Minimal rights in S3 Amazon

Getting Help
1

Hello,

I’m not a pro of S3 and restic is new for me. I’m trying to setup minimal access to the S3 AWS to backu p with restic.

My first intention was to do :

s3ArchivesPolicy:
        Type: 'AWS::IAM::Policy'
        Properties:
            PolicyName: s3ArchivesWrite
            PolicyDocument:
                Version: "2012-10-17"
                Statement:
                - Effect: Allow
                  Action:
                        - 's3:ListBucket'
                  Resource: 'arn:aws:s3:::restic-dev'
                - Effect: Allow
                  Action:
                        - 's3:PutObject'
                        - 's3:GetObject'
                        - 's3:DeleteObject'
                        - 's3:PutObjectAcl'
                  Resource: 'arn:aws:s3:::restic-dev/*'
            Roles:
                - !Ref ServicesRole

But restic can’t access to S3. I have added s3:* on the resource arn:aws:s3:::restic-dev as a workaround but I would like to setup minimal permissions and not all the list.
Could you tell me what Action I need to add ?

Thanks

2

Here are 2 policy examples I use; first one append-only, second one global read-write. Those are used for minio server, but at least action names and resources should be compatible with s3:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::mybucket/*"
        },
        {
            "Effect": "Allow",
            "Action": "s3:DeleteObject",
            "Resource": "arn:aws:s3:::mybucket/locks/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:CreateBucket",
                "s3:GetBucketLocation",
                "s3:ListBucket"
            ],
            "Resource": "arn:aws:s3:::mybucket"
        }
    ]
}

{
    "ID": "Policy1565782210131",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1565782085056",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject",
                "s3:GetBucketLocation",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::*/*"
            ]
        }
    ]
}
1 Like
3

Thank you very much. My problem was on the s3:GetBucketLocation permission.