I’m trying to run the `restic init` command to an s3 bucket that has server side encryption using KMS (SSE:KMS) enabled. I’m getting a `failed: client.PutObject: Access Denied` error, however that is the same error I get when I try and run `aws s3 cp` without the `--sse=aws:kms` option.
I’m able to PUT an item on the s3 bucket using the aws cli as long as I include the `--sse=aws:kms` option so I know the permissions are set correctly.
My thought is that restic probably uses the AWS API to create the key (or directory if you want to call it that) before it inits the repo, however it doesn’t know the bucket needs the `--sse=aws:kms` option.
Here is my IAM policy to verify it’s not a permissions error:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:ListMultipartUploadParts",
        "s3:ListBucketVersions",
        "s3:ListBucketMultipartUploads",
        "s3:ListBucket",
        "s3:GetObjectVersion",
        "s3:GetObject",
        "s3:GetBucketVersioning",
        "s3:GetBucketLocation",
        "s3:GetAccelerateConfiguration",
        "s3:DeleteObjectVersion",
        "s3:DeleteObject",
        "s3:AbortMultipartUpload"
      ],
      "Resource": [
        "arn:aws:s3:::<removed s3 bucket name>/*",
        "arn:aws:s3:::<removed s3 bucket name>"
      ]
    },
```
To test further I removed the encryption from the bucket and I was able to init.
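An added example, not part of the original post: a small offline model of how a bucket policy that requires the SSE-KMS header turns a header-less `PutObject` into Access Denied while the same upload with `--sse=aws:kms` passes. The bucket policy, the bucket name `example-bucket` and the helper names are assumptions (the post does not show a bucket policy), and the evaluator is a simplification covering only three condition operators, not AWS's policy engine.

```python
import json

# Constructed bucket policy (assumption: the post does not show one). A common
# pattern that rejects any PutObject not requesting SSE-KMS.
BUCKET_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "DenyWrongSSE", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
    {"Sid": "DenyMissingSSE", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}}
  ]
}
""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def condition_matches(condition, context):
    """True when every operator/key pair in the Condition block holds."""
    for operator, checks in condition.items():
        for key, expected in checks.items():
            actual = context.get(key)
            if operator == "Null":
                ok = (actual is None) == (str(expected).lower() == "true")
            elif operator == "StringEquals":
                ok = actual is not None and actual in _as_list(expected)
            elif operator == "StringNotEquals":
                # Negated operators also match when the key is absent.
                ok = actual is None or actual not in _as_list(expected)
            else:
                raise ValueError(f"operator not modelled: {operator}")
            if not ok:
                return False
    return True

def denying_sids(policy, action, put_headers):
    """Sids of Deny statements hit by a request (Resource/Principal not modelled)."""
    context = {"s3:" + name.lower(): value for name, value in put_headers.items()}
    return [s.get("Sid", "") for s in policy["Statement"]
            if s["Effect"] == "Deny" and action in _as_list(s["Action"])
            and condition_matches(s.get("Condition", {}), context)]
```

An explicit Deny like this overrides the `Allow` on `s3:PutObject` in the IAM policy above, so the IAM policy alone does not settle whether the upload is permitted.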