danilop/yas3fs

IAM policy incomplete for versioned buckets

Closed this issue · 1 comments

I am happily using yas3fs with the suggested IAM policy, but it stopped working when I enabled versioning on a bucket. In debug mode I could see log entries such as:

Download-0000 2017-06-21T15:18:13.083 ERROR S3ResponseError: 403 Forbidden
<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message>

I suspect this may be related to boto/boto#3219 and that the IAM policy needs to include "s3:GetObjectVersion", though I fixed this for the time being by allowing all permissions on my bucket. If I manage to determine the exact permissions required I will update this issue and raise a PR.

Re-tested this today with tighter permissions and it seems s3:GetObjectVersion is the only additional permission needed for yas3fs to work with versioned buckets.
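As an added example (not part of the issue thread or of yas3fs itself), the following Python check audits an IAM policy document for the read actions a versioned bucket needs and flags the "allow everything" workaround as over-broad. The bucket name, the three sample policies and the helper names are constructed for illustration; the evaluation is simplified and ignores `Condition`, `NotAction` and `NotResource`.

```python
import re

# Reads needed on a versioned bucket, per this issue: s3:GetObjectVersion
# in addition to the plain object read.
REQUIRED_READS = ("s3:GetObject", "s3:GetObjectVersion")

def _as_list(value):
    # IAM allows a single string/statement or a list of them.
    return [value] if isinstance(value, (str, dict)) else list(value or [])

def _match(pattern, value, ignore_case=False):
    # IAM wildcards: '*' is any run of characters, '?' is exactly one.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value, re.I if ignore_case else 0) is not None

def is_allowed(policy, action, resource):
    """Simplified evaluation: an explicit Deny wins, then any matching Allow."""
    allowed = False
    for stmt in _as_list(policy.get("Statement")):
        hit = (any(_match(a, action, True) for a in _as_list(stmt.get("Action")))
               and any(_match(r, resource) for r in _as_list(stmt.get("Resource"))))
        if hit and stmt.get("Effect") == "Deny":
            return False
        allowed = allowed or (hit and stmt.get("Effect") == "Allow")
    return allowed

def audit_versioned_read(policy, object_arn):
    missing = [a for a in REQUIRED_READS if not is_allowed(policy, a, object_arn)]
    # No real action has this name, so only a wildcard grant such as "s3:*" allows it.
    overbroad = is_allowed(policy, "s3:ConstructedProbeAction", object_arn)
    return {"missing": missing, "overbroad": overbroad}

# Constructed sample policies for a placeholder bucket (not the yas3fs README policy).
OBJ = "arn:aws:s3:::example-bucket/path/file.txt"

def _policy(actions):
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::example-bucket"},
        {"Effect": "Allow", "Action": actions,
         "Resource": "arn:aws:s3:::example-bucket/*"}]}

BEFORE = _policy(["s3:GetObject", "s3:PutObject", "s3:DeleteObject"])
WORKAROUND = _policy("s3:*")
FIXED = _policy(["s3:GetObject", "s3:GetObjectVersion", "s3:PutObject", "s3:DeleteObject"])

if __name__ == "__main__":
    for name, pol in (("before", BEFORE), ("workaround", WORKAROUND), ("fixed", FIXED)):
        print(name, audit_versioned_read(pol, OBJ))
```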