Open airblade opened 5 months ago
Hello!
Thank you for this wonderful tool.
I set up a restrictive IAM policy as per the docs but when I started litestream I saw these Access Denied errors from S3:
```
$ litestream replicate
time=2024-06-25T09:59:31.773Z level=INFO msg=litestream version=v0.3.13
time=2024-06-25T09:59:31.774Z level=INFO msg="initialized db" path=/var/www/example/storage/production.sqlite3
time=2024-06-25T09:59:31.774Z level=INFO msg="replicating to" name=s3 type=s3 sync-interval=1s bucket=example-backups path=app region=eu-west-2 endpoint=""
time=2024-06-25T09:59:32.928Z level=INFO msg="write snapshot" db=/var/www/example/storage/production.sqlite3 replica=s3 position=01fddf43eeeec9a8/00000001:4152
time=2024-06-25T09:59:32.962Z level=ERROR msg="monitor error" db=/var/www/example/storage/production.sqlite3 replica=s3 error="AccessDenied: Access Denied\n\tstatus code: 403, request id: 3P8G16JJVW7SM3J5, host id: Qi1/C5P6/wVjnC2f/rFLgPT5pJ+uFB+3wG3ujrdfniTnUg4Ba7BjyiOJ3wN74KtraetrioVQl28="
time=2024-06-25T09:59:33.808Z level=INFO msg="write snapshot" db=/var/www/example/storage/production.sqlite3 replica=s3 position=01fddf43eeeec9a8/00000001:4152
time=2024-06-25T09:59:33.856Z level=ERROR msg="monitor error" db=/var/www/example/storage/production.sqlite3 replica=s3 error="AccessDenied: Access Denied\n\tstatus code: 403, request id: NHV63T0BNM601X3H, host id: ai52cuOUg0An2KNthN2lOmVEhuVOIWBD1yC55yJyz/HDCUw90fwV/eszVRXu9AHhnSArwe4htzo="
time=2024-06-25T09:59:34.896Z level=INFO msg="write snapshot" db=/var/www/example/storage/production.sqlite3 replica=s3 position=01fddf43eeeec9a8/00000001:4152
time=2024-06-25T09:59:34.953Z level=INFO msg="snapshot written" db=/var/www/example/storage/production.sqlite3 replica=s3 position=01fddf43eeeec9a8/00000001:4152 elapsed=57.50852ms sz=10519
time=2024-06-25T09:59:35.015Z level=INFO msg="write wal segment" db=/var/www/example/storage/production.sqlite3 replica=s3 position=01fddf43eeeec9a8/00000001:0
time=2024-06-25T09:59:35.052Z level=INFO msg="wal segment written" db=/var/www/example/storage/production.sqlite3 replica=s3 position=01fddf43eeeec9a8/00000001:0 elapsed=36.676667ms sz=4152
```
The snapshot and WAL files seemed to be pushed to S3 correctly, as far as I could tell.
Anyway, when I adjusted the policy and restarted litestream, there were no more errors:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:GetBucketLocation", "s3:ListBucket" ], "Resource": "arn:aws:s3:::<BUCKET>" }, { "Effect": "Allow", "Action": [ "s3:PutObject", "s3:DeleteObject", "s3:GetObject" ], "Resource": [ + "arn:aws:s3:::<BUCKET>/*" - "arn:aws:s3:::<BUCKET>/*", - "arn:aws:s3:::<BUCKET>" ] } ] }
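Review bot: The only change in this hunk is dropping the bare bucket ARN `arn:aws:s3:::<BUCKET>` from the statement covering s3:PutObject, s3:DeleteObject and s3:GetObject; those actions are evaluated against object ARNs, so that entry granted nothing and removing it is harmless, but on its own it also does not explain the two 403s in the log, which never name the denied API call. Before treating the new policy as the fix, confirm which S3 operation was denied (CloudTrail events with errorCode AccessDenied for request ids 3P8G16JJVW7SM3J5 and NHV63T0BNM601X3H, or the IAM policy simulator run against the old policy), and keep the unchanged first statement granting s3:ListBucket and s3:GetBucketLocation on the bucket ARN, since those bucket-level actions are the ones that would actually be denied if only `<BUCKET>/*` were listed.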
Although I don't understand why removing a resource would prevent access-denied errors, I think that specifying the bucket as a resource for the object actions (put/delete/get) doesn't make sense.
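The mismatch described in this issue (an object-level action granted on a bare bucket ARN) is easy to catch mechanically, and the inverse mistake (a bucket-level action such as s3:ListBucket granted only on `bucket/*`) is the one that really does produce AccessDenied. The following linter is an added example, not code from the issue or from litestream; the action sets and the `example-bucket` policies are constructed for illustration.

```python
import json

# S3 actions evaluated against the bucket ARN (arn:aws:s3:::bucket) ...
BUCKET_ACTIONS = {"s3:ListBucket", "s3:GetBucketLocation"}
# ... and actions evaluated against object ARNs (arn:aws:s3:::bucket/key).
OBJECT_ACTIONS = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject"}
S3_ARN_PREFIX = "arn:aws:s3:::"


def _as_list(value):
    """IAM accepts a string or a list for Action and Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_object_arn(arn):
    """True for arn:aws:s3:::bucket/<key or *>, False for a bare bucket ARN."""
    return arn.startswith(S3_ARN_PREFIX) and "/" in arn[len(S3_ARN_PREFIX):]


def lint_s3_policy(policy_json):
    """Return findings for Allow statements whose resource type cannot match the action."""
    findings = []
    for idx, stmt in enumerate(_as_list(json.loads(policy_json)["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            for res in _as_list(stmt.get("Resource", [])):
                if action in OBJECT_ACTIONS and not is_object_arn(res):
                    findings.append(f"statement {idx}: {action} on bucket ARN {res} grants nothing")
                elif action in BUCKET_ACTIONS and is_object_arn(res):
                    findings.append(f"statement {idx}: {action} on object ARN {res} grants nothing")
    return findings


# Constructed "before" policy: the object statement also lists the bare bucket ARN.
BEFORE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetBucketLocation", "s3:ListBucket"],
         "Resource": "arn:aws:s3:::example-bucket"},
        {"Effect": "Allow", "Action": ["s3:PutObject", "s3:DeleteObject", "s3:GetObject"],
         "Resource": ["arn:aws:s3:::example-bucket/*", "arn:aws:s3:::example-bucket"]},
    ],
})
# Constructed inverse mistake: ListBucket only on the object ARN, which does deny listing.
LIST_ON_OBJECTS_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:ListBucket",
                   "Resource": "arn:aws:s3:::example-bucket/*"}],
})

if __name__ == "__main__":
    for finding in lint_s3_policy(BEFORE_POLICY) + lint_s3_policy(LIST_ON_OBJECTS_POLICY):
        print(finding)
```

The linter only flags statements that cannot take effect; it does not prove the remaining grants are sufficient, so a denied call should still be traced through CloudTrail or the IAM policy simulator.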