Open dlibanori opened 6 years ago
Here's what permissions you might need:
bucket_exists?. And make sure the bucket exists, otherwise there will be an attempt to create it, which needs s3:CreateBucket)
'x-amz-acl' => 'public-read', otherwise do not provide the permission and change :storage_headers instead)

After some trial and error I managed to get it working with the following permissions:
s3:GetBucketLocation
s3:GetObject
s3:GetObjectAcl
s3:PutObject
s3:PutObjectAcl
s3:DeleteObject
I am also struggling with the actual minimal IAM permissions. I am seeing a ton of 403 Forbidden errors getting generated by this library, and it appears to be due to storage.sync_clock, which calls ListBuckets on S3 (a GET /), for which the IAM user does not have permissions.
Any thoughts on making sync_clock optional, or using an operation the IAM user has permissions for to achieve it (it appears to ignore the error and just parse the response headers' Date anyway)?
Is that all?
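The permission set from the thread written out as a bucket-scoped IAM policy, with a small check of which S3 calls mentioned above it would still leave denied. This is an added example, not code from the posts or from the library. The bucket name and object key are constructed placeholders, `iam_match?`, `allowed?` and `denied_operations` are hypothetical helpers, and the evaluation is simplified to Allow statements only.

```ruby
require 'json'
# Constructed placeholder bucket name and sample key; substitute your own.
BUCKET = 'example-uploads-bucket'
BUCKET_ARN = "arn:aws:s3:::#{BUCKET}"
OBJECT_ARN = "#{BUCKET_ARN}/uploads/avatar.png"

# The six actions listed in the thread, scoped to a single bucket.
POLICY = {
  'Version' => '2012-10-17',
  'Statement' => [
    { 'Effect' => 'Allow', 'Action' => ['s3:GetBucketLocation'],
      'Resource' => BUCKET_ARN },
    { 'Effect' => 'Allow',
      'Action' => %w[s3:GetObject s3:GetObjectAcl s3:PutObject
                     s3:PutObjectAcl s3:DeleteObject],
      'Resource' => "#{BUCKET_ARN}/*" }
  ]
}.freeze

# S3 calls discussed in the thread => [action, resource] pairs each one needs.
OPERATIONS = {
  'ListBuckets (GET /)' => [['s3:ListAllMyBuckets', '*']],
  'CreateBucket' => [['s3:CreateBucket', BUCKET_ARN]],
  'PutObject' => [['s3:PutObject', OBJECT_ARN]],
  'PutObject + x-amz-acl' => [['s3:PutObject', OBJECT_ARN],
                              ['s3:PutObjectAcl', OBJECT_ARN]]
}.freeze

# IAM wildcards: '*' matches any run of characters, '?' a single character.
def iam_match?(pattern, value)
  body = Regexp.escape(pattern).gsub('\*', '.*').gsub('\?', '.')
  Regexp.new("\\A#{body}\\z").match?(value)
end

# Simplified evaluation: Allow statements only (no Deny, Condition, NotAction).
def allowed?(policy, action, resource)
  policy['Statement'].any? do |st|
    st['Effect'] == 'Allow' &&
      Array(st['Action']).any? { |a| iam_match?(a.downcase, action.downcase) } &&
      Array(st['Resource']).any? { |r| iam_match?(r, resource) }
  end
end

# Names of the operations S3 would answer with 403 under the given policy.
def denied_operations(policy)
  OPERATIONS.reject { |_, needs| needs.all? { |a, r| allowed?(policy, a, r) } }.keys
end

puts JSON.pretty_generate(POLICY) if __FILE__ == $PROGRAM_NAME
```

With this policy, `denied_operations(POLICY)` reports ListBuckets and CreateBucket, which matches the 403s from the clock sync and the need for the bucket to exist beforehand.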