schickling / dockerfiles

Collection of lightweight and ready-to-use docker images
https://hub.docker.com/u/schickling/
MIT License

AWS IAM policy change for #146

Open joanfabregat opened 2 years ago

joanfabregat commented 2 years ago

This is not really a bug but a warning following the commit b041c03909bfe6d1d54afa7405704d9f25218dd1, which introduces a change in the required AWS permissions policy for the account used by schickling/mysql-backup-s3.

Previously schickling/mysql-backup-s3 required an account with only this (very simple) AWS policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "s3:PutObject",
            "Resource": [
                "arn:aws:s3:::***BUCKET_NAME***/*",
                "arn:aws:s3:::***BUCKET_NAME***"
            ]
        }
    ]
}

Since the addition of the following line, the backup fails with the above policy. https://github.com/schickling/dockerfiles/blob/b041c03909bfe6d1d54afa7405704d9f25218dd1/mysql-backup-s3/backup.sh#L54

The reported error message is:

Bucket BUCKET_NAME not found (or owned by someone else), attempting to create An error occurred (IllegalLocationConstraintException) when calling the CreateBucket operation: The unspecified location constraint is incompatible for the region specific endpoint this request was sent to.

The policy now requires s3:ListBucket in order to execute aws s3api head-bucket (as documented here).

The required minimum AWS permissions policy is now:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject", 
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::***BUCKET_NAME***/*",
                "arn:aws:s3:::***BUCKET_NAME***"
            ]
        }
    ]
}

Just wanted to give a heads up to other developers running into this problem.
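An added example, not from the issue or the project: an offline, simplified IAM policy check that tells you whether a given identity policy covers what the new backup.sh needs (s3:ListBucket on the bucket ARN for head-bucket, s3:PutObject on the object ARN for the upload). The bucket name and object key are constructed sample values; the evaluator ignores conditions, NotAction/NotResource and organization SCPs.

```python
import fnmatch

# Constructed sample bucket name standing in for ***BUCKET_NAME***.
BUCKET = "my-backups"

# The policy from before commit b041c03 (PutObject only).
OLD_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "VisualEditor0", "Effect": "Allow", "Action": "s3:PutObject",
    "Resource": [f"arn:aws:s3:::{BUCKET}/*", f"arn:aws:s3:::{BUCKET}"]}]}

# The minimum policy the issue reports as working after the commit.
NEW_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "VisualEditor0", "Effect": "Allow",
    "Action": ["s3:PutObject", "s3:ListBucket"],
    "Resource": [f"arn:aws:s3:::{BUCKET}/*", f"arn:aws:s3:::{BUCKET}"]}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def is_allowed(policy, action, resource):
    """Simplified identity-policy evaluation: an explicit Deny wins,
    otherwise any matching Allow grants. IAM's '*' and '?' wildcards map
    onto fnmatch (ARNs here contain no '[' so no class-escaping is needed)."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if not any(fnmatch.fnmatchcase(action, a) for a in actions):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in resources):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed

def missing_backup_permissions(policy, bucket, key="backup.sql.gz"):
    """Return the (action, resource) pairs backup.sh needs but the policy
    lacks. Note the resource split: ListBucket is checked against the bucket
    ARN itself, PutObject against an object ARN under bucket/*."""
    needed = [("s3:ListBucket", f"arn:aws:s3:::{bucket}"),
              ("s3:PutObject", f"arn:aws:s3:::{bucket}/{key}")]
    return [(a, r) for a, r in needed if not is_allowed(policy, a, r)]

if __name__ == "__main__":
    for name, pol in (("old", OLD_POLICY), ("new", NEW_POLICY)):
        print(name, "missing:", missing_backup_permissions(pol, BUCKET))
```

Running it reports the old policy as missing only ("s3:ListBucket", "arn:aws:s3:::my-backups"), which is exactly the gap behind the head-bucket failure.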

matiasgarciaisaia commented 2 years ago

For anyone around here, I'm proposing to opt out of the new behaviour via an S3_ENSURE_BUCKET_EXISTS=no environment variable in #153 - opinions welcome in the PR :)