• gxvigo
    0
    Hello,

    I am testing CloudBerry Explorer for a larger project.
    From the tool I can access my S3 bucket, list and copy objects.
    I am having problems changing Storage Class of objects, when I try that I receive an 'Access Denied' error.

    I am confident that my permissions are correct because I can successfully change Storage Class from aws cli:
    aws s3 cp s3://<BUCKET>/<KEY> s3://<BUCKET>/<KEY> --storage-class STANDARD_IA

    My assumption is that CloudBerry makes a different request to S3.
    Is it possible to know what request is done or enable debug logs to view that?

    Cheers
  • gxvigo
    0
    I found what the problem was.
    While in AWS CLI to change an object class it's enough 's3:GetObject' (beyond other stuff), CloudBerry does more things (not sure what) and it requires 's3:GetObject*'

    This is my working IAM permission

    {
    "Version": "2012-10-17",
    "Statement": [
    {
    "Effect": "Allow",
    "Action": [
    "s3:GetObject*",
    "s3:ListBucket",
    "s3:PutObject",
    "s3:Describe*",
    "s3:PutObjectAcl",
    "s3:AbortMultipartUpload",
    "s3:ListBucketMultipartUploads",
    "s3:ListMultipartUploadParts",
    "s3:RestoreObject"
    ],
    "Resource": [
    "arn:aws:s3:::<MY_BUCKET>",
    "arn:aws:s3:::<MY_BUCKET>/*"
    ]
    },
    {
    "Effect": "Allow",
    "Action": [
    "s3:ListAllMyBuckets"
    ],
    "Resource": [
    "*"
    ]
    }
    ]
    }
bold
italic
underline
strike
code
quote
ulist
image
url
mention
reveal
youtube
tweet
Add a Comment