Comments

  • AWS S3 Access denied
    I found what the problem was.
    While in AWS CLI to change an object class it's enough 's3:GetObject' (beyond other stuff), CloudBerry does more things (not sure what) and it requires 's3:GetObject*'

    This is my working IAM permission

    {
    "Version": "2012-10-17",
    "Statement": [
    {
    "Effect": "Allow",
    "Action": [
    "s3:GetObject*",
    "s3:ListBucket",
    "s3:PutObject",
    "s3:Describe*",
    "s3:PutObjectAcl",
    "s3:AbortMultipartUpload",
    "s3:ListBucketMultipartUploads",
    "s3:ListMultipartUploadParts",
    "s3:RestoreObject"
    ],
    "Resource": [
    "arn:aws:s3:::<MY_BUCKET>",
    "arn:aws:s3:::<MY_BUCKET>/*"
    ]
    },
    {
    "Effect": "Allow",
    "Action": [
    "s3:ListAllMyBuckets"
    ],
    "Resource": [
    "*"
    ]
    }
    ]
    }
  • Connect to only one S3 bucket without seeing other buckets in the AWS account
    Hi,
    This IAM policy will allow CloudBerry to list all buckets and only access the <my-bucket>

    {
    "Version": "2012-10-17",
    "Statement": [
    {
    "Effect": "Allow",
    "Action": [
    "s3:GetObject",
    "s3:ListBucket",
    "s3:PutObject",
    "s3:Describe*",
    "s3:PutObjectAcl",
    "s3:AbortMultipartUpload",
    "s3:ListBucketMultipartUploads",
    "s3:ListMultipartUploadParts",
    "s3:RestoreObject"
    ],
    "Resource": [
    "arn:aws:s3:::<my-bucket>",
    "arn:aws:s3:::<my-bucket>/*"
    ]
    },
    {
    "Effect": "Allow",
    "Action": [
    "s3:ListAllMyBuckets"
    ],
    "Resource": [
    "*"
    ]
    }
    ]
    }

    If you don't want to list all buckets, remove the second json statement (ListAllMyBuckets)