Minimum AWS Configuration For CloudSync

Joseph Green

As part of its operation, CloudSync needs to be able to put new objects into the bucket, delete ones that have been removed from Swift, and check whether an object has been copied. Here is a sample IAM policy that allows CloudSync to interact with a bucket:


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:DeleteObject",
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::cloud-sync-bucket/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::cloud-sync-bucket"
            ]
        }
    ]
}
```


The existence check uses the HeadObject API, which requires the GetObject permission. The ListBucket permission is also required: without it, checking for an object that does not exist returns 403 Forbidden instead of 404 Not Found.

You can specify multiple buckets in the Resource clause and apply the policy to a given group or user in IAM, whose AWS Access Key ID and AWS Secret Access Key are used with CloudSync.
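
An added example, not part of the original article or of CloudSync: a small Python check that a policy document grants the four actions on the right ARNs for a given bucket and flags anything broader. It compares ARNs as exact strings and does not evaluate IAM wildcards, Deny statements or Condition blocks; `check_policy` and the `MISPLACED` sample are constructed for illustration.

```python
import json

# Minimum grants from the article: object actions apply to "<bucket>/*",
# while s3:ListBucket applies to the bucket ARN itself.
OBJECT_ACTIONS = {"s3:PutObject", "s3:DeleteObject", "s3:GetObject"}
BUCKET_ACTIONS = {"s3:ListBucket"}

def _as_list(value):
    # IAM allows a single string (or statement) wherever a list is accepted.
    return value if isinstance(value, list) else [value]

def check_policy(policy, bucket):
    """Return findings; an empty list means the minimum grants are present and nothing broader."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    object_arn = bucket_arn + "/*"
    granted, findings = set(), []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            for resource in _as_list(stmt.get("Resource", [])):
                granted.add((action, resource))
                if action not in OBJECT_ACTIONS | BUCKET_ACTIONS:
                    findings.append(f"{action} on {resource} exceeds the minimum")
                elif resource in ("*", "arn:aws:s3:::*"):
                    findings.append(f"{action} on {resource} covers every bucket")
    for action in sorted(OBJECT_ACTIONS):
        if (action, object_arn) not in granted:
            findings.append(f"missing {action} on {object_arn}")
    for action in sorted(BUCKET_ACTIONS):
        if (action, bucket_arn) not in granted:
            hint = " (granted on objects only)" if (action, object_arn) in granted else ""
            findings.append(f"missing {action} on {bucket_arn}{hint}: "
                            "HeadObject on an absent key returns 403, not 404")
    return findings

# Constructed sample: the article's policy with s3:ListBucket misplaced on "/*".
MISPLACED = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:PutObject", "s3:DeleteObject", "s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::cloud-sync-bucket/*"]
  }]
}""")

if __name__ == "__main__":
    for finding in check_policy(MISPLACED, "cloud-sync-bucket"):
        print(finding)
```

For a policy covering several buckets, call `check_policy` once per bucket name.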
