Conversation

@bedla bedla commented Sep 16, 2025

Hi,
Based on the discussion at #786, I have created this PR.
Please take a look.
Thx
Ivos

@bedla bedla force-pushed the feature/docs-aws-s3-policy branch from 866195b to cf6a5a0 on November 10, 2025 14:07
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject"

Missing a comma here?


kgrando commented Nov 26, 2025

We use Barman with the cnpg-i plugin. In our PoC, Rook Ceph RGW is used as the object store.

In this setup, I had to add s3:PutObject on the bucket itself, not only on the object scope. Without this, multipart uploads fail, while WAL file archiving still works. The error looks like this:

ERROR: Backup failed uploading data (An error occurred (AccessDenied) when calling the CreateMultipartUpload operation: None)

I am not sure if this is specific to the RGW implementation, but it might be worth mentioning in the documentation.
Another possible fix is to include both resources in the same allow statement:

```json
"Resource": [
  "arn:aws:s3:::${BUCKET_NAME}",
  "arn:aws:s3:::${BUCKET_NAME}/*"
]
```

The policy I currently use:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "BucketOperations",
      "Effect": "Allow",
      "Principal": {
        "AWS": [ "arn:aws:iam:::user/${BUCKET_NAME}" ]
      },
      "Action": [
        "s3:ListBucket",
        "s3:PutObject"
      ],
      "Resource": [ "arn:aws:s3:::${BUCKET_NAME}" ]
    },
    {
      "Sid": "ObjectOperations",
      "Effect": "Allow",
      "Principal": {
        "AWS": [ "arn:aws:iam:::user/${BUCKET_NAME}" ]
      },
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:AbortMultipartUpload"
      ],
      "Resource": [ "arn:aws:s3:::${BUCKET_NAME}/*" ]
    }
  ]
}
```

I also create the bucket beforehand, so the s3:CreateBucket permission is not required when following least privilege.
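One way to check a candidate bucket policy against the grants the comment above describes, as an added example that is not code from this PR, from Barman or from the commenter: a simplified Allow/Deny evaluator with IAM-style wildcard matching, run over the commenter's policy with and without the bucket-scoped `s3:PutObject`. The bucket name, object keys and the Barman access pattern are constructed assumptions; `Principal` and `Condition` are ignored.

```python
import fnmatch

# Constructed sample bucket name; the comment's policy uses ${BUCKET_NAME}.
BUCKET = "pg-backups"

def policy_from_comment(bucket, put_object_on_bucket):
    """The commenter's policy, with or without the bucket-scoped s3:PutObject
    that CreateMultipartUpload needed on Rook Ceph RGW (Principal omitted)."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    bucket_actions = ["s3:ListBucket"] + (["s3:PutObject"] if put_object_on_bucket else [])
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "BucketOperations", "Effect": "Allow",
         "Action": bucket_actions, "Resource": [bucket_arn]},
        {"Sid": "ObjectOperations", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject",
                    "s3:AbortMultipartUpload"],
         "Resource": [bucket_arn + "/*"]},
    ]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def is_allowed(policy, action, resource):
    """Simplified IAM evaluation: an explicit Deny wins, otherwise any matching Allow
    grants; Principal and Condition are ignored (assumed: one dedicated backup user)."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if not any(fnmatch.fnmatchcase(action, a) for a in actions):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def required_grants(bucket):
    """(action, resource) pairs the comment reports Barman exercising; keys are constructed."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    obj = bucket_arn + "/base/20251126T000000/data.tar"
    wal = bucket_arn + "/wals/000000010000000000000001"
    return [("s3:ListBucket", bucket_arn), ("s3:PutObject", bucket_arn),  # multipart start on RGW
            ("s3:PutObject", wal), ("s3:GetObject", obj),
            ("s3:AbortMultipartUpload", obj), ("s3:DeleteObject", wal)]

def missing_grants(policy, bucket):
    """Required grants the policy does not allow; an empty list means the set is complete."""
    return [(a, r) for a, r in required_grants(bucket) if not is_allowed(policy, a, r)]
```

Running `missing_grants` on the object-only variant reports exactly the bucket-scoped `s3:PutObject` gap that produced the AccessDenied on CreateMultipartUpload, while the policy from the comment reports nothing missing.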
