docs: correct AWS IAM permissions in README

[capytan]

This PR corrects the IAM permissions documentation to accurately reflect the minimum required permissions for S3AssetDeploy.

Changes

• Add missing s3:GetObject permission required for reading removal manifest
• Correct the removal tracking description (appears to use JSON manifest rather than S3 object tagging)
• Fix typo: S3AsetDeploy → S3AssetDeploy
• Clarify permissions are the minimum required

Why

The current documentation mentions S3 object tagging is used for tracking removed assets, but from my investigation of the codebase, it appears that since February 2021 (commit f655480), the gem actually uses a JSON manifest file (s3_asset_deploy/removal_manifest.json) instead. I couldn't find any references to tagging APIs in the current implementation. Users following the current docs would likely encounter permission errors without s3:GetObject.

Impact

Users following the previous documentation would encounter permission errors when the gem attempts to read the removal manifest from S3. This fix ensures users configure the minimum required permissions correctly.

s3_asset_deploy/lib/s3_asset_deploy/removal_manifest.rb

Lines 90 to 94 in 40ca094

	def fetch_manifest
	resp = s3.get_object({
	bucket: bucket_name,
	key: PATH
	})

[coderabbitai]

📝 Walkthrough

Walkthrough

README.md updates the AWS IAM Permissions section: fixes a heading typo and replaces a single inline policy with a two-statement IAM policy including Version, distinct Sids, separated bucket-level and object-level resources, and moves s3:GetObject into object-level permissions.

Changes

Cohort / File(s)

Summary of Changes

Documentation README.md

Fixed heading typo (S3AsetDeploy → S3AssetDeploy). Rewrote IAM policy from one inline statement to a standard Version: "2012-10-17" policy with two Statements: AllowBucketOperations (allows s3:ListBucket on the bucket ARN) and AllowObjectOperations (allows s3:GetObject, s3:PutObject, s3:DeleteObject on bucket/*). Added explicit Sids and changed Resource usage from a single array to per-statement resource strings.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

✨ Finishing touches

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to Reviews > Disable Cache setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between fd61d4e and 2efaa6a.

📒 Files selected for processing (1)

• README.md (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• README.md

Tip

👮 Agentic pre-merge checks are now available in preview!

Pro plan users can now enable pre-merge checks in their settings to enforce checklists before merging PRs.

• Built-in checks – Quickly apply ready-made checks to enforce title conventions, require pull request descriptions that follow templates, validate linked issues for compliance, and more.
• Custom agentic checks – Define your own rules using CodeRabbit’s advanced agentic capabilities to enforce organization-specific policies and workflows. For example, you can instruct CodeRabbit’s agent to verify that API documentation is updated whenever API schema files are modified in a PR. Note: Upto 5 custom checks are currently allowed during the preview period. Pricing for this feature will be announced in a few weeks.

Please see the documentation for more information.

Example:

reviews:
  pre_merge_checks:
    custom_checks:
      - name: "Undocumented Breaking Changes"
        mode: "warning"
        instructions: |
          Pass/fail criteria: All breaking changes to public APIs, CLI flags, environment variables, configuration keys, database schemas, or HTTP/GraphQL endpoints must be documented in the "Breaking Change" section of the PR description and in CHANGELOG.md. Exclude purely internal or private changes (e.g., code not exported from package entry points or explicitly marked as internal).

Please share your feedback with us on this Discord post.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

Pre-merge checks

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title Check	✅ Passed	The title "docs: correct AWS IAM permissions in README" succinctly and accurately summarizes the primary change in the changeset — updating README IAM permissions — and aligns with the diff that adds s3:GetObject, fixes the gem name typo, and separates bucket vs object permissions. It is concise, specific, and appropriate for a teammate scanning PR history.
Docstring Coverage	✅ Passed	No functions found in the changes. Docstring coverage check skipped.
Description Check	✅ Passed	The PR description directly and accurately describes the README changes: it states the addition of s3:GetObject, the S3AsetDeploy → S3AssetDeploy typo fix, and the switch from tagging to a JSON removal manifest with a code reference, which aligns with the raw_summary and PR objectives. The description is specific, on-topic, and explains the rationale and impact of the changes. It therefore meets the lenient criteria for this check.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

README.md (1)

186-186: Align the lead-in sentence with actual permissions used.

Mention object reads and tagging to prevent confusion.

-`S3AssetDeploy` requires the following AWS IAM permissions to list, put, and delete objects in your S3 Bucket:
+`S3AssetDeploy` requires the following AWS IAM permissions to list the bucket, read/write objects, and read/write object tags in your S3 bucket:

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to Reviews > Disable Cache setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between 40ca094 and fd61d4e.

📒 Files selected for processing (1)

• README.md (1 hunks)

🔇 Additional comments (1)

README.md (1)

201-209: Tighten IAM: allow only s3:GetObject and s3:PutObject

Code only calls Aws::S3::Client#get_object and #put_object; no delete, tagging, or multipart S3 calls were found. Update the README policy to remove s3:DeleteObject (and no DeleteObjectTagging) and change s3:PutObject* → s3:PutObject.

• Relevant locations: lib/s3_asset_deploy/removal_manifest.rb (s3.put_object at line 44; s3.get_object at line 91), lib/s3_asset_deploy/manager.rb (put_object usage at ~175; def at 190–192). Aws::S3::Client is constructed in removal_manifest.rb (line 20), remote_asset_collector.rb (line 20), manager.rb (line 181).

[coderabbitai]

⚠️ Potential issue

Missing s3:GetObjectTagging; wildcard PutObject grants more than needed.

Docs will still break reading removal TTLs without GetObjectTagging. Also prefer least privilege over s3:PutObject*.

Apply this diff to the object-level statement:

       "Action": [
-        "s3:GetObject",
-        "s3:PutObject*",
-        "s3:DeleteObject"
+        "s3:GetObject",
+        "s3:GetObjectTagging",
+        "s3:PutObject",
+        "s3:PutObjectTagging",
+        "s3:DeleteObject"
       ],

Optional (if you ever remove all tags in one call), also include:

+        "s3:DeleteObjectTagging",

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	"Sid": "AllowObjectOperations",
	"Effect": "Allow",
	"Action": [
	"s3:GetObject",
	"s3:PutObject*",
	"s3:DeleteObject"
	],
	"Resource": "arn:aws:s3:::#{YOUR_BUCKET}/*"
	}
	"Sid": "AllowObjectOperations",
	"Effect": "Allow",
	"Action": [
	"s3:GetObject",
	"s3:GetObjectTagging",
	"s3:PutObject",
	"s3:PutObjectTagging",
	"s3:DeleteObject"
	],
	"Resource": "arn:aws:s3:::#{YOUR_BUCKET}/*"
	}

🤖 Prompt for AI Agents

In README.md around lines 201-209, the object-level IAM statement is missing
s3:GetObjectTagging and uses the overly-broad s3:PutObject* wildcard; update the
Action array to include "s3:GetObjectTagging" and replace "s3:PutObject*" with
explicit actions "s3:PutObject" and "s3:PutObjectTagging" (and optionally add
"s3:DeleteObjectTagging" if you may remove all tags in one call), leaving
Resource as "arn:aws:s3:::#{YOUR_BUCKET}/*".