diff --git a/pages/object-storage/api-cli/bucket-policy.mdx b/pages/object-storage/api-cli/bucket-policy.mdx index bf56e4fde8..ad091c7d61 100644 --- a/pages/object-storage/api-cli/bucket-policy.mdx +++ b/pages/object-storage/api-cli/bucket-policy.mdx @@ -396,6 +396,8 @@ Bucket policies use a JSON-based access policy language, and are composed of str #### Supported actions +To view the bucket policy action corresponding to each Object Storage API operation, refer to the [dedicated documentation](/object-storage/reference-content/s3-iam-permissions-equivalence/). + ##### Supported global actions - `*` diff --git a/pages/object-storage/reference-content/s3-iam-permissions-equivalence.mdx b/pages/object-storage/reference-content/s3-iam-permissions-equivalence.mdx index bab19ed27e..2249cb7e41 100644 --- a/pages/object-storage/reference-content/s3-iam-permissions-equivalence.mdx +++ b/pages/object-storage/reference-content/s3-iam-permissions-equivalence.mdx 
@@ -3,475 +3,183 @@ title: Amazon S3 and IAM permissions equivalence description: Understand how IAM permissions in Amazon S3 relate to Scaleway Object Storage. tags: object-storage amazon-s3 aws action equivalent iam permission set --- +Below is a list of Object Storage API actions authorized for each [permission set](/iam/reference-content/permission-sets/). Actions that are not explicitly authorized in a permission set are denied by default. ## ObjectStorageFullAccess -| Amazon S3 action | IAM resource | IAM action | Authorized | -|---------------------------------| ------------ |------------|------------| -| DeleteBucketPolicy | Policy | Write | Yes | -| GetBucketPolicy | Policy | Read | Yes | -| GetBucketPolicyStatus | Policy | Read | Yes | -| PutBucketPolicy | Policy | Write | Yes | -| CreateBucket | Bucket | Create | Yes | -| DeleteBucket | Bucket | Delete | Yes | -| DeleteBucketCors | Bucket | Write | Yes | -| DeleteBucketLifecycle | Bucket | Write | Yes | -| DeleteBucketTagging | Bucket | Write | Yes | -| DeleteBucketWebsite | Bucket | Write | Yes | -| GetBucketAcl | Bucket | Read | Yes | -| GetBucketCors | Bucket | Read | Yes | -| GetBucketLifecycleConfiguration | Bucket | Read | Yes | -| GetBucketLocation | Bucket | Read | Yes | -| GetBucketTagging | Bucket | Read | Yes | -| GetBucketVersioning | Bucket | Read | Yes | -| GetBucketWebsite | Bucket | Read | Yes | -| HeadBucket | Bucket | Read | Yes | -| ListBuckets | Bucket | List | Yes | -| PutBucketAcl | Bucket | Write | Yes | -| PutBucketCors | Bucket | Write | Yes | -| PutBucketLifecycleConfiguration | Bucket | Write | Yes | -| PutBucketTagging | Bucket | Write | Yes | -| PutBucketVersioning | Bucket | Write | Yes | -| PutBucketWebsite | Bucket | Write | Yes | -| AbortMultipartUpload | Object | Delete | Yes | -| CompleteMultipartUpload | Object | Create | Yes | -| CopyObject | Object | Write | Yes | -| CreateMultipartUpload | Object | Create | Yes | -| DeleteObject | Object | Delete | Yes | -| 
DeleteObjects | Object | Delete | Yes | -| DeleteObjectTagging | Object | Write | Yes | -| GetObject | Object | Read | Yes | -| GetObjectAcl | Object | Read | Yes | -| GetObjectLegalHold | Object | Read | Yes | -| GetObjectLockConfiguration | Object | Read | Yes | -| GetObjectRetention | Object | Read | Yes | -| GetObjectTagging | Object | Read | Yes | -| HeadObject | Object | Read | Yes | -| ListMultipartUploads | Object | List | Yes | -| ListObjects | Object | List | Yes | -| ListObjectsV2 | Object | List | Yes | -| ListObjectVersions | Object | List | Yes | -| ListParts | Object | List | Yes | -| PutObject | Object | Create | Yes | -| PutObjectAcl | Object | Write | Yes | -| PutObjectLegalHold | Object | Write | Yes | -| PutObjectLockConfiguration | Object | Write | Yes | -| PutObjectRetention | Object | Write | Yes | -| PutObjectTagging | Object | Write | Yes | -| RestoreObject | Object | Write | Yes | -| UploadPart | Object | Write | Yes | -| UploadPartCopy | Object | Write | Yes | -| PostObject | Object | Create | Yes | +| Object Storage action | Bucket policy action required | +|------------------------------------------------|-------------------------------------------------| +| CreateBucket | - | +| AbortMultipartUpload | s3:AbortMultipartUpload | +| CompleteMultipartUpload | s3:PutObject | +| CopyObject | s3:PutObject | +| CreateMultipartUpload | s3:PutObject | +| DeleteBucketCors | s3:PutBucketCORS | +| DeleteBucketLifecycleConfiguration | s3:PutLifecycleConfiguration | +| DeleteBucketTagging | s3:PutBucketTagging | +| DeleteBucketWebsite | s3:DeleteBucketWebsite | +| DeleteObject (with a `versionId` specified) | s3:DeleteObjectVersion | +| DeleteObject | s3:DeleteObject | +| DeleteObjects (with a `versionId` specified) | s3:DeleteObjectVersion | +| DeleteObjects | s3:DeleteObject | +| DeleteObjectTagging (with a `versionId` specified) | s3:DeleteObjectVersionTagging | +| DeleteObjectTagging | s3:DeleteObjectTagging | +| GetBucketAcl | s3:GetBucketAcl | 
+| GetBucketCors | s3:GetBucketCORS | +| GetBucketLifecycleConfiguration | s3:GetLifecycleConfiguration | +| GetBucketLocation | s3:GetBucketLocation | +| GetBucketTagging | s3:GetBucketTagging | +| GetBucketVersioning | s3:GetBucketVersioning | +| GetBucketWebsite | s3:GetBucketWebsite | +| GetObject (with a `versionId` specified) | s3:GetObjectVersion | +| GetObject | s3:GetObject | +| GetObjectAcl | s3:GetObjectAcl | +| GetObjectAttributes (with a `versionId` specified) | s3:GetObjectVersionAttributes | +| GetObjectAttributes | s3:GetObjectAttributes | +| GetObjectLegalHold | s3:GetObjectLegalHold | +| GetObjectLockConfiguration | s3:GetBucketObjectLockConfiguration | +| GetObjectRetention | s3:GetObjectRetention | +| GetObjectTagging (with a `versionId` specified)| s3:GetObjectVersionTagging | +| GetObjectTagging | s3:GetObjectTagging | +| HeadBucket | s3:ListBucket | +| HeadObject | s3:GetObject | +| ListMultipartUploads | s3:ListBucketMultipartUploads | +| ListObjects | s3:ListBucket | +| ListObjectsV2 | s3:ListBucket | +| ListObjectVersions | s3:ListBucketVersions | +| ListParts | s3:ListMultipartUploadParts | +| PostObject | s3:PutObject | +| PutBucketAcl | s3:PutBucketAcl | +| PutBucketCors | s3:PutBucketCORS | +| PutBucketLifecycleConfiguration | s3:PutLifecycleConfiguration | +| PutBucketTagging | s3:PutBucketTagging | +| PutBucketVersioning | s3:PutBucketVersioning | +| PutBucketWebsite | s3:PutBucketWebsite | +| PutObject | s3:PutObject | +| PutObjectAcl | s3:PutObjectAcl | +| PutObjectLegalHold | s3:PutObjectLegalHold | +| PutObjectLockConfiguration | s3:PutBucketObjectLockConfiguration | +| PutObjectRetention | s3:PutObjectRetention | +| PutObjectTagging (with a `versionId` specified)| s3:PutObjectVersionTagging | +| PutObjectTagging | s3:PutObjectTagging | +| RestoreObject | s3:RestoreObject | +| UploadPart | s3:PutObject | +| UploadPartCopy | s3:PutObject | ## ObjectStorageReadOnly -| Amazon S3 Action | IAM Resource | IAM Action | Authorized | -| 
------------------------------- | ------------ | ---------- | -----------| -| AbortMultipartUpload | Object | Delete | No | -| CompleteMultipartUpload | Object | Create | No | -| CopyObject | Object | Write | No | -| CreateBucket | Bucket | Create | No | -| CreateMultipartUpload | Object | Create | No | -| DeleteBucket | Bucket | Delete | No | -| DeleteBucketCors | Bucket | Write | No | -| DeleteBucketLifecycle | Bucket | Write | No | -| DeleteBucketPolicy | Policy | Write | No | -| DeleteBucketTagging | Bucket | Write | No | -| DeleteBucketWebsite | Bucket | Write | No | -| DeleteObject | Object | Delete | No | -| DeleteObjects | Object | Delete | No | -| DeleteObjectTagging | Object | Write | No | -| GetBucketAcl | Bucket | Read | Yes | -| GetBucketCors | Bucket | Read | Yes | -| GetBucketLifecycleConfiguration | Bucket | Read | Yes | -| GetBucketLocation | Bucket | Read | Yes | -| GetBucketPolicy | Policy | Read | Yes | -| GetBucketPolicyStatus | Policy | Read | Yes | -| GetBucketTagging | Bucket | Read | Yes | -| GetBucketVersioning | Bucket | Read | Yes | -| GetBucketWebsite | Bucket | Read | Yes | -| GetObject | Object | Read | Yes | -| GetObjectAcl | Object | Read | Yes | -| GetObjectLegalHold | Object | Read | Yes | -| GetObjectLockConfiguration | Object | Read | Yes | -| GetObjectRetention | Object | Read | Yes | -| GetObjectTagging | Object | Read | Yes | -| HeadBucket | Bucket | Read | Yes | -| HeadObject | Object | Read | Yes | -| ListBuckets | Bucket | List | Yes | -| ListMultipartUploads | Object | List | Yes | -| ListObjects | Object | List | Yes | -| ListObjectsV2 | Object | List | Yes | -| ListObjectVersions | Object | List | Yes | -| ListParts | Object | List | Yes | -| PostObject | Object | Create | No | -| PutBucketAcl | Bucket | Write | No | -| PutBucketCors | Bucket | Write | No | -| PutBucketLifecycleConfiguration | Bucket | Write | No | -| PutBucketPolicy | Policy | Write | No | -| PutBucketTagging | Bucket | Write | No | -| 
PutBucketVersioning | Bucket | Write | No | -| PutBucketWebsite | Bucket | Write | No | -| PutObject | Object | Create | No | -| PutObjectAcl | Object | Write | No | -| PutObjectLegalHold | Object | Write | No | -| PutObjectLockConfiguration | Object | Write | No | -| PutObjectRetention | Object | Write | No | -| PutObjectTagging | Object | Write | No | -| RestoreObject | Object | Write | No | -| UploadPart | Object | Write | No | -| UploadPartCopy | Object | Write | No | +| Object Storage action | Bucket policy action required | +|------------------------------------------------|-------------------------------------------------| +| GetBucketAcl | s3:GetBucketAcl | +| GetBucketCors | s3:GetBucketCORS | +| GetBucketLifecycleConfiguration | s3:GetLifecycleConfiguration | +| GetBucketLocation | s3:GetBucketLocation | +| GetBucketTagging | s3:GetBucketTagging | +| GetBucketVersioning | s3:GetBucketVersioning | +| GetBucketWebsite | s3:GetBucketWebsite | +| GetObject (with a `versionId` specified) | s3:GetObjectVersion | +| GetObject | s3:GetObject | +| GetObjectAcl | s3:GetObjectAcl | +| GetObjectAttributes (with a `versionId` specified) | s3:GetObjectVersionAttributes | +| GetObjectAttributes | s3:GetObjectAttributes | +| GetObjectLegalHold | s3:GetObjectLegalHold | +| GetObjectLockConfiguration | s3:GetBucketObjectLockConfiguration | +| GetObjectRetention | s3:GetObjectRetention | +| GetObjectTagging (with a `versionId` specified)| s3:GetObjectVersionTagging | +| GetObjectTagging | s3:GetObjectTagging | +| HeadBucket | s3:ListBucket | +| HeadObject | s3:GetObject | +| ListBuckets | s3:ListBucket | +| ListMultipartUploads | s3:ListBucketMultipartUploads | +| ListObjects | s3:ListBucket | +| ListObjectsV2 | s3:ListBucket | +| ListObjectVersions | s3:ListBucketVersions | +| ListParts | s3:ListMultipartUploadParts | ## ObjectStorageBucketsRead -| Amazon S3 Action | IAM Resource | IAM Action | Authorized | 
-|---------------------------------|--------------|------------|------------| -| AbortMultipartUpload | Object | Delete | No | -| CompleteMultipartUpload | Object | Create | No | -| CopyObject | Object | Write | No | -| CreateBucket | Bucket | Create | No | -| CreateMultipartUpload | Object | Create | No | -| DeleteBucket | Bucket | Delete | No | -| DeleteBucketCors | Bucket | Write | No | -| DeleteBucketLifecycle | Bucket | Write | No | -| DeleteBucketPolicy | Policy | Write | No | -| DeleteBucketTagging | Bucket | Write | No | -| DeleteBucketWebsite | Bucket | Write | No | -| DeleteObject | Object | Delete | No | -| DeleteObjects | Object | Delete | No | -| DeleteObjectTagging | Object | Write | No | -| GetBucketAcl | Bucket | Read | Yes | -| GetBucketCors | Bucket | Read | Yes | -| GetBucketLifecycleConfiguration | Bucket | Read | Yes | -| GetBucketLocation | Bucket | Read | Yes | -| GetBucketPolicy | Policy | Read | No | -| GetBucketPolicyStatus | Policy | Read | No | -| GetBucketTagging | Bucket | Read | Yes | -| GetBucketVersioning | Bucket | Read | Yes | -| GetBucketWebsite | Bucket | Read | Yes | -| GetObject | Object | Read | No | -| GetObjectAcl | Object | Read | No | -| GetObjectLegalHold | Object | Read | No | -| GetObjectLockConfiguration | Object | Read | No | -| GetObjectRetention | Object | Read | No | -| GetObjectTagging | Object | Read | No | -| HeadBucket | Bucket | Read | Yes | -| HeadObject | Object | Read | No | -| ListBuckets | Bucket | List | Yes | -| ListMultipartUploads | Object | List | No | -| ListObjects | Object | List | No | -| ListObjectsV2 | Object | List | No | -| ListObjectVersions | Object | List | No | -| ListParts | Object | List | No | -| PostObject | Object | Create | No | -| PutBucketAcl | Bucket | Write | No | -| PutBucketCors | Bucket | Write | No | -| PutBucketLifecycleConfiguration | Bucket | Write | No | -| PutBucketPolicy | Policy | Write | No | -| PutBucketTagging | Bucket | Write | No | -| PutBucketVersioning | 
Bucket | Write | No | -| PutBucketWebsite | Bucket | Write | No | -| PutObject | Object | Create | No | -| PutObjectAcl | Object | Write | No | -| PutObjectLegalHold | Object | Write | No | -| PutObjectLockConfiguration | Object | Write | No | -| PutObjectRetention | Object | Write | No | -| PutObjectTagging | Object | Write | No | -| RestoreObject | Object | Write | No | -| UploadPart | Object | Write | No | -| UploadPartCopy | Object | Write | No | +| Object Storage action | Bucket policy action required | +|------------------------------------------------|-------------------------------------------------| +| GetBucketAcl | s3:GetBucketAcl | +| GetBucketCors | s3:GetBucketCORS | +| GetBucketLifecycleConfiguration | s3:GetLifecycleConfiguration | +| GetBucketLocation | s3:GetBucketLocation | +| GetBucketTagging | s3:GetBucketTagging | +| GetBucketVersioning | s3:GetBucketVersioning | +| GetBucketWebsite | s3:GetBucketWebsite | +| HeadBucket | s3:ListBucket | +| ListBuckets | s3:ListBucket | ## ObjectStorageBucketsWrite -| Amazon S3 Action | IAM Resource | IAM Action | Authorized | -|---------------------------------|--------------|------------|------------| -| AbortMultipartUpload | Object | Delete | No | -| CompleteMultipartUpload | Object | Create | No | -| CopyObject | Object | Write | No | -| CreateBucket | Bucket | Create | Yes | -| CreateMultipartUpload | Object | Create | No | -| DeleteBucket | Bucket | Delete | No | -| DeleteBucketCors | Bucket | Write | Yes | -| DeleteBucketLifecycle | Bucket | Write | Yes | -| DeleteBucketPolicy | Policy | Write | No | -| DeleteBucketTagging | Bucket | Write | Yes | -| DeleteBucketWebsite | Bucket | Write | Yes | -| DeleteObject | Object | Delete | No | -| DeleteObjects | Object | Delete | No | -| DeleteObjectTagging | Object | Write | No | -| GetBucketAcl | Bucket | Read | No | -| GetBucketCors | Bucket | Read | No | -| GetBucketLifecycleConfiguration | Bucket | Read | No | -| GetBucketLocation | Bucket | Read | No | -| 
GetBucketPolicy | Policy | Read | No | -| GetBucketPolicyStatus | Policy | Read | No | -| GetBucketTagging | Bucket | Read | No | -| GetBucketVersioning | Bucket | Read | No | -| GetBucketWebsite | Bucket | Read | No | -| GetObject | Object | Read | No | -| GetObjectAcl | Object | Read | No | -| GetObjectLegalHold | Object | Read | No | -| GetObjectLockConfiguration | Object | Read | No | -| GetObjectRetention | Object | Read | No | -| GetObjectTagging | Object | Read | No | -| HeadBucket | Bucket | Read | No | -| HeadObject | Object | Read | No | -| ListBuckets | Bucket | List | No | -| ListMultipartUploads | Object | List | No | -| ListObjects | Object | List | No | -| ListObjectsV2 | Object | List | No | -| ListObjectVersions | Object | List | No | -| ListParts | Object | List | No | -| PostObject | Object | Create | No | -| PutBucketAcl | Bucket | Write | Yes | -| PutBucketCors | Bucket | Write | Yes | -| PutBucketLifecycleConfiguration | Bucket | Write | Yes | -| PutBucketPolicy | Policy | Write | No | -| PutBucketTagging | Bucket | Write | Yes | -| PutBucketVersioning | Bucket | Write | Yes | -| PutBucketWebsite | Bucket | Write | Yes | -| PutObject | Object | Create | No | -| PutObjectAcl | Object | Write | No | -| PutObjectLegalHold | Object | Write | No | -| PutObjectLockConfiguration | Object | Write | No | -| PutObjectRetention | Object | Write | No | -| PutObjectTagging | Object | Write | No | -| RestoreObject | Object | Write | No | -| UploadPart | Object | Write | No | -| UploadPartCopy | Object | Write | No | +| Object Storage action | Bucket policy action required | +|------------------------------------------------|-------------------------------------------------| +| CreateBucket | - | +| DeleteBucketCors | s3:PutBucketCORS | +| DeleteBucketLifecycleConfiguration | s3:PutLifecycleConfiguration | +| DeleteBucketTagging | s3:PutBucketTagging | +| DeleteBucketWebsite | s3:DeleteBucketWebsite | +| PutBucketAcl | s3:PutBucketAcl | +| PutBucketCors | 
s3:PutBucketCORS | +| PutBucketLifecycleConfiguration | s3:PutLifecycleConfiguration | +| PutBucketTagging | s3:PutBucketTagging | +| PutBucketVersioning | s3:PutBucketVersioning | +| PutBucketWebsite | s3:PutBucketWebsite | ## ObjectStorageBucketsDelete -| Amazon S3 Action | IAM Resource | IAM Action | Authorized | -|---------------------------------|--------------|------------|------------| -| AbortMultipartUpload | Object | Delete | No | -| CompleteMultipartUpload | Object | Create | No | -| CopyObject | Object | Write | No | -| CreateBucket | Bucket | Create | No | -| CreateMultipartUpload | Object | Create | No | -| DeleteBucket | Bucket | Delete | Yes | -| DeleteBucketCors | Bucket | Write | No | -| DeleteBucketLifecycle | Bucket | Write | No | -| DeleteBucketPolicy | Policy | Write | No | -| DeleteBucketTagging | Bucket | Write | No | -| DeleteBucketWebsite | Bucket | Write | No | -| DeleteObject | Object | Delete | No | -| DeleteObjects | Object | Delete | No | -| DeleteObjectTagging | Object | Write | No | -| GetBucketAcl | Bucket | Read | No | -| GetBucketCors | Bucket | Read | No | -| GetBucketLifecycleConfiguration | Bucket | Read | No | -| GetBucketLocation | Bucket | Read | No | -| GetBucketPolicy | Policy | Read | No | -| GetBucketPolicyStatus | Policy | Read | No | -| GetBucketTagging | Bucket | Read | No | -| GetBucketVersioning | Bucket | Read | No | -| GetBucketWebsite | Bucket | Read | No | -| GetObject | Object | Read | No | -| GetObjectAcl | Object | Read | No | -| GetObjectLegalHold | Object | Read | No | -| GetObjectLockConfiguration | Object | Read | No | -| GetObjectRetention | Object | Read | No | -| GetObjectTagging | Object | Read | No | -| HeadBucket | Bucket | Read | No | -| HeadObject | Object | Read | No | -| ListBuckets | Bucket | List | No | -| ListMultipartUploads | Object | List | No | -| ListObjects | Object | List | No | -| ListObjectsV2 | Object | List | No | -| ListObjectVersions | Object | List | No | -| ListParts | Object 
| List | No | -| PostObject | Object | Create | No | -| PutBucketAcl | Bucket | Write | No | -| PutBucketCors | Bucket | Write | No | -| PutBucketLifecycleConfiguration | Bucket | Write | No | -| PutBucketPolicy | Policy | Write | No | -| PutBucketTagging | Bucket | Write | No | -| PutBucketVersioning | Bucket | Write | No | -| PutBucketWebsite | Bucket | Write | No | -| PutObject | Object | Create | No | -| PutObjectAcl | Object | Write | No | -| PutObjectLegalHold | Object | Write | No | -| PutObjectLockConfiguration | Object | Write | No | -| PutObjectRetention | Object | Write | No | -| PutObjectTagging | Object | Write | No | -| RestoreObject | Object | Write | No | -| UploadPart | Object | Write | No | -| UploadPartCopy | Object | Write | No | +| Object Storage action | Bucket policy action required | +|---------------------------|-------------------------------| +| DeleteBucket | s3:DeleteBucket | ## ObjectStorageObjectsRead -| Amazon S3 Action | IAM Resource | IAM Action | Authorized | -|---------------------------------|--------------|------------|------------| -| AbortMultipartUpload | Object | Delete | No | -| CompleteMultipartUpload | Object | Create | No | -| CopyObject | Object | Write | No | -| CreateBucket | Bucket | Create | No | -| CreateMultipartUpload | Object | Create | No | -| DeleteBucket | Bucket | Delete | No | -| DeleteBucketCors | Bucket | Write | No | -| DeleteBucketLifecycle | Bucket | Write | No | -| DeleteBucketPolicy | Policy | Write | No | -| DeleteBucketTagging | Bucket | Write | No | -| DeleteBucketWebsite | Bucket | Write | No | -| DeleteObject | Object | Delete | No | -| DeleteObjects | Object | Delete | No | -| DeleteObjectTagging | Object | Write | No | -| GetBucketAcl | Bucket | Read | No | -| GetBucketCors | Bucket | Read | No | -| GetBucketLifecycleConfiguration | Bucket | Read | No | -| GetBucketLocation | Bucket | Read | No | -| GetBucketPolicy | Policy | Read | No | -| GetBucketPolicyStatus | Policy | Read | No | -| 
GetBucketTagging | Bucket | Read | No | -| GetBucketVersioning | Bucket | Read | No | -| GetBucketWebsite | Bucket | Read | No | -| GetObject | Object | Read | Yes | -| GetObjectAcl | Object | Read | Yes | -| GetObjectLegalHold | Object | Read | Yes | -| GetObjectLockConfiguration | Object | Read | Yes | -| GetObjectRetention | Object | Read | Yes | -| GetObjectTagging | Object | Read | Yes | -| HeadBucket | Bucket | Read | No | -| HeadObject | Object | Read | Yes | -| ListBuckets | Bucket | List | No | -| ListMultipartUploads | Object | List | Yes | -| ListObjects | Object | List | Yes | -| ListObjectsV2 | Object | List | Yes | -| ListObjectVersions | Object | List | Yes | -| ListParts | Object | List | Yes | -| PostObject | Object | Create | No | -| PutBucketAcl | Bucket | Write | No | -| PutBucketCors | Bucket | Write | No | -| PutBucketLifecycleConfiguration | Bucket | Write | No | -| PutBucketPolicy | Policy | Write | No | -| PutBucketTagging | Bucket | Write | No | -| PutBucketVersioning | Bucket | Write | No | -| PutBucketWebsite | Bucket | Write | No | -| PutObject | Object | Create | No | -| PutObjectAcl | Object | Write | No | -| PutObjectLegalHold | Object | Write | No | -| PutObjectLockConfiguration | Object | Write | No | -| PutObjectRetention | Object | Write | No | -| PutObjectTagging | Object | Write | No | -| RestoreObject | Object | Write | No | -| UploadPart | Object | Write | No | -| UploadPartCopy | Object | Write | No | +| Object Storage action | Bucket policy action required | +|------------------------------------------------|-------------------------------------------------| +| GetObject (with a `versionId` specified) | s3:GetObjectVersion | +| GetObject | s3:GetObject | +| GetObjectAcl | s3:GetObjectAcl | +| GetObjectAttributes (with a `versionId` specified) | s3:GetObjectVersionAttributes | +| GetObjectAttributes | s3:GetObjectAttributes | +| GetObjectLegalHold | s3:GetObjectLegalHold | +| GetObjectLockConfiguration | 
s3:GetBucketObjectLockConfiguration | +| GetObjectRetention | s3:GetObjectRetention | +| GetObjectTagging (with a `versionId` specified)| s3:GetObjectVersionTagging | +| GetObjectTagging | s3:GetObjectTagging | +| HeadObject | s3:GetObject | +| ListMultipartUploads | s3:ListBucketMultipartUploads | +| ListObjects | s3:ListBucket | +| ListObjectsV2 | s3:ListBucket | +| ListObjectVersions | s3:ListBucketVersions | +| ListParts | s3:ListMultipartUploadParts | ## ObjectStorageObjectsWrite -| Amazon S3 action | IAM resource | IAM action | Authorized | -|---------------------------------|--------------|------------|------------| -| AbortMultipartUpload | Object | Delete | No | -| CompleteMultipartUpload | Object | Create | Yes | -| CopyObject | Object | Write | Yes | -| CreateBucket | Bucket | Create | No | -| CreateMultipartUpload | Object | Create | Yes | -| DeleteBucket | Bucket | Delete | No | -| DeleteBucketCors | Bucket | Write | No | -| DeleteBucketLifecycle | Bucket | Write | No | -| DeleteBucketPolicy | Policy | Write | No | -| DeleteBucketTagging | Bucket | Write | No | -| DeleteBucketWebsite | Bucket | Write | No | -| DeleteObject | Object | Delete | No | -| DeleteObjects | Object | Delete | No | -| DeleteObjectTagging | Object | Write | Yes | -| GetBucketAcl | Bucket | Read | No | -| GetBucketCors | Bucket | Read | No | -| GetBucketLifecycleConfiguration | Bucket | Read | No | -| GetBucketLocation | Bucket | Read | No | -| GetBucketPolicy | Policy | Read | No | -| GetBucketPolicyStatus | Policy | Read | No | -| GetBucketTagging | Bucket | Read | No | -| GetBucketVersioning | Bucket | Read | No | -| GetBucketWebsite | Bucket | Read | No | -| GetObject | Object | Read | No | -| GetObjectAcl | Object | Read | No | -| GetObjectLegalHold | Object | Read | No | -| GetObjectLockConfiguration | Object | Read | No | -| GetObjectRetention | Object | Read | No | -| GetObjectTagging | Object | Read | No | -| HeadBucket | Bucket | Read | No | -| HeadObject | Object | Read 
| No | -| ListBuckets | Bucket | List | No | -| ListMultipartUploads | Object | List | No | -| ListObjects | Object | List | No | -| ListObjectsV2 | Object | List | No | -| ListObjectVersions | Object | List | No | -| ListParts | Object | List | No | -| PostObject | Object | Create | Yes | -| PutBucketAcl | Bucket | Write | No | -| PutBucketCors | Bucket | Write | No | -| PutBucketLifecycleConfiguration | Bucket | Write | No | -| PutBucketPolicy | Policy | Write | No | -| PutBucketTagging | Bucket | Write | No | -| PutBucketVersioning | Bucket | Write | No | -| PutBucketWebsite | Bucket | Write | No | -| PutObject | Object | Create | Yes | -| PutObjectAcl | Object | Write | Yes | -| PutObjectLegalHold | Object | Write | Yes | -| PutObjectLockConfiguration | Object | Write | Yes | -| PutObjectRetention | Object | Write | Yes | -| PutObjectTagging | Object | Write | Yes | -| RestoreObject | Object | Write | Yes | -| UploadPart | Object | Write | Yes | -| UploadPartCopy | Object | Write | Yes | +| Object Storage action | Bucket policy action required | +|------------------------------------------------|-------------------------------------------------| +| CompleteMultipartUpload | s3:PutObject | +| CopyObject | s3:PutObject | +| CreateMultipartUpload | s3:PutObject | +| DeleteObjectTagging (with a `versionId` specified) | s3:DeleteObjectVersionTagging | +| DeleteObjectTagging | s3:DeleteObjectTagging | +| PostObject | s3:PutObject | +| PutObject | s3:PutObject | +| PutObjectAcl | s3:PutObjectAcl | +| PutObjectLegalHold | s3:PutObjectLegalHold | +| PutObjectLockConfiguration | s3:PutBucketObjectLockConfiguration | +| PutObjectRetention | s3:PutObjectRetention | +| PutObjectTagging (with a `versionId` specified) | s3:PutObjectVersionTagging | +| PutObjectTagging | s3:PutObjectTagging | +| RestoreObject | s3:RestoreObject | +| UploadPart | s3:PutObject | +| UploadPartCopy | s3:PutObject | ## ObjectStorageObjectsDelete -| Amazon S3 Action | IAM Resource | IAM Action | 
Authorized | -|---------------------------------|--------------|------------|------------| -| AbortMultipartUpload | Object | Delete | Yes | -| CompleteMultipartUpload | Object | Create | No | -| CopyObject | Object | Write | No | -| CreateBucket | Bucket | Create | No | -| CreateMultipartUpload | Object | Create | No | -| DeleteBucket | Bucket | Delete | No | -| DeleteBucketCors | Bucket | Write | No | -| DeleteBucketLifecycle | Bucket | Write | No | -| DeleteBucketPolicy | Policy | Write | No | -| DeleteBucketTagging | Bucket | Write | No | -| DeleteBucketWebsite | Bucket | Write | No | -| DeleteObject | Object | Delete | Yes | -| DeleteObjects | Object | Delete | Yes | -| DeleteObjectTagging | Object | Write | No | -| GetBucketAcl | Bucket | Read | No | -| GetBucketCors | Bucket | Read | No | -| GetBucketLifecycleConfiguration | Bucket | Read | No | -| GetBucketLocation | Bucket | Read | No | -| GetBucketPolicy | Policy | Read | No | -| GetBucketPolicyStatus | Policy | Read | No | -| GetBucketTagging | Bucket | Read | No | -| GetBucketVersioning | Bucket | Read | No | -| GetBucketWebsite | Bucket | Read | No | -| GetObject | Object | Read | No | -| GetObjectAcl | Object | Read | No | -| GetObjectLegalHold | Object | Read | No | -| GetObjectLockConfiguration | Object | Read | No | -| GetObjectRetention | Object | Read | No | -| GetObjectTagging | Object | Read | No | -| HeadBucket | Bucket | Read | No | -| HeadObject | Object | Read | No | -| ListBuckets | Bucket | List | No | -| ListMultipartUploads | Object | List | No | -| ListObjects | Object | List | No | -| ListObjectsV2 | Object | List | No | -| ListObjectVersions | Object | List | No | -| ListParts | Object | List | No | -| PostObject | Object | Create | No | -| PutBucketAcl | Bucket | Write | No | -| PutBucketCors | Bucket | Write | No | -| PutBucketLifecycleConfiguration | Bucket | Write | No | -| PutBucketPolicy | Policy | Write | No | -| PutBucketTagging | Bucket | Write | No | -| PutBucketVersioning 
| Bucket | Write | No | -| PutBucketWebsite | Bucket | Write | No | -| PutObject | Object | Create | No | -| PutObjectAcl | Object | Write | No | -| PutObjectLegalHold | Object | Write | No | -| PutObjectLockConfiguration | Object | Write | No | -| PutObjectRetention | Object | Write | No | -| PutObjectTagging | Object | Write | No | -| RestoreObject | Object | Write | No | -| UploadPart | Object | Write | No | -| UploadPartCopy | Object | Write | No | \ No newline at end of file +| Object Storage action | Bucket policy action required | +|------------------------------------------------|-------------------------------------------------| +| AbortMultipartUpload | s3:AbortMultipartUpload | +| DeleteObject (with a `versionId` specified) | s3:DeleteObjectVersion | +| DeleteObject | s3:DeleteObject | +| DeleteObjects (with a `versionId` specified) | s3:DeleteObjectVersion | +| DeleteObjects | s3:DeleteObject | \ No newline at end of file
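Review bot: the cross-reference added under `#### Supported actions` in `bucket-policy.mdx` describes its target as the bucket policy action corresponding to each Object Storage API operation, but the target page's frontmatter in the second hunk still reads `title: Amazon S3 and IAM permissions equivalence` and `description: Understand how IAM permissions in Amazon S3 relate to Scaleway Object Storage`, so readers following the link land on a page whose title promises a different mapping. Either update that frontmatter in the same change or word the link to match the existing title, for instance "For the bucket policy action required by each Object Storage API operation, see the [permissions equivalence page](...)".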
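Review bot: the reworked tables in `s3-iam-permissions-equivalence.mdx` drop operations that the removed tables covered and that other tables in the same file still list, so the permission sets no longer compose consistently: `ObjectStorageFullAccess` no longer lists `DeleteBucket` (kept under `ObjectStorageBucketsDelete`) or `ListBuckets` (kept under `ObjectStorageReadOnly` and `ObjectStorageBucketsRead`), and the four policy operations removed from the old tables (`GetBucketPolicy`, `GetBucketPolicyStatus`, `PutBucketPolicy`, `DeleteBucketPolicy`) are not re-added anywhere, although the link added in the first hunk points here precisely for the action each operation requires. Three smaller points on the same hunk. The `-` in the `Bucket policy action required` column for `CreateBucket` is unexplained; a legend line under the new intro (for example, "`-` means no bucket policy action applies to this operation") would settle it. The intro says actions not authorized in a permission set are denied by default, but nothing states how the permission set and the listed bucket policy action combine when a policy is attached to the bucket; one sentence such as "When a bucket policy is attached, the listed action must also be allowed by that policy" would stop readers treating the second column as a substitute for the permission set. Finally, `DeleteBucketLifecycle` is renamed to `DeleteBucketLifecycleConfiguration` without an obvious reason (the removed row and the S3 API operation both use `DeleteBucketLifecycle`), a few rows such as `GetObjectTagging (with a `versionId` specified)|` lack the space before the closing pipe, and the file still ends with `\ No newline at end of file`.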