It’s a good idea to set an IAM access policy for anything that accesses AWS using your account details, I wanted to do this for s3cmd syncing a local directory to an s3 bucket. There are a number of posts on setting up the IAM policy for s3cmd already but none of the examples worked, I got a 403 permission denied error when running the s3cmd sync command.
After some digging it turns out that s3cmd now tries to set an ACL on the files it uploads, and this needs to be specifically allowed in the ACL. I’m guessing that it didn’t in the past, hence the now incorrect IAM advice. So here is the new working IAM policy, complete with the s3:PutObjectAcl permission added:
(See jrantil’s comment below on wether s3:ListAllMyBuckets is needed in this instance)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "Version": "2012-10-17", | |
| "Statement": [ | |
| { | |
| "Sid": "Stmt1397834652000", | |
| "Effect": "Allow", | |
| "Action": [ | |
| "s3:ListAllMyBuckets" | |
| ], | |
| "Resource": [ | |
| "arn:aws:s3:::*" | |
| ] | |
| }, | |
| { | |
| "Sid": "Stmt1397834745000", | |
| "Effect": "Allow", | |
| "Action": [ | |
| "s3:ListBucket", | |
| "s3:PutObject", | |
| "s3:PutObjectAcl" | |
| ], | |
| "Resource": [ | |
| "arn:aws:s3:::bucketname", | |
| "arn:aws:s3:::bucketname/*" | |
| ] | |
| } | |
| ] | |
| } |
Will writes 
Hm, just making sure here, why is listing all buckets required?
I tested syncing and did not need the permission to list buckets.
The last time I did work with s3cmd the –configure option did need this permission to work correctly.
It’s so long ago that I forget. It may be that s3cmd sync requires it, but if you test it and find that it isn’t I’d be happy to know.
Hi,
Work perfectly for me. thanks a lots.
This works great with `aws s3 sync` as well!
I can confirm that the policy without s3:ListAllMyBuckets works for aws s3 sync.
You’ll want to add “s3:DeleteObject” to be able to delete files, e.g.: when using `–delete-removed –force` to keep the destination bucket clean.
The minimum which actually worked for me using aws s3 sync –delete
– PolicyName: “s3SyncTaskPolicy”
PolicyDocument:
Version: 2012-10-17
Statement:
– Effect: Allow
Action:
– s3:DeleteObject
– s3:ListBucket
– s3:GetObject
– s3:GetBucketLocation
– s3:PutObject
– s3:PutObjectAcl
Resource:
– “arn:aws:s3:::bucketname”
– “arn:aws:s3:::bucketname/*”