diff --git a/docs/storage-drivers/s3.md b/docs/storage-drivers/s3.md
index 86c3c8c1..8f8dce70 100644
--- a/docs/storage-drivers/s3.md
+++ b/docs/storage-drivers/s3.md
@@ -187,6 +187,42 @@ An implementation of the `storagedriver.StorageDriver` interface which uses Amaz
 `storageclass`: (optional) The storage class applied to each registry file. Defaults to STANDARD. Valid options are STANDARD and REDUCED_REDUNDANCY.
+## S3 permission scopes
+
+The following IAM permissions are required by the registry for push and pull. See [the S3 policy documentation](http://docs.aws.amazon.com/AmazonS3/latest/dev/mpuAndPermissions.html) for more details.
+
+```
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "s3:ListAllMyBuckets"
+ ],
+ "Resource": "arn:aws:s3:::*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "s3:ListBucket",
+ "s3:GetBucketLocation",
+ "s3:ListBucketMultipartUploads",
+ ],
+ "Resource": "arn:aws:s3:::mybucket"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "s3:PutObject",
+ "s3:GetObject",
+ "s3:DeleteObject",
+ "s3:ListMultipartUploadParts",
+ "s3:AbortMultipartUpload"
+ ],
+ "Resource": "arn:aws:s3:::mybucket/*"
+ }
+]
+```
+
 # CloudFront as Middleware with S3 backend
 ## Use Case