From 0f4427b3c3f31c08d85c9f38d83f8734d62e860f Mon Sep 17 00:00:00 2001 From: Richard Scothern Date: Thu, 31 Mar 2016 14:34:59 -0700 Subject: [PATCH 1/2] Document required IAM permissions for S3 storage driver. Signed-off-by: Richard Scothern --- docs/storage-drivers/s3.md | 36 ++++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) diff --git a/docs/storage-drivers/s3.md b/docs/storage-drivers/s3.md index 86c3c8c1..8f8dce70 100644 --- a/docs/storage-drivers/s3.md +++ b/docs/storage-drivers/s3.md @@ -187,6 +187,42 @@ An implementation of the `storagedriver.StorageDriver` interface which uses Amaz `storageclass`: (optional) The storage class applied to each registry file. Defaults to STANDARD. Valid options are STANDARD and REDUCED_REDUNDANCY. +## S3 permission scopes + +The following IAM permissions are required by the registry for push and pull. See [the S3 policy documentation](http://docs.aws.amazon.com/AmazonS3/latest/dev/mpuAndPermissions.html) for more details. + +``` + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "s3:ListAllMyBuckets" + ], + "Resource": "arn:aws:s3:::*" + }, + { + "Effect": "Allow", + "Action": [ + "s3:ListBucket", + "s3:GetBucketLocation", + "s3:ListBucketMultipartUploads", + ], + "Resource": "arn:aws:s3:::mybucket" + }, + { + "Effect": "Allow", + "Action": [ + "s3:PutObject", + "s3:GetObject", + "s3:DeleteObject", + "s3:ListMultipartUploadParts", + "s3:AbortMultipartUpload" + ], + "Resource": "arn:aws:s3:::mybucket/*" + } +] +``` + # CloudFront as Middleware with S3 backend ## Use Case From e4817cfc94befcfae80a7568d2c3245477e946e5 Mon Sep 17 00:00:00 2001 From: Richard Scothern Date: Wed, 6 Apr 2016 14:22:08 -0700 Subject: [PATCH 2/2] Remove ListAllMyBuckets from the S3 permission scope. Signed-off-by: Richard Scothern --- docs/storage-drivers/s3.md | 7 ------- 1 file changed, 7 deletions(-) diff --git a/docs/storage-drivers/s3.md b/docs/storage-drivers/s3.md index 8f8dce70..2a7aa9f5 100644 
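Review bot: The policy excerpt added in the first hunk has a trailing comma after `"s3:ListBucketMultipartUploads",` at the end of the second statement's `Action` array, which a strict JSON parser and the IAM policy validator reject, so the documented least-privilege policy cannot be applied as pasted and readers may fall back to broader grants; the line should read `"s3:ListBucketMultipartUploads"`. The snippet shows only the `"Statement"` array without the enclosing policy object (and its `"Version"` field), and `mybucket` is a placeholder, so the prose before the fence should say that this is the Statement body to drop into a full policy document and that `mybucket` must be replaced with the registry bucket name. The bare ``` fence could be tagged `json` so renderers highlight it. A one-line reason per statement (bucket-level listing and multipart enumeration on the bucket ARN versus object read/write/delete and multipart part operations on the `/*` ARN) would help an operator judge whether to grant each action.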
--- a/docs/storage-drivers/s3.md +++ b/docs/storage-drivers/s3.md @@ -193,13 +193,6 @@ The following IAM permissions are required by the registry for push and pull. S ``` "Statement": [ - { - "Effect": "Allow", - "Action": [ - "s3:ListAllMyBuckets" - ], - "Resource": "arn:aws:s3:::*" - }, { "Effect": "Allow", "Action": [