Hi all,
In the process of finishing up an application and as part of the last few
things prior to launch, I'm looking to firm up my IAM policies. I have an
unversioned S3 bucket that I'm planning to turn versioning on for and set a
lifecycle policy to delete old versions after a set period, and therefore
want to trim my IAM user permissions down to the set necessary for pushing
backups and deleting versions (only).
Right now I have the following permissions for the group on the folder that
WAL-E pushes to:
{
  "Sid": "Stmt1390013977000",
  "Effect": "Allow",
  "Action": [
    "s3:GetBucketAcl",
    "s3:GetBucketLocation",
    "s3:GetBucketPolicy",
    "s3:GetBucketRequestPayment",
    "s3:GetBucketVersioning",
    "s3:GetObject",
    "s3:GetObjectAcl",
    "s3:GetObjectVersion",
    "s3:GetObjectVersionAcl",
    "s3:DeleteObject",
    "s3:DeleteObjectVersion",
    "s3:AbortMultipartUpload",
    "s3:ListBucket",
    "s3:PutObject",
    "s3:PutObjectAcl"
  ],
  "Resource": [
    "arn:aws:s3:::appname/backups/*"
  ]
}
1. What is the list of policies that I need to trim it down to? I would
assume removing *DeleteObject* (and unnecessary stuff like
*GetBucketRequestPayment*) would be as far as it goes.
2. In the case where I need to pull an old version, how does WAL-E
interact with that? i.e. if the current version is deleted manually via
wal-e delete --confirm - how would I go about running a backup-fetch on
older versions? (is that even possible?)
Thanks in advance.
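A check worth running before trimming the statement above, given here as an added example that is not part of the original post and not WAL-E code: S3 evaluates bucket-level actions such as s3:ListBucket against the bucket ARN, so with only an object ARN in "Resource" they match nothing. The script regroups the posted actions by ARN type; the helper names are hypothetical, and it does not decide which actions WAL-E itself needs.

```python
import json

# Constructed input: the Action and Resource lists from the statement in the post.
POSTED = {
    "Effect": "Allow",
    "Action": [
        "s3:GetBucketAcl", "s3:GetBucketLocation", "s3:GetBucketPolicy",
        "s3:GetBucketRequestPayment", "s3:GetBucketVersioning", "s3:GetObject",
        "s3:GetObjectAcl", "s3:GetObjectVersion", "s3:GetObjectVersionAcl",
        "s3:DeleteObject", "s3:DeleteObjectVersion", "s3:AbortMultipartUpload",
        "s3:ListBucket", "s3:PutObject", "s3:PutObjectAcl",
    ],
    "Resource": ["arn:aws:s3:::appname/backups/*"],
}

# Actions from the post that S3 authorizes against the bucket ARN, not object ARNs.
BUCKET_LEVEL = {
    "s3:GetBucketAcl", "s3:GetBucketLocation", "s3:GetBucketPolicy",
    "s3:GetBucketRequestPayment", "s3:GetBucketVersioning", "s3:ListBucket",
}

def allow(actions, resources, **extra):
    # Hypothetical helper: build one Allow statement.
    return {"Effect": "Allow", "Action": actions, "Resource": resources, **extra}

def split_statement(stmt):
    """Return (actions matching no listed resource, statements regrouped by ARN type)."""
    object_arns = [r for r in stmt["Resource"] if "/" in r]
    bucket_arns = sorted({r.split("/", 1)[0] for r in stmt["Resource"]})
    prefixes = [r.split("/", 1)[1] for r in object_arns]
    bucket_acts = [a for a in stmt["Action"] if a in BUCKET_LEVEL]
    object_acts = [a for a in stmt["Action"] if a not in BUCKET_LEVEL]
    # With only object ARNs listed, bucket-level actions never match a request.
    unmatched = bucket_acts if len(object_arns) == len(stmt["Resource"]) else []
    out = []
    if "s3:ListBucket" in bucket_acts:
        # The s3:prefix condition keeps listing confined to the backup folder.
        out.append(allow(["s3:ListBucket"], bucket_arns,
                         Condition={"StringLike": {"s3:prefix": prefixes}}))
    others = [a for a in bucket_acts if a != "s3:ListBucket"]
    if others:
        out.append(allow(others, bucket_arns))
    if object_acts:
        out.append(allow(object_acts, object_arns))
    return unmatched, out

if __name__ == "__main__":
    unmatched, statements = split_statement(POSTED)
    print(json.dumps({"unmatched": unmatched, "statements": statements}, indent=2))
```

Any action dropped from the original list should be dropped from the regrouped statements as well; the split only changes which ARN each remaining action is attached to.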