This repository has been archived by the owner on Feb 5, 2020. It is now read-only.

What is the minimal IAM policy for this plugin? #7

Open
iainelder opened this issue Jul 18, 2018 · 2 comments

iainelder commented Jul 18, 2018

I am using the verdaccio-s3-storage plugin on an EC2 instance to persist verdaccio's application data to an S3 bucket.

Through trial and error, and finally reading the source code, I have an IAM policy that the plugin appears to work with. See the YAML CloudFormation fragment below for a precise definition.

A summary of my findings:

  • The getObject, putObject, headObject, and deleteObject SDK methods require their direct cognate actions GetObject, PutObject, HeadObject, and DeleteObject on all keys.
  • The listObjectsV2 SDK method requires the ListBucket action on the bucket.
  • The put SDK method requires the ListMultipartUploadParts and AbortMultipartUpload actions on all keys, and the ListBucketMultipartUploads action on the bucket.

Have I missed something?

Could you document the correct answer somewhere?

      Policies:
        - PolicyName: verdaccio-storage
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - s3:GetObject
                  - s3:PutObject
                  - s3:DeleteObject
                  - s3:HeadObject
                  - s3:ListMultipartUploadParts
                  - s3:AbortMultipartUpload
                Resource:
                  - !Sub "arn:aws:s3:::${VerdaccioStorageBucket}/*"
              - Effect: Allow
                Action:
                  - s3:ListBucketMultipartUploads
                  - s3:ListBucket
                Resource:
                  - !Sub "arn:aws:s3:::${VerdaccioStorageBucket}"
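
As an added example (not part of the original post and not the plugin's code), the Python check below encodes the split described in the findings above: object-level actions on `bucket/*`, bucket-level actions on the bucket ARN. It reports statements that attach an action to the wrong resource level, use wildcards, or name an action outside that list. The bucket name and the `check_policy` helper are assumptions made for illustration.

```python
# Added example: resource-level check for the S3 actions named in the post.
# Which level each action belongs to follows the post's findings.
OBJECT_ACTIONS = {
    "s3:GetObject", "s3:PutObject", "s3:DeleteObject",
    "s3:HeadObject",  # as posted; IAM authorizes HeadObject calls via s3:GetObject
    "s3:ListMultipartUploadParts", "s3:AbortMultipartUpload",
}
BUCKET_ACTIONS = {"s3:ListBucket", "s3:ListBucketMultipartUploads"}

def as_list(value):
    """IAM accepts either a single string/object or a list of them."""
    return list(value) if isinstance(value, (list, tuple)) else [value]

def is_object_arn(arn):
    """True for arn:aws:s3:::bucket/key-pattern, False for a bare bucket ARN."""
    return "/" in arn.split(":::", 1)[-1]

def check_policy(document):
    """Return (statement index, action, problem) tuples for Allow statements."""
    findings = []
    for i, stmt in enumerate(as_list(document["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        resources = as_list(stmt.get("Resource", []))
        if any(r == "*" or r.startswith("arn:aws:s3:::*") for r in resources):
            findings.append((i, "*", "resource not scoped to one bucket"))
            continue  # level checks mean nothing on an unscoped statement
        for action in as_list(stmt.get("Action", [])):
            if "*" in action:
                problem = "wildcard action"
            elif action in OBJECT_ACTIONS:
                ok = any(is_object_arn(r) for r in resources)
                problem = None if ok else "needs an object ARN (bucket/*)"
            elif action in BUCKET_ACTIONS:
                ok = not all(is_object_arn(r) for r in resources)
                problem = None if ok else "needs the bucket ARN"
            else:
                problem = "not in the post's action list"
            if problem:
                findings.append((i, action, problem))
    return findings

BUCKET = "arn:aws:s3:::example-verdaccio-bucket"  # constructed bucket name
# The posted policy, with the !Sub references resolved to the constructed ARN.
POSTED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": sorted(OBJECT_ACTIONS), "Resource": [BUCKET + "/*"]},
    {"Effect": "Allow", "Action": sorted(BUCKET_ACTIONS), "Resource": [BUCKET]},
]}
# Constructed misconfiguration: every action attached to the bucket ARN only.
FLAT = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket", "s3:*"],
    "Resource": BUCKET}}
```

`check_policy(POSTED)` returns an empty list, while `check_policy(FLAT)` reports the `s3:GetObject` grant that would never match an object key and the `s3:*` wildcard.
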
@mattemoore

This HAS HAS HAS to get into the proper documentation. Without this posting we never would have gotten this plugin to work.

@apexskier apexskier added the question Further information is requested label Feb 9, 2019
@TrejGun

TrejGun commented Jun 20, 2019
