Document minimal AWS S3 Policy

[bedla]

Hi,
based on discussion at #786 I have created this PR.
Please take a look.
Thx
Ivos

[kgrando]

Missing a comma here?

[kgrando]

We use Barman with the cnpg-i plugin. In our PoC, Rook Ceph RGW is used as the object store.

In this setup, I had to add s3:PutObject on the bucket itself, not only on the object scope. Without this, multipart uploads fail, while WAL file archiving still works. The error looks like this:

ERROR: Backup failed uploading data (An error occurred (AccessDenied) when calling the CreateMultipartUpload operation: None)

I am not sure if this is specific to the RGW implementation, but it might be worth mentioning in the documentation.
Another possible fix is to include both resources in the same allow statement:

"Resource": [
  "arn:aws:s3:::${BUCKET_NAME}",
  "arn:aws:s3:::${BUCKET_NAME}/*"
]

The policy I currently use:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "BucketOperations",
      "Effect": "Allow",
      "Principal": {
        "AWS": [ "arn:aws:iam:::user/${BUCKET_NAME}" ]
      },
      "Action": [
        "s3:ListBucket",
        "s3:PutObject"
      ],
      "Resource": [ "arn:aws:s3:::${BUCKET_NAME}" ]
    },
    {
      "Sid": "ObjectOperations",
      "Effect": "Allow",
      "Principal": {
        "AWS": [ "arn:aws:iam:::user/${BUCKET_NAME}" ]
      },
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:AbortMultipartUpload"
      ],
      "Resource": [ "arn:aws:s3:::${BUCKET_NAME}/*" ]
    }
  ]
}

I also create the bucket beforehand, so the s3:CreateBucket permission is not required when following least privilege.