Help with AWS IAM policy

so what is your current iam bucket policy, what are you using for the principal?

I'm not using a PRINCIPAL statement. The policy is attached to the user (who is already the PRINCIPAL so maybe that's why the policy editor is rejecting the PRINCIPAL statement?)

Using s3-no-check-bucket does drop the errors. But if you then try to upload files, the errors show up again.

Good

Run the command with -vv --dump headers to work out which operation is causing the problem then add that operation to the ACL. Repeat until working!

Unfortunately, the output is very similar to the ones I pasted earlier in the thread. Forbidden (404) followed by access denied messages.

I can't help but think that the issue is with the policy and how it's attached. The policy is attached to the IAM user to grant the user permissions on the bucket. It is not attached to the bucket (or any other AWS object). Does rclone expect the policy to be attached to a different object other than the IAM user? (Not sure why that would make a difference since the user is granted access to the bucket with the user attached policy but maybe something about how rclone accesses the bucket makes a difference.)

what i do is

-- for user iam policy, just things related to user.
in my case, users need to use a MFA token, to create an on-the-fly, time limited, session token.
and that temporary session token is used by rclone to access s3.
so i could give you my rclone.conf and you could not access my data.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": "*",
      "Condition": {
        "Bool": {
          "aws:MultiFactorAuthPresent": "false"
        }
      }
    }
  ]
}

--- for each bucket, locked down using the bucket policy i shared up above.
usually one iam user per bucket.
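
Added example (not part of the post above, and not rclone or AWS code): a minimal Python model of how the Deny statement above behaves for three kinds of credentials, compared with the same statement written with BoolIfExists. IAM leaves aws:MultiFactorAuthPresent out of the request context for long-term access keys, and a plain Bool test does not match a missing key. The function names and the request contexts are constructed for illustration.

```python
# Minimal model of the Bool / BoolIfExists condition operators for one
# Deny statement. This is an illustration, not a full IAM policy evaluator.

def condition_matches(operator, key, expected, context):
    """Return True when one condition test holds for this request context."""
    if key not in context:
        # Key absent from the request: Bool does not match, BoolIfExists does.
        return operator == "BoolIfExists"
    return str(context[key]).lower() == expected.lower()


def deny_applies(statement, context):
    """Return True when every condition of a Deny statement matches."""
    for operator, tests in statement.get("Condition", {}).items():
        for key, expected in tests.items():
            if not condition_matches(operator, key, expected, context):
                return False
    return statement["Effect"] == "Deny"


def mfa_deny(operator):
    """The statement from the post, with the condition operator as a parameter."""
    return {
        "Effect": "Deny",
        "Action": "s3:*",
        "Resource": "*",
        "Condition": {operator: {"aws:MultiFactorAuthPresent": "false"}},
    }


# Constructed request contexts, one per credential type.
CONTEXTS = {
    "long-term access key": {},  # key is not present at all
    "session token without MFA": {"aws:MultiFactorAuthPresent": "false"},
    "session token with MFA": {"aws:MultiFactorAuthPresent": "true"},
}


def evaluate(operator):
    """Map each credential type to whether the Deny statement applies."""
    return {name: deny_applies(mfa_deny(operator), ctx)
            for name, ctx in CONTEXTS.items()}


if __name__ == "__main__":
    for op in ("Bool", "BoolIfExists"):
        for name, denied in evaluate(op).items():
            print(f"{op:13} {name:26} deny applies: {denied}")
```

With Bool, only the session token without MFA is denied by this statement; with BoolIfExists, a request signed with a long-term access key is denied as well.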

If you can show the request that caused the error then we can work out what policy you need.
