I just struggled with this for a couple hours so I figured it may be useful to other people who may be new to s3 policies and how rclone interacts with them.
I set up rclone with my bucket in Wasabi. `rclone ls` was working just fine but when I tried to copy a single file with `rclone copy` I kept getting:
(Bucket name and account ID redacted)

```
Failed to copy: failed to prepare upload: AccessDenied: User: arn:aws:iam::100000XXXXXX:user/rclone is not authorized to perform: s3:CreateBucket on resource: arn:aws:s3:::BUCKET-NAME
```
I thought, "that's weird. I'm not attempting to create a bucket." So, not knowing that much about IAM/s3 bucket policies, I just threw that permission in the bucket policy. IAM/s3 policy pros will already know my issue.
Even weirder though was that `restic sync` worked just fine as well. I don't know the underlying issue of why `copy` calls for creating a bucket while `sync` doesn't, but whatever.
After lots of troubleshooting, I realized I needed to create a policy and attach it to my `restic` user, and that it didn't belong in the bucket policy.
To fix the above issue create this policy and attach it to your user:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:CreateBucket"
      ],
      "Resource": "*"
    }
  ]
}
```
Once I had that in place my bucket policy worked as expected. Policy:
```json
{
  "Id": "Policy1699131183576",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "StmtForRcloneUserPermissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::100000XXXXXX:user/rclone"
      },
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation",
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::BUCKET-NAME",
        "arn:aws:s3:::BUCKET-NAME/*"
      ]
    }
  ]
}
```
After fixing that policy the `copy` operation worked just fine.
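To make the identity-policy versus bucket-policy distinction concrete, here is an added example (not from the original post, rclone or Wasabi) in Python: a toy evaluator that follows the simplified same-account S3 decision logic, an explicit Deny anywhere wins, otherwise an Allow in either the user's identity policy or the bucket policy is enough, otherwise the request is implicitly denied. It reproduces why `s3:CreateBucket` failed with only the bucket policy in place and passes once the user policy is attached. It also includes a tighter variant of the user policy that scopes `s3:CreateBucket` to the one bucket ARN rather than `*`; that the store honors the bucket ARN as the resource for `s3:CreateBucket` (as AWS does) is an assumption. The evaluator ignores `Condition`, `NotAction` and `NotResource`, and the account id and bucket name are the post's redacted placeholders.

```python
import fnmatch

# Constructed values standing in for the post's redacted account id and bucket name.
ACCOUNT_ID = "100000XXXXXX"
BUCKET = "BUCKET-NAME"
BUCKET_ARN = f"arn:aws:s3:::{BUCKET}"
RCLONE_USER = f"arn:aws:iam::{ACCOUNT_ID}:user/rclone"

# Identity policy attached to the user, as given in the post.
USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:ListAllMyBuckets", "s3:CreateBucket"],
        "Resource": "*",
    }],
}

# Tighter alternative (assumption: the store treats the bucket ARN as the
# resource for s3:CreateBucket, as AWS does). ListAllMyBuckets needs "*".
SCOPED_USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*"},
        {"Effect": "Allow", "Action": "s3:CreateBucket", "Resource": BUCKET_ARN},
    ],
}

# Bucket (resource) policy from the post: grants object-level access to one principal.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "StmtForRcloneUserPermissions",
        "Effect": "Allow",
        "Principal": {"AWS": RCLONE_USER},
        "Action": ["s3:ListBucket", "s3:GetBucketLocation",
                   "s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
        "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
    }],
}


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _match_any(patterns, value):
    """IAM-style wildcard match: '*' is any run, '?' one character, case-sensitive."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _principal_matches(stmt, principal_arn):
    """Resource policies name their principals; identity policies do not."""
    principal = stmt.get("Principal")
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return _match_any(principal.get("AWS", []), principal_arn)
    return False


def _statement_applies(stmt, principal_arn, action, resource, is_identity_policy):
    if any(k in stmt for k in ("Condition", "NotAction", "NotResource")):
        raise NotImplementedError("toy evaluator handles Action/Resource/Principal only")
    if not is_identity_policy and not _principal_matches(stmt, principal_arn):
        return False
    return (_match_any(stmt.get("Action", []), action)
            and _match_any(stmt.get("Resource", []), resource))


def evaluate(principal_arn, action, resource, identity_policies=(), resource_policies=()):
    """Simplified same-account decision: ExplicitDeny > Allow (from either side) > ImplicitDeny."""
    decision = "ImplicitDeny"
    sources = [(p, True) for p in identity_policies] + [(p, False) for p in resource_policies]
    for policy, is_identity in sources:
        for stmt in _as_list(policy["Statement"]):
            if _statement_applies(stmt, principal_arn, action, resource, is_identity):
                if stmt["Effect"] == "Deny":
                    return "ExplicitDeny"
                decision = "Allow"
    return decision


if __name__ == "__main__":
    # Reproduces the post: CreateBucket is only allowed once the user policy exists.
    for label, idp in (("bucket policy only", []), ("bucket + user policy", [USER_POLICY])):
        print(f"{label:22s} s3:CreateBucket ->",
              evaluate(RCLONE_USER, "s3:CreateBucket", BUCKET_ARN, idp, [BUCKET_POLICY]))
    print("scoped policy, other bucket  ->",
          evaluate(RCLONE_USER, "s3:CreateBucket", "arn:aws:s3:::other-bucket",
                   [SCOPED_USER_POLICY], [BUCKET_POLICY]))
```

Running it prints `ImplicitDeny` for the bucket-policy-only case and `Allow` once the user policy is included, which is the behaviour the post describes; the scoped variant still allows `s3:CreateBucket` on `BUCKET-NAME` but not on any other bucket, which is the least-privilege check worth making before granting `s3:CreateBucket` on `*` to a backup user.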
If this is obvious feel free to let me know and I'll just take it down but I figured someone might find it useful.