So I have read the docs on required S3 permissions and done some testing with S3 IAM users who are supposed to be restricted to a subfolder within a bucket.
It would be super useful if rclone could work with permissions restricted to a subfolder within a bucket, say with a policy such as the following:
Many thanks Nick, the -vv --dump bodies flags revealed the problem, which was easily fixed by changing the policy.
The thing is that the previous policy which I posted above does not allow ListBucket action in sub-sub-folders, which turns out to be necessary by looking at the --dump bodies output. So simply expanding the prefix condition to SUBFOLDER_NAME/* as opposed to SUBFOLDER_NAME/ solved the problem.
The only thing I can still see that Rclone is doing is that the first call it does is HEAD /BUCKET_NAME/SUBFOLDER_NAME.
This call is failing with 403 Forbidden since the head action is only allowed on /BUCKET_NAME/SUBFOLDER_NAME/*.
It doesn’t seem to affect the rest of the command processing, so I am not sure if anything needs to be looked at there.
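
The prefix matching discussed in this thread, as an added example that is not part of the original posts or of rclone: a simplified Python model of IAM `StringLike` matching on `s3:prefix`. The policy is constructed (the thread's original policy is not shown on this page), HEAD on an object is modelled as `s3:GetObject`, and `like`, `allowed` and `make_policy` are hypothetical helpers, not AWS's evaluation engine.

```python
import re

def like(pattern, value):
    """IAM-style wildcard match: '*' is any run of characters, '?' is one character."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value, re.DOTALL) is not None

def allowed(policy, action, resource, prefix=None):
    """Simplified model: True if any Allow statement matches (no Deny, no other keys)."""
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        if not any(like(a, action) for a in st["Action"]):
            continue
        if not any(like(r, resource) for r in st["Resource"]):
            continue
        patterns = st.get("Condition", {}).get("StringLike", {}).get("s3:prefix")
        # A statement conditioned on s3:prefix only matches requests carrying a matching prefix.
        if patterns is not None and (prefix is None or not any(like(p, prefix) for p in patterns)):
            continue
        return True
    return False

def make_policy(list_prefix):
    # Constructed policy; BUCKET_NAME / SUBFOLDER_NAME are the thread's placeholders.
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": ["arn:aws:s3:::BUCKET_NAME"],
         "Condition": {"StringLike": {"s3:prefix": [list_prefix]}}},
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
         "Resource": ["arn:aws:s3:::BUCKET_NAME/SUBFOLDER_NAME/*"]},
    ]}

BUCKET = "arn:aws:s3:::BUCKET_NAME"
NARROW = make_policy("SUBFOLDER_NAME/")   # lists only the top of the subfolder
WIDE = make_policy("SUBFOLDER_NAME/*")    # also lists nested prefixes

if __name__ == "__main__":
    for name, pol in (("SUBFOLDER_NAME/", NARROW), ("SUBFOLDER_NAME/*", WIDE)):
        print(name,
              "| list top:", allowed(pol, "s3:ListBucket", BUCKET, "SUBFOLDER_NAME/"),
              "| list nested:", allowed(pol, "s3:ListBucket", BUCKET, "SUBFOLDER_NAME/a/b/"),
              "| list other:", allowed(pol, "s3:ListBucket", BUCKET, "OTHER/"),
              "| HEAD folder key:", allowed(pol, "s3:GetObject", BUCKET + "/SUBFOLDER_NAME"))
```

In this model the wider prefix still denies listing outside `SUBFOLDER_NAME/`, and the HEAD on the bare `SUBFOLDER_NAME` key is denied under both policies because the object resource pattern ends in `/*`.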