TL;DR - not 100% sure, I always use Principal. Not sure I have ever tried without Principal.
And now here is the long answer why I always use Principal.
With my backup script, there are always two levels of policies:
--- user policy - requires MFA login, else no access to any s3 resource
--- bucket policy
If you use rclone.conf and someone stole it, they would have access to your S3 resources.
However, with this user policy, if someone stole your rclone config file, it would be useless to them.
To access S3, they would need the client_id and client_secret from the config file.
In addition, the backup script would have to generate an additional on-the-fly MFA token, which is not contained in the rclone config file.
Then, after creating the token, it would need to feed that to rclone using
Env Var: RCLONE_S3_SESSION_TOKEN
So this is the user policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": "*",
      "Condition": {
        "BoolIfExists": {
          "aws:MultiFactorAuthPresent": "false"
        }
      }
    }
  ]
}
(BoolIfExists rather than Bool: the aws:MultiFactorAuthPresent key is absent from requests made with long-term access keys, so a plain Bool "false" condition never matches them and the Deny would not fire for a stolen key pair.)
And this is the bucket policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::100000065159:user/zork"
      },
      "Action": "s3:PutObject",
      "Resource": [
        "arn:aws:s3:::minimal/*",
        "arn:aws:s3:::minimal"
      ]
    }
  ]
}
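As an added example (not the poster's script, and not part of the original post), the following Python shows the two pieces the answer describes: getting MFA-backed temporary credentials from STS and handing them to rclone through RCLONE_S3_* environment variables, plus a small evaluator for the Deny statement so you can see how it behaves for a request made with long-term keys. Two caveats a practitioner would want are built in: STS GetSessionToken returns a new temporary access key and secret together with the session token, and the token is only valid with that pair, so all three RCLONE_S3_ variables must be set, not just RCLONE_S3_SESSION_TOKEN; and the aws:MultiFactorAuthPresent key is not present in requests made with long-term access keys, so a Deny using Bool does not apply to them while BoolIfExists does. The aws and rclone command lines, the MFA serial, the remote name and the paths are assumptions for illustration; the request contexts and STS response are constructed.

```python
"""Added example: MFA session credentials for rclone, and a check of the
Deny-without-MFA statement against a request context. Assumes the AWS CLI
and rclone are installed and the long-term key is the one rclone.conf uses;
remote name, bucket path and MFA serial are illustrative assumptions."""
import json
import os
import subprocess
import sys

# STS 'Credentials' field -> rclone s3 backend env override. rclone reads
# backend-specific RCLONE_S3_* variables before the config file, so these
# replace the long-term pair stored in rclone.conf for this run only.
RCLONE_ENV = {
    "AccessKeyId": "RCLONE_S3_ACCESS_KEY_ID",
    "SecretAccessKey": "RCLONE_S3_SECRET_ACCESS_KEY",
    "SessionToken": "RCLONE_S3_SESSION_TOKEN",
}


def rclone_env_from_sts(credentials):
    """Map a GetSessionToken 'Credentials' object onto rclone env vars.
    All three are required: the session token is only accepted together
    with the temporary key pair that STS issued alongside it."""
    missing = [k for k in RCLONE_ENV if k not in credentials]
    if missing:
        raise ValueError(f"STS response lacks {missing}")
    return {RCLONE_ENV[k]: credentials[k] for k in RCLONE_ENV}


def get_session_token(mfa_serial, token_code, duration=900):
    """Call the AWS CLI with the long-term key and an MFA code and return
    the Credentials dict. Requires network and the CLI; not run by tests."""
    out = subprocess.run(
        ["aws", "sts", "get-session-token",
         "--serial-number", mfa_serial,
         "--token-code", token_code,
         "--duration-seconds", str(duration),
         "--output", "json"],
        check=True, capture_output=True, text=True,
    ).stdout
    return json.loads(out)["Credentials"]


def deny_applies(policy, context):
    """Return True if any Deny statement's Condition matches the request
    context. Action/Resource matching is assumed to hold already (the posted
    statement is s3:* on *). Only Bool and BoolIfExists are implemented."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        matched = True
        for op, clauses in stmt.get("Condition", {}).items():
            for key, want in clauses.items():
                if key not in context:
                    # ...IfExists: a missing key counts as a match.
                    # Plain operator: a missing key means "not satisfied".
                    matched = matched and op.endswith("IfExists")
                else:
                    matched = matched and (
                        str(context[key]).lower() == str(want).lower())
        if matched:
            return True
    return False


def mfa_deny_policy(operator):
    """The posted user policy, parameterised on the condition operator."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Deny",
            "Action": "s3:*",
            "Resource": "*",
            "Condition": {operator: {"aws:MultiFactorAuthPresent": "false"}},
        }],
    }


# Constructed request contexts (what IAM sees for each credential type).
LONG_TERM_KEY = {}                                   # key absent entirely
TEMP_NO_MFA = {"aws:MultiFactorAuthPresent": "false"}
TEMP_WITH_MFA = {"aws:MultiFactorAuthPresent": "true"}

if __name__ == "__main__":
    # Usage: python mfa_rclone.py <mfa-serial-arn> <6-digit-code> <src> <remote:bucket>
    serial, code, src, dst = sys.argv[1:5]
    env = dict(os.environ)
    env.update(rclone_env_from_sts(get_session_token(serial, code)))
    subprocess.run(["rclone", "copy", src, dst, "-v"], env=env, check=True)
```

Running it as `python mfa_rclone.py arn:aws:iam::123456789012:mfa/zork 123456 /data/backup remote:minimal` (assumed values) performs one backup under 15-minute credentials; nothing in the process environment outlives the run. The evaluator is the part worth keeping around: feed it the Bool variant of the posted policy with the long-term-key context and it reports no Deny, which is exactly the case a stolen rclone.conf exercises.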