website/docs: add s3 perms (#19579)

* Add s3 perms * Update website/docs/sys-mgmt/ops/storage-s3.md Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> --------- Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> Co-authored-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
2026-05-05 06:32:15 +02:00 · 2026-01-19 14:29:08 +00:00
parent c606940116
commit 0058146f7d
2 changed files with 47 additions and 0 deletions
--- a/website/docs/sys-mgmt/ops/storage-s3.md
+++ b/website/docs/sys-mgmt/ops/storage-s3.md
@@ -28,6 +28,51 @@ If using AWS S3, you can omit `--endpoint-url`, but you may need to specify `--r

 The bucket ACL is set to private. Depending on your provider you can alternatively disable ACLs and rely on bucket policies.

+### Bucket policy
+
+The following actions need to be allowed on the bucket:
+
+```text
+ListObjectsV2
+GetObject
+PutObject
+CreateMultipartUpload
+CompleteMultipartUpload
+AbortMultipartUpload
+DeleteObject
+HeadObject
+```
+
+The following policy can be used in AWS:
+
+```json IAM policy
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "ListObjectsInBucket",
+            "Effect": "Allow",
+            "Action": ["s3:ListBucket"],
+            "Resource": "arn:aws:s3:::<bucket_name>"
+        },
+        {
+            "Sid": "ObjectLevelAccess",
+            "Effect": "Allow",
+            "Action": [
+                "s3:GetObject",
+                "s3:PutObject",
+                "s3:DeleteObject",
+                "s3:AbortMultipartUpload",
+                "s3:CreateMultipartUpload",
+                "s3:CompleteMultipartUpload",
+                "s3:HeadObject"
+            ],
+            "Resource": "arn:aws:s3:::<bucket_name>/*"
+        }
+    ]
+}
+```
+
 ### CORS policy

 Apply a CORS policy to the bucket, allowing the authentik web interface to access images directly.