Tags: amazon-web-services, amazon-s3, aws-permissions

How to set permissions to view/restore AWS S3 object version history


I can't seem to figure out what permissions I must add to my policy to allow an IAM user access to view/download previous versions of an object.

Currently, my policy contains the following permissions. Once logged on the AWS console website, the user can indeed see the full history of previous versions for all objects in the bucket:

    "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:ListBucket",
        "s3:GetBucketVersioning",
        "s3:ListBucketVersions",
        "s3:GetObjectTagging",
        "s3:PutObjectTagging"
    ]

However, when clicking on one of the objects to see its previous versions, opening or downloading the file fails and an "Access denied" error is shown.

I also found this API call, but it, too, only asks for the "s3:ListBucketVersions" permission to be set, which is already the case.

What, in addition, is needed to perform "get" or "put" for previous versions, not just the latest version?


Solution

  • This is the policy I am using. You need GetObject and GetObjectVersion (and the Put actions too) for the objects, and ListBucket and ListBucketVersions for the bucket.

        - PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Action:
                  - s3:GetObject
                  - s3:GetObjectVersion
                Effect: 'Allow'
                Resource:
                  - !Sub ${ResourcesBucket.Arn}/*
              - Action:
                  - s3:ListBucket
                  - s3:ListBucketVersions
                Effect: 'Allow'
                Resource:
                  - !GetAtt ResourcesBucket.Arn
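As an added illustration (not part of the question or the answer), the script below is a small Python evaluator for identity-policy Allow/Deny statements; it replays the asker's action list and the answer's two-statement policy against the calls behind "view" and "restore" of an old version. The bucket ARN, object key and the asker's Resource entries are constructed placeholders.

```python
import fnmatch

# Constructed sample (not from the question): a placeholder bucket ARN and the
# asker's original action list, granted on both the bucket and object ARNs.
BUCKET = "arn:aws:s3:::example-bucket"

ORIGINAL = {"Statement": [{"Effect": "Allow", "Resource": [BUCKET, BUCKET + "/*"],
    "Action": ["s3:PutObject", "s3:GetObject", "s3:ListBucket",
               "s3:GetBucketVersioning", "s3:ListBucketVersions",
               "s3:GetObjectTagging", "s3:PutObjectTagging"]}]}

# The answer's shape: object actions on <bucket>/*, bucket actions on the bucket ARN.
CORRECTED = {"Statement": [
    {"Effect": "Allow", "Resource": [BUCKET + "/*"],
     "Action": ["s3:GetObject", "s3:GetObjectVersion", "s3:PutObject"]},
    {"Effect": "Allow", "Resource": [BUCKET],
     "Action": ["s3:ListBucket", "s3:ListBucketVersions"]}]}

def _matches(value, patterns, fold_case):
    # IAM '*' spans any characters, '/' included; action names are case-insensitive,
    # resource ARNs are not.
    if fold_case:
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def is_allowed(policy, action, resource):
    """Simplified identity-policy evaluation: an explicit Deny wins, otherwise any
    matching Allow grants. Conditions, NotAction and NotResource are not modelled."""
    allowed = False
    for stmt in policy["Statement"]:
        acts = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        res = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if _matches(action, acts, True) and _matches(resource, res, False):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def version_access(policy, bucket_arn, key):
    """Verdicts for the calls behind viewing and restoring a previous object version."""
    obj = f"{bucket_arn}/{key}"
    get_old = is_allowed(policy, "s3:GetObjectVersion", obj)
    return {
        "list_versions": is_allowed(policy, "s3:ListBucketVersions", bucket_arn),
        "get_old_version": get_old,
        # copying an old version back as the current version also needs s3:PutObject
        "restore_version": get_old and is_allowed(policy, "s3:PutObject", obj),
    }
```

Note that `s3:ListBucketVersions` only takes effect on the bucket ARN itself; granting it on `<bucket>/*` alone evaluates as denied.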