I have an S3 bucket with a lifecycle management rule configured, and I need to be able to restore objects from Glacier. To do that, I have an EC2 instance with an IAM role attached to it. The IAM policy looks like this:
s3:SetObjectAcl
s3:GetObject
s3:ListBucket
s3:GetBucketAcl
When I run the restore command (something like this):
aws s3api restore-object --bucket [and the rest of the command here]
I get a permission error saying I need to add s3:restoreobject to the policy attached to my IAM role. This bucket I am running the restore on has an inventory list that is being kept in another bucket. Can someone please shed some light on this and let me know what the policy should look like? Thank you in advance.
You’ll need to update your IAM policy to include the s3:RestoreObject permission explicitly, since restoring from Glacier requires it. Try adding the following to your IAM policy:
{
  "Effect": "Allow",
  "Action": [
    "s3:RestoreObject",
    "s3:GetObject",
    "s3:ListBucket",
    "s3:GetBucketAcl",
    "s3:SetObjectAcl"
  ],
  "Resource": [
    "arn:aws:s3:::your-bucket-name",
    "arn:aws:s3:::your-bucket-name/*"
  ]
}
After updating the policy, attach it to your IAM role, and then try running the aws s3api restore-object command again. This should work for initiating restores from Glacier.
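To see why the original action list fails and the amended statement works, here is an added example (not part of the original posts, and not AWS code) that models Allow/Deny matching of actions and resource ARNs in a simplified way. The Resource for the original policy, the SCOPED variant, the sample key and the helper names are assumptions made for illustration.

```python
import re

BUCKET_ARN = "arn:aws:s3:::your-bucket-name"  # placeholder name from the answer
OBJECT_ARN = BUCKET_ARN + "/*"

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _match(pattern, value, ignore_case=False):
    # IAM wildcards: '*' is any run of characters, '?' is exactly one.
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value, re.IGNORECASE if ignore_case else 0) is not None

def is_allowed(statements, action, resource):
    """Simplified identity-policy check: explicit Deny wins, else any matching Allow.
    Not modelled: conditions, NotAction/NotResource, SCPs, boundaries, bucket policies."""
    allowed = False
    for st in statements:
        hit = (any(_match(a, action, True) for a in _as_list(st["Action"]))  # actions: case-insensitive
               and any(_match(r, resource) for r in _as_list(st["Resource"])))
        if hit and st["Effect"] == "Deny":
            return False
        allowed = allowed or (hit and st["Effect"] == "Allow")
    return allowed

# Actions from the question; the Resource is assumed (the question does not show it).
ORIGINAL = [{"Effect": "Allow",
             "Action": ["s3:SetObjectAcl", "s3:GetObject", "s3:ListBucket", "s3:GetBucketAcl"],
             "Resource": [BUCKET_ARN, OBJECT_ARN]}]

# Statement from the answer: the same actions plus s3:RestoreObject.
ANSWER = [dict(ORIGINAL[0], Action=ORIGINAL[0]["Action"] + ["s3:RestoreObject"])]

# Tighter variant (assumption, not from the page): object actions on object ARNs,
# bucket actions on the bucket ARN only.
SCOPED = [
    {"Effect": "Allow", "Action": ["s3:RestoreObject", "s3:GetObject"], "Resource": OBJECT_ARN},
    {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetBucketAcl"], "Resource": BUCKET_ARN},
]

def can_restore(statements, key="archive/report.csv"):  # key is a constructed sample
    return is_allowed(statements, "s3:RestoreObject", f"{BUCKET_ARN}/{key}")

if __name__ == "__main__":
    for name, policy in [("original", ORIGINAL), ("answer", ANSWER), ("scoped", SCOPED)]:
        print(f"{name:8} can restore: {can_restore(policy)}")
```

None of these statements cover a second bucket, so any access the role needs to the bucket that stores the inventory list requires its own statement.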