From d6b8e27086d16089a56ee933755a1b8b39b3a63f Mon Sep 17 00:00:00 2001 From: Andrew Date: Wed, 6 Dec 2017 06:31:31 +1100 Subject: [PATCH] website: Document required S3 IAM actions for S3 backend --- website/docs/backends/types/s3.html.md | 29 ++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/website/docs/backends/types/s3.html.md b/website/docs/backends/types/s3.html.md index 893fb11a8..13049c2c3 100644 --- a/website/docs/backends/types/s3.html.md +++ b/website/docs/backends/types/s3.html.md @@ -38,6 +38,35 @@ Terraform state is written to the key `path/to/my/key`. Note that for the access credentials we recommend using a [partial configuration](/docs/backends/config.html). +### S3 Bucket Permissions + +Terraform will need the following AWS IAM permissions on +the target backend bucket: + +* `s3:ListBucket` on `arn:aws:s3:::mybucket` +* `s3:GetObject` on `arn:aws:s3:::mybucket/path/to/my/key` +* `s3:PutObject` on `arn:aws:s3:::mybucket/path/to/my/key` + +This is seen in the following AWS IAM Statement: + +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "s3:ListBucket", + "Resource": "arn:aws:s3:::mybucket" + }, + { + "Effect": "Allow", + "Action": ["s3:GetObject", "s3:PutObject"], + "Resource": "arn:aws:s3:::mybucket/path/to/my/key" + } + ] +} +``` + ## Using the S3 remote state To make use of the S3 remote state we can use the
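Review bot: The opening sentence of the new "S3 Bucket Permissions" section says the permissions are needed "on the target backend bucket", but two of the three listed actions (`s3:GetObject`, `s3:PutObject`) apply to the state object ARN `arn:aws:s3:::mybucket/path/to/my/key`, not to the bucket ARN. Consider wording it as permissions on the bucket and on the state key, so readers do not attach all three actions to the bucket resource and end up with a grant that is either broader than needed or does not match. The sentence "This is seen in the following AWS IAM Statement:" introduces a complete policy document containing two statements, so "policy" would be more accurate than "Statement". It would also help to state that `mybucket` and `path/to/my/key` are the values from the configuration example earlier in the page and must be replaced with the reader's own bucket and key.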