What permission is needed to use S3 listObjectVersions in AWS?

From Actions, Resources, and Condition Keys for Amazon S3 - AWS Identity and Access Management:

ListBucketVersions: Use the versions subresource to list metadata about all of the versions of objects in a bucket.

I tested this as follows:

  • Created an IAM User
  • Assigned the policy below
  • Ran the command: aws s3api list-object-versions --bucket my-bucket

It worked successfully.

The policy was:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:ListBucketVersions",
            "Resource": "*"
        }
    ]
}

So, while the naming seems a bit strange (List Object Versions vs List Bucket Versions), it is the correct permission to use.


You need to update your Resource in the policy.

s3:ListBucketVersions is the action that you're looking for.

It should be as follows:

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":[
            "s3:ListAllMyBuckets"
         ],
         "Resource":"arn:aws:s3:::*"
      },
      {
         "Effect":"Allow",
         "Action":[
            "s3:ListBucket",
            "s3:GetBucketLocation",
            "s3:ListBucketVersions",
            "s3:GetBucketVersioning"
         ],
         "Resource":"arn:aws:s3:::examplebucket"
      },
      {
         "Effect":"Allow",
         "Action":[
            "s3:PutObject",
            "s3:PutObjectAcl",
            "s3:GetObject",
            "s3:GetObjectAcl",
            "s3:DeleteObject",
            "s3:GetObjectVersionTagging",
            "s3:GetObjectVersionTorrent",
            "s3:GetObjectVersionAcl",
            "s3:GetObjectVersionForReplication",
            "s3:GetObjectVersion"
         ],
         "Resource":"arn:aws:s3:::examplebucket/*"
      }
   ]
}

Try to change your policy accordingly.