What permission is needed to use S3 listObjectVersions in AWS?
From Actions, Resources, and Condition Keys for Amazon S3 - AWS Identity and Access Management:
ListBucketVersions: Use the versions subresource to list metadata about all of the versions of objects in a bucket.
I tested this as follows:
- Created an IAM User
- Assigned the policy below
- Ran the command:
aws s3api list-object-versions --bucket my-bucket
It worked successfully.
The policy was:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:ListBucketVersions",
"Resource": "*"
}
]
}
So, while the naming seems a bit strange (List Object Versions vs List Bucket Versions), it is the correct permission to use.
You need to update your Resource
in the policy.
s3:ListBucketVersions
is the action that you're looking for.
It should be as follows:
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Action":[
"s3:ListAllMyBuckets"
],
"Resource":"arn:aws:s3:::*"
},
{
"Effect":"Allow",
"Action":[
"s3:ListBucket",
"s3:GetBucketLocation",
"s3:ListBucketVersions",
"s3:GetBucketVersioning"
],
"Resource":"arn:aws:s3:::examplebucket"
},
{
"Effect":"Allow",
"Action":[
"s3:PutObject",
"s3:PutObjectAcl",
"s3:GetObject",
"s3:GetObjectAcl",
"s3:DeleteObject",
"s3:GetObjectVersionTagging",
"s3:GetObjectVersionTorrent",
"s3:GetObjectVersionAcl",
"s3:GetObjectVersionForReplication",
"s3:GetObjectVersion"
],
"Resource":"arn:aws:s3:::examplebucket/*"
}
]
}
Try to change your policy accordingly.