
Restrictive IAM policy in docs caused error #593

Open
airblade opened this issue Jun 25, 2024 · 0 comments

@airblade

Hello!

Thank you for this wonderful tool.

I set up a restrictive IAM policy as per the docs but when I started litestream I saw these Access Denied errors from S3:

$ litestream replicate
time=2024-06-25T09:59:31.773Z level=INFO msg=litestream version=v0.3.13
time=2024-06-25T09:59:31.774Z level=INFO msg="initialized db" path=/var/www/example/storage/production.sqlite3
time=2024-06-25T09:59:31.774Z level=INFO msg="replicating to" name=s3 type=s3 sync-interval=1s bucket=example-backups path=app region=eu-west-2 endpoint=""
time=2024-06-25T09:59:32.928Z level=INFO msg="write snapshot" db=/var/www/example/storage/production.sqlite3 replica=s3 position=01fddf43eeeec9a8/00000001:4152
time=2024-06-25T09:59:32.962Z level=ERROR msg="monitor error" db=/var/www/example/storage/production.sqlite3 replica=s3 error="AccessDenied: Access Denied\n\tstatus code: 403, request id: 3P8G16JJVW7SM3J5, host id: Qi1/C5P6/wVjnC2f/rFLgPT5pJ+uFB+3wG3ujrdfniTnUg4Ba7BjyiOJ3wN74KtraetrioVQl28="
time=2024-06-25T09:59:33.808Z level=INFO msg="write snapshot" db=/var/www/example/storage/production.sqlite3 replica=s3 position=01fddf43eeeec9a8/00000001:4152
time=2024-06-25T09:59:33.856Z level=ERROR msg="monitor error" db=/var/www/example/storage/production.sqlite3 replica=s3 error="AccessDenied: Access Denied\n\tstatus code: 403, request id: NHV63T0BNM601X3H, host id: ai52cuOUg0An2KNthN2lOmVEhuVOIWBD1yC55yJyz/HDCUw90fwV/eszVRXu9AHhnSArwe4htzo="
time=2024-06-25T09:59:34.896Z level=INFO msg="write snapshot" db=/var/www/example/storage/production.sqlite3 replica=s3 position=01fddf43eeeec9a8/00000001:4152
time=2024-06-25T09:59:34.953Z level=INFO msg="snapshot written" db=/var/www/example/storage/production.sqlite3 replica=s3 position=01fddf43eeeec9a8/00000001:4152 elapsed=57.50852ms sz=10519
time=2024-06-25T09:59:35.015Z level=INFO msg="write wal segment" db=/var/www/example/storage/production.sqlite3 replica=s3 position=01fddf43eeeec9a8/00000001:0
time=2024-06-25T09:59:35.052Z level=INFO msg="wal segment written" db=/var/www/example/storage/production.sqlite3 replica=s3 position=01fddf43eeeec9a8/00000001:0 elapsed=36.676667ms sz=4152

The snapshot and WAL files seemed to be pushed to S3 correctly, as far as I could tell.

Anyway, when I adjusted the policy and restarted litestream, there were no more errors:

  {
      "Version": "2012-10-17",
      "Statement": [
          {
              "Effect": "Allow",
              "Action": [
                  "s3:GetBucketLocation",
                  "s3:ListBucket"
              ],
              "Resource": "arn:aws:s3:::<BUCKET>"
          },
          {
              "Effect": "Allow",
              "Action": [
                  "s3:PutObject",
                  "s3:DeleteObject",
                  "s3:GetObject"
              ],
              "Resource": [
+                  "arn:aws:s3:::<BUCKET>/*"
-                  "arn:aws:s3:::<BUCKET>/*",
-                  "arn:aws:s3:::<BUCKET>"
              ]
          }
      ]
  }
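Review bot: the two `-` lines remove `arn:aws:s3:::<BUCKET>` from the object-action statement, and that removal does not change what the statement permits: `s3:GetObject`, `s3:PutObject` and `s3:DeleteObject` are evaluated against object ARNs, so a bare bucket ARN in that `Resource` list never matched any request and was a dead entry. The hunk as shown therefore does not by itself explain why the 403s stopped. The errors in the log are tagged `msg="monitor error"` while the snapshot and WAL writes succeed, so it is worth confirming whether the first statement (`s3:ListBucket` and `s3:GetBucketLocation` on the bucket ARN) was added or changed at the same time, and whether the docs' policy includes it. The `+` line correctly drops the trailing comma, since `arn:aws:s3:::<BUCKET>/*` is now the last element of the array and JSON does not allow a trailing comma there.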

Although I don't understand why removing a resource would prevent access-denied errors, I think that specifying the bucket as a resource for the object actions (put/delete/get) doesn't make sense.
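The following script is an added check, not code from the issue or from the Litestream project. It classifies each action/resource pair in the two policies above by the ARN kind the action is evaluated against (bucket ARN for `s3:ListBucket` and `s3:GetBucketLocation`, object ARN for `s3:GetObject`, `s3:PutObject` and `s3:DeleteObject`, which is standard S3 behaviour), lists the entries that can never match a request, and reports which of those actions a policy fails to grant on the right ARN. The `<BUCKET>` placeholder is the one used in the issue; `OBJECT_ONLY_POLICY` is constructed here to show what a policy missing the bucket-level statement looks like, and wildcard actions such as `s3:*` are deliberately not expanded.

```python
import json

ARN_PREFIX = "arn:aws:s3:::"

# S3 actions named in this issue's policy, grouped by the ARN kind each one is
# evaluated against: bucket-level actions match arn:aws:s3:::BUCKET, object-level
# actions match arn:aws:s3:::BUCKET/<key pattern>. Wildcards (s3:*) are not expanded.
BUCKET_LEVEL = {"s3:ListBucket", "s3:GetBucketLocation"}
OBJECT_LEVEL = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject"}

# Policy from the issue before the change: the bucket ARN is also listed under the
# object actions.
BEFORE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetBucketLocation", "s3:ListBucket"],
     "Resource": "arn:aws:s3:::<BUCKET>"},
    {"Effect": "Allow",
     "Action": ["s3:PutObject", "s3:DeleteObject", "s3:GetObject"],
     "Resource": ["arn:aws:s3:::<BUCKET>/*", "arn:aws:s3:::<BUCKET>"]}
  ]
}
""")

# Policy from the issue after the change.
AFTER_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetBucketLocation", "s3:ListBucket"],
     "Resource": "arn:aws:s3:::<BUCKET>"},
    {"Effect": "Allow",
     "Action": ["s3:PutObject", "s3:DeleteObject", "s3:GetObject"],
     "Resource": "arn:aws:s3:::<BUCKET>/*"}
  ]
}
""")

# Constructed for illustration (not from the issue): the bucket-level statement
# was forgotten, so only object reads and writes are allowed.
OBJECT_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:PutObject", "s3:DeleteObject", "s3:GetObject"],
         "Resource": "arn:aws:s3:::<BUCKET>/*"},
    ],
}


def _as_list(value):
    # IAM allows both a single string and a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def is_object_arn(arn):
    """True for arn:aws:s3:::bucket/key-pattern, False for a bare bucket ARN."""
    return arn.startswith(ARN_PREFIX) and "/" in arn[len(ARN_PREFIX):]


def allow_pairs(policy):
    """Every (action, resource) pair spelled out by an Allow statement, in policy order."""
    pairs = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt["Action"]):
            for resource in _as_list(stmt["Resource"]):
                pairs.append((action, resource))
    return pairs


def find_dead_resources(policy):
    """Pairs that can never match a request because the action is evaluated
    against the other ARN kind. They grant nothing but obscure what the policy
    really allows, which is the confusion described in the issue."""
    dead = []
    for action, resource in allow_pairs(policy):
        obj = is_object_arn(resource)
        if (action in OBJECT_LEVEL and not obj) or (action in BUCKET_LEVEL and obj):
            dead.append((action, resource))
    return dead


def effective_grants(policy):
    """The pairs that actually grant access once dead entries are dropped."""
    return set(allow_pairs(policy)) - set(find_dead_resources(policy))


def missing_grants(policy, bucket):
    """Actions from the issue's policy that are not granted on the ARN kind they
    need for `bucket`, sorted so the result is stable."""
    grants = effective_grants(policy)
    missing = [a for a in sorted(BUCKET_LEVEL) if (a, ARN_PREFIX + bucket) not in grants]
    missing += [a for a in sorted(OBJECT_LEVEL) if (a, ARN_PREFIX + bucket + "/*") not in grants]
    return missing


if __name__ == "__main__":
    for name, policy in [("before", BEFORE_POLICY), ("after", AFTER_POLICY),
                         ("object-only", OBJECT_ONLY_POLICY)]:
        print(name, "dead:", find_dead_resources(policy),
              "missing:", missing_grants(policy, "<BUCKET>"))
```

Run against the two policies from the issue, the script reports three dead entries in the "before" policy (each object action paired with the bare bucket ARN), none in the "after" policy, and an identical set of effective grants for both, which is why removing the bucket ARN from the object statement cannot by itself change an authorization decision. The constructed object-only policy is flagged as missing `s3:GetBucketLocation` and `s3:ListBucket`.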
