
AWS IAM policy change for #146

@joanfabregat

Description


This is not really a bug but a warning following the commit b041c03, which introduces a change in the required AWS permissions policy for the account used by schickling/mysql-backup-s3.

Previously schickling/mysql-backup-s3 required an account with only this (very simple) AWS policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "s3:PutObject",
            "Resource": [
                "arn:aws:s3:::***BUCKET_NAME***/*",
                "arn:aws:s3:::***BUCKET_NAME***"
            ]
        }
    ]
}

Since the addition of the following line, the backup fails with the above policy.

EXISTS_ERR=`aws $AWS_ARGS s3api head-bucket --bucket "$S3_BUCKET" 2>&1 || true`

The reported error message is:

Bucket BUCKET_NAME not found (or owned by someone else), attempting to create
An error occurred (IllegalLocationConstraintException) when calling the CreateBucket operation: The unspecified location constraint is incompatible for the region specific endpoint this request was sent to.

The policy now requires s3:ListBucket in order to execute aws s3api head-bucket (as documented here).

The required minimum AWS permissions policy is now:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject", 
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::***BUCKET_NAME***/*",
                "arn:aws:s3:::***BUCKET_NAME***"
            ]
        }
    ]
}

Just wanted to give a heads up to other developers running into this problem.
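The following script is an added example, not code from the project or from the issue author. It is a deliberately small IAM policy evaluator (actions and resources with IAM's `*`/`?` wildcards, explicit Deny over Allow over implicit deny) that checks the two policies above against the calls the backup script makes: `s3api head-bucket`, which IAM authorizes as `s3:ListBucket` on the bucket ARN itself (not on the `/*` object ARN), and the object upload, which needs `s3:PutObject` on the object ARN. The bucket name `example-backup-bucket` is a constructed placeholder, and the evaluator ignores everything real IAM also considers (conditions, SCPs, bucket policies, session policies), so it only demonstrates why the old policy fails and the new one passes.

```python
"""Minimal IAM-style policy evaluator for the mysql-backup-s3 permission change.

Added example, not project code. Models only identity-policy Allow/Deny
statements on Action/Resource; no Condition, SCP, bucket-policy or
NotAction/NotResource handling.
"""
import json
import re

BUCKET = "example-backup-bucket"  # constructed placeholder bucket name
BUCKET_ARN = f"arn:aws:s3:::{BUCKET}"
OBJECT_ARN = f"{BUCKET_ARN}/*"

# Policy that used to be sufficient (from the issue, placeholder substituted).
OLD_POLICY = json.loads(f"""{{
    "Version": "2012-10-17",
    "Statement": [{{
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": "s3:PutObject",
        "Resource": ["{OBJECT_ARN}", "{BUCKET_ARN}"]
    }}]
}}""")

# Policy required after commit b041c03 added the head-bucket check.
NEW_POLICY = json.loads(f"""{{
    "Version": "2012-10-17",
    "Statement": [{{
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": ["s3:PutObject", "s3:ListBucket"],
        "Resource": ["{OBJECT_ARN}", "{BUCKET_ARN}"]
    }}]
}}""")

# What the backup script does, as (label, IAM action, resource ARN).
# HeadBucket is authorized as s3:ListBucket on the bucket ARN; the upload
# is s3:PutObject on the object key, i.e. the /* resource.
BACKUP_CALLS = [
    ("aws s3api head-bucket", "s3:ListBucket", BUCKET_ARN),
    ("aws s3 cp (upload dump)", "s3:PutObject", OBJECT_ARN),
]


def _wildcard_match(pattern: str, value: str, case_sensitive: bool = True) -> bool:
    """IAM wildcard matching: '*' matches any run of characters, '?' one."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    flags = 0 if case_sensitive else re.IGNORECASE
    return re.match(regex, value, flags) is not None


def _as_list(value):
    """IAM allows Action/Resource to be a string or a list; normalize."""
    return value if isinstance(value, list) else [value]


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Evaluate one request: explicit Deny wins, then Allow, else implicit deny."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        # Action names are case-insensitive; resource ARNs are case-sensitive.
        if not any(_wildcard_match(a, action, case_sensitive=False) for a in actions):
            continue
        if not any(_wildcard_match(r, resource) for r in resources):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def check_backup_calls(policy: dict) -> dict:
    """Map each call the backup script makes to whether the policy permits it."""
    return {label: is_allowed(policy, action, arn) for label, action, arn in BACKUP_CALLS}


if __name__ == "__main__":
    for name, policy in (("old policy", OLD_POLICY), ("new policy", NEW_POLICY)):
        print(name)
        for label, ok in check_backup_calls(policy).items():
            print(f"  {'ALLOW' if ok else 'DENY '}  {label}")
```

Running it shows `head-bucket` denied under the old policy and allowed under the new one, while the upload is allowed under both; it also confirms the new policy still denies unrelated actions such as `s3:DeleteObject`, which is the least-privilege property worth preserving when you extend the backup account's policy.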
