Configuring an IAM role for S3 Batch Replication - Amazon Simple Storage Service

Configuring an IAM role for S3 Batch Replication

Because Amazon S3 Batch Replication is a type of Batch Operations job, you must create an AWS Identity and Access Management (IAM) role to grant Batch Operations permissions to perform actions on your behalf. You also must attach a Batch Replication IAM policy to the Batch Operations IAM role.

Use the following procedures to create a policy and an IAM role that give Batch Operations permission to initiate a Batch Replication job.

To create a policy for Batch Replication
  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. Under Access management, choose Policies.

  3. Choose Create policy.

  4. On the Specify permissions page, choose JSON.

  5. Insert one of the following policies, depending on whether your manifest is generated by Amazon S3 or you are supplying your own manifest. For more information about manifests, see Specifying a manifest for a Batch Replication job.

    Before using either policy, replace the user input placeholders (amzn-s3-demo-source-bucket, amzn-s3-demo-manifest-bucket, and amzn-s3-demo-completion-report-bucket) with the names of your replication source bucket, manifest bucket, and completion report bucket.

    Note

    Your IAM role for Batch Replication needs different permissions, depending on whether you are generating a manifest or supplying one, so make sure that you choose the appropriate policy from the following examples.

    Policy if using and storing an Amazon S3-generated manifest

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [
                    "s3:InitiateReplication"
                ],
                "Effect": "Allow",
                "Resource": [
                    "arn:aws:s3:::amzn-s3-demo-source-bucket/*"
                ]
            },
            {
                "Action": [
                    "s3:GetReplicationConfiguration",
                    "s3:PutInventoryConfiguration"
                ],
                "Effect": "Allow",
                "Resource": [
                    "arn:aws:s3:::amzn-s3-demo-source-bucket"
                ]
            },
            {
                "Action": [
                    "s3:GetObject",
                    "s3:GetObjectVersion"
                ],
                "Effect": "Allow",
                "Resource": [
                    "arn:aws:s3:::amzn-s3-demo-manifest-bucket/*"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "s3:PutObject"
                ],
                "Resource": [
                    "arn:aws:s3:::amzn-s3-demo-completion-report-bucket/*",
                    "arn:aws:s3:::amzn-s3-demo-manifest-bucket/*"
                ]
            }
        ]
    }

    Policy if using a user-supplied manifest

    { "Version":"2012-10-17", "Statement":[ { "Action":[ "s3:InitiateReplication" ], "Effect":"Allow", "Resource":[ "arn:aws:s3:::amzn-s3-demo-source-bucket/*" ] }, { "Action":[ "s3:GetObject", "s3:GetObjectVersion" ], "Effect":"Allow", "Resource":[ "arn:aws:s3:::amzn-s3-demo-manifest-bucket/*" ] }, { "Effect":"Allow", "Action":[ "s3:PutObject" ], "Resource":[ "arn:aws:s3:::amzn-s3-demo-completion-report-bucket/*" ] } ] }
  6. Choose Next.

  7. Specify a name for the policy, and then choose Create policy.
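The two policies above differ only in the manifest-bucket permissions, and the safety of either one rests on every Resource naming a specific bucket. The following script is an added example (not part of the AWS documentation and not an AWS tool) that substitutes your real bucket names into the page's policy templates and then checks the rendered policy for the scoping properties the page relies on: no wildcard resources, only the three expected buckets, s3:InitiateReplication limited to objects in the source bucket, and no s3:PutObject against the source bucket. The bucket names in the usage call are constructed placeholders.

```python
"""Render and sanity-check the S3 Batch Replication permissions policy.

Added example: substitutes real bucket names into the policy templates shown
on the page and verifies that the result stays scoped to those buckets.
"""
import copy
import json

# Placeholder bucket names used by the policy templates on the page.
PLACEHOLDERS = {
    "source": "amzn-s3-demo-source-bucket",
    "manifest": "amzn-s3-demo-manifest-bucket",
    "report": "amzn-s3-demo-completion-report-bucket",
}

# Every action that either template grants; anything else is a finding.
EXPECTED_ACTIONS = {
    "s3:InitiateReplication",
    "s3:GetReplicationConfiguration",
    "s3:PutInventoryConfiguration",
    "s3:GetObject",
    "s3:GetObjectVersion",
    "s3:PutObject",
}

# Template for an Amazon S3-generated manifest (copied from the page).
GENERATED_MANIFEST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Action": ["s3:InitiateReplication"], "Effect": "Allow",
         "Resource": ["arn:aws:s3:::amzn-s3-demo-source-bucket/*"]},
        {"Action": ["s3:GetReplicationConfiguration", "s3:PutInventoryConfiguration"],
         "Effect": "Allow", "Resource": ["arn:aws:s3:::amzn-s3-demo-source-bucket"]},
        {"Action": ["s3:GetObject", "s3:GetObjectVersion"], "Effect": "Allow",
         "Resource": ["arn:aws:s3:::amzn-s3-demo-manifest-bucket/*"]},
        {"Effect": "Allow", "Action": ["s3:PutObject"],
         "Resource": ["arn:aws:s3:::amzn-s3-demo-completion-report-bucket/*",
                      "arn:aws:s3:::amzn-s3-demo-manifest-bucket/*"]},
    ],
}

# Template for a user-supplied manifest (copied from the page).
USER_MANIFEST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Action": ["s3:InitiateReplication"], "Effect": "Allow",
         "Resource": ["arn:aws:s3:::amzn-s3-demo-source-bucket/*"]},
        {"Action": ["s3:GetObject", "s3:GetObjectVersion"], "Effect": "Allow",
         "Resource": ["arn:aws:s3:::amzn-s3-demo-manifest-bucket/*"]},
        {"Effect": "Allow", "Action": ["s3:PutObject"],
         "Resource": ["arn:aws:s3:::amzn-s3-demo-completion-report-bucket/*"]},
    ],
}

S3_ARN_PREFIX = "arn:aws:s3:::"


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalize to a list."""
    return value if isinstance(value, list) else [value]


def _bucket_of(arn):
    """Return the bucket name in an S3 ARN, or None if it is not an S3 ARN."""
    if not arn.startswith(S3_ARN_PREFIX):
        return None
    return arn[len(S3_ARN_PREFIX):].split("/", 1)[0]


def render_policy(template, buckets):
    """Return a copy of template with placeholder buckets replaced.

    buckets maps "source", "manifest" and "report" to real bucket names.
    Substitution is done per ARN, so a real name that happens to contain a
    placeholder string cannot be rewritten twice.
    """
    name_map = {PLACEHOLDERS[role]: real for role, real in buckets.items()}
    rendered = copy.deepcopy(template)
    for stmt in rendered["Statement"]:
        new_resources = []
        for arn in _as_list(stmt["Resource"]):
            bucket = _bucket_of(arn)
            if bucket is None:
                new_resources.append(arn)
                continue
            suffix = arn[len(S3_ARN_PREFIX + bucket):]  # "" or "/*"
            new_resources.append(S3_ARN_PREFIX + name_map.get(bucket, bucket) + suffix)
        stmt["Resource"] = new_resources
    return rendered


def check_policy(policy, buckets):
    """Return a list of findings; an empty list means the policy is scoped as expected."""
    findings = []
    source = buckets["source"]
    allowed_buckets = set(buckets.values())
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        actions = _as_list(stmt.get("Action", []))
        for action in actions:
            if action not in EXPECTED_ACTIONS:
                findings.append(f"statement {i}: unexpected action {action}")
        for arn in _as_list(stmt.get("Resource", [])):
            bucket = _bucket_of(arn)
            if bucket is None or "*" in bucket:
                findings.append(f"statement {i}: wildcard or non-S3 resource {arn}")
                continue
            if bucket not in allowed_buckets:
                findings.append(f"statement {i}: unexpected bucket {bucket}")
            if "s3:InitiateReplication" in actions and arn != f"{S3_ARN_PREFIX}{source}/*":
                findings.append(f"statement {i}: s3:InitiateReplication must be scoped to {source}/*")
            if "s3:PutObject" in actions and bucket == source:
                findings.append(f"statement {i}: s3:PutObject must not target the source bucket")
    return findings


if __name__ == "__main__":
    # Constructed bucket names for illustration only.
    my_buckets = {"source": "my-source", "manifest": "my-manifest", "report": "my-reports"}
    policy = render_policy(GENERATED_MANIFEST_POLICY, my_buckets)
    print(json.dumps(policy, indent=2))
    print("findings:", check_policy(policy, my_buckets))
```

Paste the printed JSON into the console's JSON editor in step 5; an empty findings list means the rendered policy still matches the shape of the template. Running the check again on any later edit to the policy catches the common drift of widening a Resource to "*" or granting write access to the source bucket.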

To create an IAM role for Batch Replication
  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. Under Access management, choose Roles.

  3. Choose Create role.

  4. Choose AWS service as the type of trusted entity. In the Use case section, choose S3 as the service, and S3 Batch Operations as the use case.

  5. Choose Next. The Add permissions page appears. In the search box, search for the policy that you created in the preceding procedure. Select the checkbox next to the policy name, then choose Next.

  6. On the Name, review, and create page, specify a name for your IAM role.

  7. In the Step 1: Trust identities section, verify that your IAM role is using the following trust policy:

    { "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Principal":{ "Service":"batchoperations.s3.amazonaws.com" }, "Action":"sts:AssumeRole" } ] }
  8. In the Step 2: Add permissions section, verify that your IAM role is using the policy that you created earlier.

  9. Choose Create role.
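Step 7 asks you to verify the trust policy by eye. The script below is an added example (not part of the AWS documentation and not an AWS tool) that performs the same verification on the trust policy JSON: the only principal allowed to assume the role must be the batchoperations.s3.amazonaws.com service principal, and the only action must be sts:AssumeRole. The second policy in the usage call is a constructed bad example used to show what a finding looks like.

```python
"""Verify that a role's trust policy only lets S3 Batch Operations assume it.

Added example: checks the trust policy shown in step 7 of the page for the
properties that make it safe to attach to the Batch Replication role.
"""
import json

BATCH_OPERATIONS_PRINCIPAL = "batchoperations.s3.amazonaws.com"

# Trust policy from the page, as the console shows it.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Service": BATCH_OPERATIONS_PRINCIPAL},
            "Action": "sts:AssumeRole",
        }
    ],
}


def _as_list(value):
    """IAM allows a string or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy):
    """Return a list of findings; an empty list means only Batch Operations can assume the role."""
    findings = []
    statements = _as_list(policy.get("Statement", []))
    if not statements:
        findings.append("trust policy has no statements")
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow who can assume the role
        principal = stmt.get("Principal")
        # "Principal": "*" or {"AWS": "*"} would let any caller assume the role.
        if principal == "*" or (isinstance(principal, dict)
                                and "*" in _as_list(principal.get("AWS", []))):
            findings.append(f"statement {i}: principal allows any caller")
            continue
        if not isinstance(principal, dict):
            findings.append(f"statement {i}: malformed principal {principal!r}")
            continue
        for kind, values in principal.items():
            if kind != "Service":
                findings.append(f"statement {i}: non-service principal type {kind}")
                continue
            for service in _as_list(values):
                if service != BATCH_OPERATIONS_PRINCIPAL:
                    findings.append(f"statement {i}: unexpected service principal {service}")
        for action in _as_list(stmt.get("Action", [])):
            if action != "sts:AssumeRole":
                findings.append(f"statement {i}: unexpected action {action}")
    return findings


def check_trust_policy_json(text):
    """Convenience wrapper for JSON copied out of the console editor."""
    return check_trust_policy(json.loads(text))


if __name__ == "__main__":
    print("page trust policy:", check_trust_policy(TRUST_POLICY))
    # Constructed bad example: a trust policy widened to any AWS principal.
    widened = json.dumps({
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"},
                       "Action": "sts:AssumeRole"}],
    })
    print("widened trust policy:", check_trust_policy_json(widened))
```

The check deliberately ignores the Version field and any Condition block: a condition can only restrict an Allow further, so its absence never makes the policy broader than the one on the page, and its presence never makes it narrower than the check requires.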