IAM configuration to access jgit on S3

Question

I am trying to create IAM permissions so jgit can access a directory in one of my buckets.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": ["arn:aws:s3:::<mybucket>/<mydir>/*"]   
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject"
      ],
      "Resource": ["arn:aws:s3:::<mybucket>/<mydir>"]
    }
  ]  
}

Unfortunately it throws an error. I am not sure what other allow actions need to happen for this to work. (A little new at IAM).

Caused by: java.io.IOException: Reading of '<mydir>/packed-refs' failed: 403 Forbidden
    at org.eclipse.jgit.transport.AmazonS3.error(AmazonS3.java:519)
    at org.eclipse.jgit.transport.AmazonS3.get(AmazonS3.java:289)
    at org.eclipse.jgit.transport.TransportAmazonS3$DatabaseS3.open(TransportAmazonS3.java:284)
    at org.eclipse.jgit.transport.WalkRemoteObjectDatabase.openReader(WalkRemoteObjectDatabase.java:365)
    at org.eclipse.jgit.transport.WalkRemoteObjectDatabase.readPackedRefs(WalkRemoteObjectDatabase.java:423)
    ... 13 more
Caused by: java.io.IOException:
<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>...</RequestId><HostId>...</HostId></Error>
    at org.eclipse.jgit.transport.AmazonS3.error(AmazonS3.java:538)
    ... 17 more

The 403 Forbidden is obviously the error but not sure what needs to be added to the IAM. Any ideas?

[Should have added, too, that I tried this out in the policy simulator and it appeared to work there.]

Answer 1

The "403" error may simply mean that the key <mydir>/packed-refs doesn't exist. According to https://forums.aws.amazon.com/thread.jspa?threadID=56531:

Amazon S3 will return an AccessDenied error when a nonexistent key is requested and the requester is not allowed to list the contents of the bucket.

If you're pushing for the first time, that folder might not exist, and I'm guessing you would need ListBucket privileges on the parent directory to get the proper NoSuchKey response. Try changing that first statement to:

{
  "Effect": "Allow",
  "Action": ["s3:ListBucket"],
  "Resource": ["arn:aws:s3:::<mybucket>/*"]   
}

I also noticed that jgit push s3 refs/heads/master worked when jgit push s3 master did not.

To future folk: if all you want to do is to set up a git repos bucket with its own user, the following security policy seems to be good enough:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::<bucketname>"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::<bucketname>/*"
            ]
        }
    ]
}