From 061c2a07994d42f622f75bb7ad36d0998e3deb7e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andreas=20Lindh=C3=A9?= <7773090+lindhe@users.noreply.github.com>
Date: Mon, 26 Jan 2026 16:58:17 +0100
Subject: [PATCH 1/2] Document required S3 bucket policy
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Andreas Lindhé <7773090+lindhe@users.noreply.github.com>
---
 web/docs/object_stores.md | 39 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)

diff --git a/web/docs/object_stores.md b/web/docs/object_stores.md
index 433e9b8..04189c5 100644
--- a/web/docs/object_stores.md
+++ b/web/docs/object_stores.md
@@ -129,6 +129,45 @@ These strategies help you safeguard backups without requiring broad delete permissions, ensuring both security and compliance with minimal operational overhead. +### S3 Lifecycle Policy + +Barman Cloud requires the following permissions in the S3 bucket: + +- [`s3:AbortMultipartUpload`](https://docs.aws.amazon.com/AmazonS3/latest/API/API_AbortMultipartUpload.html) +- [`s3:CreateBucket`](https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateBucket.html) +- [`s3:DeleteObject`](https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteObject.html) +- [`s3:GetObject`](https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObject.html) +- [`s3:ListBucket`](https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListBuckets.html) +- [`s3:PutObject`](https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutObject.html) + +Here's an example of what such a bucket policy may look like: + +```json +{ + "Statement": [ + { + "Action": [ + "s3:AbortMultipartUpload", + "s3:CreateBucket", + "s3:DeleteObject", + "s3:GetObject", + "s3:ListBucket", + "s3:PutObject" + ], + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::123456789012:user/MaryMajor" + }, + "Resource": [ + "arn:aws:s3:::amzn-s3-demo-bucket1", + "arn:aws:s3:::amzn-s3-demo-bucket1/*" + ], + "Sid": "statement1", + } + ], + "Version":"2012-10-17" +} +``` ### S3-Compatible Storage Providers
From 1aa39f2157957224a4c8e7a68161922e6dbc0117 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andreas=20Lindh=C3=A9?= <7773090+lindhe@users.noreply.github.com>
Date: Thu, 29 Jan 2026 20:17:11 +0100
Subject: [PATCH 2/2] Trim AbortMultipartUpload and CreateBucket from the list
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Andreas Lindhé <7773090+lindhe@users.noreply.github.com>
---
 web/docs/object_stores.md | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/web/docs/object_stores.md b/web/docs/object_stores.md
index 04189c5..275fb6a 100644
--- a/web/docs/object_stores.md
+++ b/web/docs/object_stores.md
@@ -133,8 +133,6 @@ overhead.
 
 Barman Cloud requires the following permissions in the S3 bucket:
 
-- [`s3:AbortMultipartUpload`](https://docs.aws.amazon.com/AmazonS3/latest/API/API_AbortMultipartUpload.html)
-- [`s3:CreateBucket`](https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateBucket.html)
 - [`s3:DeleteObject`](https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteObject.html)
 - [`s3:GetObject`](https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObject.html)
 - [`s3:ListBucket`](https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListBuckets.html)
@@ -147,8 +145,6 @@ Here's an example of what such a bucket policy may look like:
 "Statement": [
 {
 "Action": [
- "s3:AbortMultipartUpload",
- "s3:CreateBucket",
 "s3:DeleteObject",
 "s3:GetObject",
 "s3:ListBucket",