From 9383cf828b73baae1fe4df7aae9f200220b490bc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andreas=20Lindh=C3=A9?= <7773090+lindhe@users.noreply.github.com> Date: Mon, 26 Jan 2026 16:58:17 +0100 Subject: [PATCH 1/3] Document required S3 bucket policy MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Andreas Lindhé <7773090+lindhe@users.noreply.github.com> --- web/docs/object_stores.md | 40 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) diff --git a/web/docs/object_stores.md b/web/docs/object_stores.md index 11b1ff8c..d756872c 100644 --- a/web/docs/object_stores.md +++ b/web/docs/object_stores.md 
@@ -129,6 +129,46 @@ These strategies help you safeguard backups without requiring broad delete permissions, ensuring both security and compliance with minimal operational overhead. +### S3 Lifecycle Policy + +Barman Cloud requires the following permissions in the S3 bucket: + +- [`s3:AbortMultipartUpload`](https://docs.aws.amazon.com/AmazonS3/latest/API/API_AbortMultipartUpload.html) +- [`s3:CreateBucket`](https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateBucket.html) +- [`s3:DeleteObject`](https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteObject.html) +- [`s3:GetObject`](https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObject.html) +- [`s3:ListBucket`](https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListBuckets.html) +- [`s3:PutObject`](https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutObject.html) + +Here's an example of what such a bucket policy may look like: + +```json +{ + "Statement": [ + { + "Action": [ + "s3:AbortMultipartUpload", + "s3:CreateBucket", + "s3:DeleteObject", + "s3:GetObject", + "s3:ListBucket", + "s3:PutObject" + ], + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::123456789012:user/MaryMajor" + }, + "Resource": [ + "arn:aws:s3:::amzn-s3-demo-bucket1", + "arn:aws:s3:::amzn-s3-demo-bucket1/*" + ], + "Sid": "statement1", + } + ], + "Version":"2012-10-17" +} +``` + ### S3-Compatible Storage Providers You can use S3-compatible services like **MinIO**, **Linode (Akamai) Object Storage**, From 81efbc50ff1db609c107799b9561a179f8366110 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andreas=20Lindh=C3=A9?= <7773090+lindhe@users.noreply.github.com> Date: Thu, 29 Jan 2026 20:17:11 +0100 Subject: [PATCH 2/3] Trim AbortMultipartUpload and CreateBucket from the list MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Andreas Lindhé <7773090+lindhe@users.noreply.github.com> --- web/docs/object_stores.md | 4 ---- 1 file changed, 4 deletions(-) 
diff --git a/web/docs/object_stores.md b/web/docs/object_stores.md index d756872c..cfbc67a6 100644 --- a/web/docs/object_stores.md +++ b/web/docs/object_stores.md @@ -133,8 +133,6 @@ overhead. Barman Cloud requires the following permissions in the S3 bucket: -- [`s3:AbortMultipartUpload`](https://docs.aws.amazon.com/AmazonS3/latest/API/API_AbortMultipartUpload.html) -- [`s3:CreateBucket`](https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateBucket.html) - [`s3:DeleteObject`](https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteObject.html) - [`s3:GetObject`](https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObject.html) - [`s3:ListBucket`](https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListBuckets.html) @@ -147,8 +145,6 @@ Here's an example of what such a bucket policy may look like: "Statement": [ { "Action": [ - "s3:AbortMultipartUpload", - "s3:CreateBucket", "s3:DeleteObject", "s3:GetObject", "s3:ListBucket", From 313b5cc2026374ef93c4ed7054f7b23cd82ec3ab Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andreas=20Lindh=C3=A9?= <7773090+lindhe@users.noreply.github.com> Date: Fri, 30 Jan 2026 15:39:55 +0100 Subject: [PATCH 3/3] Add permissions for Multipart uploads MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Andreas Lindhé <7773090+lindhe@users.noreply.github.com> --- web/docs/object_stores.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/web/docs/object_stores.md b/web/docs/object_stores.md index cfbc67a6..773c4b1b 100644 --- a/web/docs/object_stores.md +++ b/web/docs/object_stores.md 
@@ -133,9 +133,12 @@ overhead. Barman Cloud requires the following permissions in the S3 bucket: +- [`s3:AbortMultipartUpload`](https://docs.aws.amazon.com/AmazonS3/latest/API/API_AbortMultipartUpload.html) - [`s3:DeleteObject`](https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteObject.html) - [`s3:GetObject`](https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObject.html) +- [`s3:ListBucketMultipartUploads`](https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListMultipartUploads.html) - [`s3:ListBucket`](https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListBuckets.html) +- [`s3:ListMultipartUploadParts`](https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListParts.html) - [`s3:PutObject`](https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutObject.html) Here's an example of what such a bucket policy may look like: @@ -145,9 +148,12 @@ Here's an example of what such a bucket policy may look like: "Statement": [ { "Action": [ + "s3:AbortMultipartUpload", "s3:DeleteObject", "s3:GetObject", "s3:ListBucket", + "s3:ListBucketMultipartUploads", + "s3:ListMultipartUploadParts", "s3:PutObject" ], "Effect": "Allow",
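Review bot: In PATCH 1/3, the JSON example has a trailing comma after `"Sid": "statement1",`, the last member of the statement object, so the block is not valid JSON and strict parsers will reject it when it is copied; drop the comma. The heading `### S3 Lifecycle Policy` does not match the content or the commit subject ("Document required S3 bucket policy"): lifecycle configuration is a separate S3 feature for expiring and transitioning objects, so a heading such as `### S3 Bucket Policy` would be clearer. The `s3:ListBucket` link targets `API_ListBuckets.html`, which documents listing all buckets in an account (governed by `s3:ListAllMyBuckets`); the operation that `s3:ListBucket` authorizes is ListObjectsV2. The context paragraph just above speaks of not requiring broad delete permissions, while the new list presents `s3:DeleteObject` as required without qualification; say when it is needed.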
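Review bot: The commit message of PATCH 2/3 gives no reason for dropping `s3:AbortMultipartUpload` from the list and the example, and PATCH 3/3 adds it straight back, so this intermediate commit documents a permission set that the series itself then corrects. Squash 2/3 into 3/3, or state in the message why `s3:CreateBucket` (the only removal that survives) is not needed, so the history explains the final list.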
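Review bot: In the list hunk of PATCH 3/3, `s3:ListBucketMultipartUploads` is inserted before `s3:ListBucket`, while the JSON example in the same patch puts `s3:ListBucket` first; keep one order (alphabetical, as the JSON has it) so the list and the policy are easy to compare line by line. The three multipart entries are also added with no text on when they apply; one sentence saying they are needed for multipart uploads would let an operator reviewing the policy see why the backup principal gets list and abort rights on in-progress uploads.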
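Review bot: In the JSON hunk of PATCH 3/3, the `Action` array mixes bucket-level actions (`s3:ListBucket`, `s3:ListBucketMultipartUploads`) with object-level ones (`s3:GetObject`, `s3:PutObject`, `s3:DeleteObject`, `s3:AbortMultipartUpload`, `s3:ListMultipartUploadParts`) in the single statement from PATCH 1/3, whose `Resource` lists both the bucket ARN and the `/*` object ARN. It works, but an example that readers will copy is better split into two statements, bucket-level actions on `arn:aws:s3:::amzn-s3-demo-bucket1` and object-level actions on `arn:aws:s3:::amzn-s3-demo-bucket1/*`, so each grant is scoped to the resource type it applies to.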