Configuring an IAM role for S3 Batch Replication - Amazon Simple Storage Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Configuring an IAM role for S3 Batch Replication

Because Amazon S3 Batch Replication is a type of Batch Operations job, you must create an Amazon Identity and Access Management (IAM) role to grant Batch Operations permissions to perform actions on your behalf. You also must attach a Batch Replication IAM policy to the Batch Operations IAM role.

Use the following procedures to create a policy and an IAM role that give Batch Operations permission to initiate a Batch Replication job.

To create a policy for Batch Replication
  1. Sign in to the Amazon Web Services Management Console and open the IAM console at https://console.amazonaws.cn/iam/.

  2. Under Access management, choose Policies.

  3. Choose Create policy.

  4. On the Specify permissions page, choose JSON.

  5. Insert one of the following policies, depending on whether your manifest is generated by Amazon S3 or whether you are supplying your own manifest. For more information about manifests, see Specifying a manifest for a Batch Replication job.

    Before using these policies, replace the user input placeholders in the following policies with the names of your replication source bucket, manifest bucket, and completion report bucket.

    Note

    Your IAM role for Batch Replication needs different permissions, depending on whether you are generating a manifest or supplying one, so make sure that you choose the appropriate policy from the following examples.

    Policy if using and storing an Amazon S3 generated manifest

    { "Version":"2012-10-17", "Statement":[ { "Action":[ "s3:InitiateReplication" ], "Effect":"Allow", "Resource":[ "arn:aws-cn:s3:::amzn-s3-demo-source-bucket/*" ] }, { "Action":[ "s3:GetReplicationConfiguration", "s3:PutInventoryConfiguration" ], "Effect":"Allow", "Resource":[ "arn:aws-cn:s3:::amzn-s3-demo-source-bucket" ] }, { "Action":[ "s3:GetObject", "s3:GetObjectVersion" ], "Effect":"Allow", "Resource":[ "arn:aws-cn:s3:::amzn-s3-demo-manifest-bucket/*" ] }, { "Effect":"Allow", "Action":[ "s3:PutObject" ], "Resource":[ "arn:aws-cn:s3:::amzn-s3-demo-completion-report-bucket/*", "arn:aws-cn:s3:::amzn-s3-demo-manifest-bucket/*" ] } ] }

    Policy if using a user-supplied manifest

    { "Version":"2012-10-17", "Statement":[ { "Action":[ "s3:InitiateReplication" ], "Effect":"Allow", "Resource":[ "arn:aws-cn:s3:::amzn-s3-demo-source-bucket/*" ] }, { "Action":[ "s3:GetObject", "s3:GetObjectVersion" ], "Effect":"Allow", "Resource":[ "arn:aws-cn:s3:::amzn-s3-demo-manifest-bucket/*" ] }, { "Effect":"Allow", "Action":[ "s3:PutObject" ], "Resource":[ "arn:aws-cn:s3:::amzn-s3-demo-completion-report-bucket/*" ] } ] }
  6. Choose Next.

  7. Specify a name for the policy, and then choose Create policy.

To create an IAM role for Batch Replication
  1. Sign in to the Amazon Web Services Management Console and open the IAM console at https://console.amazonaws.cn/iam/.

  2. Under Access management, choose Roles.

  3. Choose Create role.

  4. Choose Amazon Web Services service as the type of trusted entity. In the Use case section, choose S3 as the service, and S3 Batch Operations as the use case.

  5. Choose Next. The Add permissions page appears. In the search box, search for the policy that you created in the preceding procedure. Select the checkbox next to the policy name, then choose Next.

  6. On the Name, review, and create page, specify a name for your IAM role.

  7. In the Step 1: Trust identities section, verify that your IAM role is using the following trust policy:

    { "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Principal":{ "Service":"batchoperations.s3.amazonaws.com" }, "Action":"sts:AssumeRole" } ] }
  8. In the Step 2: Add permissions section, verify that your IAM role is using the policy that you created earlier.

  9. Choose Create role.