AWS S3 Request Fails with credentials obtained from TVM Client


In my iOS app I recently changed the AWS iOS Library to 1.7.0 (from 1.6.0), which supports resuming/pausing multipart upload. As a result, all file uploads greater than 5MB that use temporary AWS credentials obtained from TVM fail. (Original credentials work without any problem.) The error is HTTP: 403, S3 Error Code: AccessDenied.

The request that fails is this one: GET https://s3.amazonaws.com/<my.bucket.name>/?uploads. I am not sure what this request is for or why there is a permission issue, because my TVM get_federation_token has GET and PUT access.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": ["s3:PutObject", "s3:GetObject"],
      "Resource": ["arn:aws:s3:::my.bucket.name/*"],
      "Effect": "Allow"
    }
  ]
}

The uploads are happening to the location /<my.bucket.name>/. Any idea what is going on?

Thanks

Answer by Bob Kinney (accepted answer)

UPDATE: The initial policy I posted was incorrect; s3:ListBucketMultipartUploads is only effective on the bucket.

The S3TransferManager uses multipart uploads for files over 5MB, so you will need to include operations necessary for multipart uploads in your TVM policy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "s3:ListBucketMultipartUploads",
      "Resource": "arn:aws:s3:::my.bucket.name",
      "Effect": "Allow"
    },
    {
      "Action": ["s3:PutObject", "s3:GetObject", "s3:ListMultipartUploadParts", "s3:AbortMultipartUpload"],
      "Resource": ["arn:aws:s3:::my.bucket.name/*"],
      "Effect": "Allow"
    }
  ]
}
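As an added example (not code from the question or the answer above), the following Python script models which S3 request of a resumable multipart upload needs which IAM action on which ARN, and evaluates the question's policy, the answer's corrected policy, and the misplaced variant the UPDATE warns about (the bucket-level action granted on the object ARN pattern). The bucket name and object key are placeholders, and the evaluator is a deliberately simplified IAM model: default deny, explicit Deny wins, no Condition support, case-sensitive wildcard matching via fnmatch.

```python
import fnmatch

# Constructed placeholders, not values from a real account.
BUCKET = "my.bucket.name"
KEY = "uploads/big-video.mov"

# Policy from the question: object-level GET/PUT only.
ORIGINAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Action": ["s3:PutObject", "s3:GetObject"],
         "Resource": [f"arn:aws:s3:::{BUCKET}/*"], "Effect": "Allow"}
    ],
}

# Policy from the accepted answer: bucket-level listing of in-progress
# multipart uploads, plus part listing and abort on the objects.
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Action": "s3:ListBucketMultipartUploads",
         "Resource": f"arn:aws:s3:::{BUCKET}", "Effect": "Allow"},
        {"Action": ["s3:PutObject", "s3:GetObject",
                    "s3:ListMultipartUploadParts", "s3:AbortMultipartUpload"],
         "Resource": [f"arn:aws:s3:::{BUCKET}/*"], "Effect": "Allow"},
    ],
}

# The mistake the answer's UPDATE corrects: the bucket-level action is
# granted on the object ARN pattern, which never matches the bucket ARN.
MISPLACED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Action": ["s3:PutObject", "s3:GetObject", "s3:ListBucketMultipartUploads",
                    "s3:ListMultipartUploadParts", "s3:AbortMultipartUpload"],
         "Resource": [f"arn:aws:s3:::{BUCKET}/*"], "Effect": "Allow"}
    ],
}


def multipart_upload_requests(bucket, key):
    """Requests a resumable multipart upload issues, each paired with the IAM
    action it requires and the ARN it is authorised against (bucket vs object)."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    object_arn = f"{bucket_arn}/{key}"
    return [
        ("GET /?uploads (list in-progress uploads)", "s3:ListBucketMultipartUploads", bucket_arn),
        (f"POST /{key}?uploads (initiate)", "s3:PutObject", object_arn),
        (f"PUT /{key}?partNumber=1&uploadId=... (upload part)", "s3:PutObject", object_arn),
        (f"GET /{key}?uploadId=... (list parts when resuming)", "s3:ListMultipartUploadParts", object_arn),
        (f"POST /{key}?uploadId=... (complete)", "s3:PutObject", object_arn),
        (f"DELETE /{key}?uploadId=... (abort)", "s3:AbortMultipartUpload", object_arn),
    ]


def _as_list(value):
    # IAM accepts a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource):
    """Simplified IAM evaluation: default deny; a matching Deny wins; otherwise
    allowed if some statement matches both the action and the resource.
    IAM's '*' and '?' wildcards are mapped onto fnmatch (case-sensitive here)."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
        resource_hit = any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def denied_requests(policy, bucket, key):
    """Return the (request, action, arn) triples the policy would reject."""
    return [(req, action, arn)
            for req, action, arn in multipart_upload_requests(bucket, key)
            if not is_allowed(policy, action, arn)]


if __name__ == "__main__":
    for name, policy in [("original", ORIGINAL_POLICY), ("misplaced", MISPLACED_POLICY), ("fixed", FIXED_POLICY)]:
        denied = denied_requests(policy, BUCKET, KEY)
        print(f"{name}: {len(denied)} denied request(s)")
        for req, action, arn in denied:
            print(f"  {req} needs {action} on {arn}")
```

Running it shows the first denied request under the original policy is exactly the `GET /?uploads` call from the question, and that moving `s3:ListBucketMultipartUploads` onto the `/*` object pattern still leaves it denied, because the bucket ARN has no trailing slash and so never matches.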