Unexplained error setting up policy for S3 Cross-Region Replication

0

Hi, I'm following the instructions on this page for setting up the roles for CRR: https://docs.aws.amazon.com/AmazonS3/latest/dev/setting-repl-config-perm-overview.html

I have a role (we'll call it ReplRole) with the exact trust policy listed on that page, and an access policy that looks like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetReplicationConfiguration",
                "s3:ListBucket",
                "s3:GetObjectVersion",
                "s3:GetObjectVersionAcl",
                "s3:GetObjectVersionTagging",
                "s3:ReplicateObject",
                "s3:ReplicateDelete",
                "s3:ReplicateTags"
            ],
            "Resource": [
                "arn:aws:s3:::our-s3-bucket-prefix-*",
                "arn:aws:s3:::our-s3-bucket-prefix-*/*"
            ]
        }
    ]
}

It doesn't look exactly like the policy provided, but the main difference is that I use wildcards for the resources specified. I also group the actions together. But if I understand IAM access policies correctly, this should suffice for the purpose.

S3 allows me to create the Cross-Region Replication rule, but then I get this error message:
The CRR rule is saved, but it might not work.
There was an error with setting up the IAM policy for the selected IAM role GobsCrossRegionReplicationRole. Ensure that you have set up the correct policy, or select another role.

What did I do wrong?

jamp
asked 5 years ago, 279 views
1 Answer
0

What I found was that the cross-region replication was actually working, despite the error message. When I checked back the next morning, the objects were successfully replicated to the backup bucket.

jamp
answered 5 years ago
