S3 IAM Bucket Policy for Quay Enterprise

Solution Verified - Updated

Environment

  • Red Hat Quay 2.9
  • AWS S3

Issue

Invalid storage configuration error while configuring S3 as registry storage in Quay Enterprise.

- Invalid storage configuration: default: S3ResponseError: 403 Forbidden
- Invalid storage configuration: default:  Name or service not known

Resolution

The following is the minimum bucket policy required to use S3 as the storage engine for Quay Enterprise. Note that the two statements target different resources: bucket-level actions (listing, location, multipart listing, CORS) are granted on the bucket ARN, while object-level actions are granted on bucket-name/*. An object-level action granted only on the bucket ARN has no effect, and Quay's first write will still fail with 403 Forbidden.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::AWS-account-ID:root"
            },
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation",
                "s3:ListBucketMultipartUploads",
                "s3:PutBucketCORS"
            ],
            "Resource": "arn:aws:s3:::bucket-name"
        },
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::AWS-account-ID:root"
            },
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject",
                "s3:ListMultipartUploadParts",
                "s3:AbortMultipartUpload"
            ],
            "Resource": "arn:aws:s3:::bucket-name/*"
        }
    ]
}

Note: replace bucket-name with the name of the bucket and AWS-account-ID with the 12-digit ID of the account that owns the access key configured in Quay (visible on the individual user's page under Users in the IAM console). The principal can be either the whole AWS account or a single IAM user:

  • For the account, use the account root principal:
"Principal": {"AWS": "arn:aws:iam::AWS-account-ID:root"}
  • For an IAM user, name that user:
"Principal": { "AWS": "arn:aws:iam::AWS-account-ID:user/username" }

The root form delegates access to every IAM identity in that account whose own IAM policy also allows these actions; naming the dedicated IAM user that Quay authenticates with is the least-privilege choice.
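The following checker is an added example for this solution, not Red Hat's or Quay's code. It models just enough of IAM bucket-policy evaluation to answer one question before you restart Quay: does the policy grant the configured principal every action in the minimum policy above, on the right resource? The account ID 123456789012, the user name quay and the bucket name are constructed placeholders; Conditions and the principal's identity-based policies are assumed out of scope.

```python
"""Check an S3 bucket policy for the permissions Quay needs."""
import fnmatch
import json

# Actions from the solution's first statement: must be allowed on arn:aws:s3:::bucket
BUCKET_ACTIONS = {"s3:ListBucket", "s3:GetBucketLocation",
                  "s3:ListBucketMultipartUploads", "s3:PutBucketCORS"}
# Actions from the second statement: must be allowed on arn:aws:s3:::bucket/*
OBJECT_ACTIONS = {"s3:PutObject", "s3:GetObject", "s3:DeleteObject",
                  "s3:ListMultipartUploadParts", "s3:AbortMultipartUpload"}


def _as_list(value):
    """Policy fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _account_of(arn):
    """Account ID field of an IAM ARN ('' if the ARN is malformed)."""
    parts = arn.split(":")
    return parts[4] if len(parts) >= 6 else ""


def _principal_matches(principal, arn):
    """True if a statement's Principal covers `arn`."""
    if principal == "*":
        return True
    if not isinstance(principal, dict):
        return False
    for entry in _as_list(principal.get("AWS")):
        if entry == "*" or entry == arn:
            return True
        if entry.isdigit():  # a bare account ID is shorthand for ...:root
            entry = f"arn:aws:iam::{entry}:root"
        # The account root principal delegates to every IAM identity in that
        # account; those identities still need an identity-based Allow, which
        # this checker does not verify.
        if entry.endswith(":root") and _account_of(entry) == _account_of(arn):
            return True
    return False


def _allowed(policy, principal_arn, resource):
    """Required actions the policy allows on `resource`; explicit Deny wins."""
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement")):
        if not _principal_matches(stmt.get("Principal"), principal_arn):
            continue
        # Resource and Action use '*'/'?' wildcards; action names are case-insensitive.
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource"))):
            continue
        patterns = [p.lower() for p in _as_list(stmt.get("Action"))]
        hits = {a for a in BUCKET_ACTIONS | OBJECT_ACTIONS
                if any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns)}
        (allowed if stmt.get("Effect") == "Allow" else denied).update(hits)
    return allowed - denied


def missing_quay_permissions(policy, bucket, principal_arn):
    """Map each resource Quay touches to the required actions the policy
    does not grant. An empty dict means the minimum policy is satisfied."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    bucket_arn = f"arn:aws:s3:::{bucket}"
    missing = {}
    gap = BUCKET_ACTIONS - _allowed(policy, principal_arn, bucket_arn)
    if gap:
        missing[bucket_arn] = sorted(gap)
    # Probe with a concrete object key so only patterns covering objects match.
    gap = OBJECT_ACTIONS - _allowed(policy, principal_arn, bucket_arn + "/probe")
    if gap:
        missing[bucket_arn + "/*"] = sorted(gap)
    return missing


# Constructed samples: the account ID and user name are placeholders.
ACCOUNT = "123456789012"
ROOT = {"AWS": f"arn:aws:iam::{ACCOUNT}:root"}
GOOD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": ROOT, "Action": sorted(BUCKET_ACTIONS),
     "Resource": "arn:aws:s3:::bucket-name"},
    {"Effect": "Allow", "Principal": ROOT, "Action": sorted(OBJECT_ACTIONS),
     "Resource": "arn:aws:s3:::bucket-name/*"},
]}
# A common mistake: every action on the bucket ARN only. Bucket-level calls
# succeed, but Quay's first PutObject still fails with 403 Forbidden.
BAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": ROOT,
     "Action": sorted(BUCKET_ACTIONS | OBJECT_ACTIONS),
     "Resource": "arn:aws:s3:::bucket-name"},
]}

if __name__ == "__main__":
    user = f"arn:aws:iam::{ACCOUNT}:user/quay"
    print("good:", missing_quay_permissions(GOOD_POLICY, "bucket-name", user))
    print("bad: ", missing_quay_permissions(BAD_POLICY, "bucket-name", user))
```

Run it against the policy you are about to apply (json.loads of the file works as the first argument) with the ARN of the IAM user whose keys are in Quay's storage configuration; a non-empty result names the resource and the actions that would produce the 403 Forbidden above.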

Root Cause

Minimum permissions on the S3 bucket are required in order for Quay Enterprise to be able to use it as a storage engine. A 403 Forbidden means the bucket policy (or the IAM policy of the principal whose keys Quay uses) does not grant one of the actions above on the resource Quay is accessing. The "Name or service not known" error is a hostname resolution failure for the configured S3 endpoint rather than a permissions problem, so verify the S3 host in Quay's storage configuration before adjusting the policy.


This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.