Clarify what IAM permissions should be used for buckets in AWS

Problem to solve

Our documentation is inconsistent when it comes to the IAM permissions required for object storage with AWS:

  • the page IAM Permissions only lists s3:PutObject, s3:GetObject, s3:DeleteObject
  • the page uploading backups to AWS is missing s3:DeleteObject but has a lot of other permissions like s3:AbortMultipartUpload, s3:GetBucketAcl, s3:GetBucketLocation, s3:GetObjectAcl, s3:ListBucketMultipartUploads, s3:PutObjectAcl, s3:GetBucketLocation, s3:ListAllMyBuckets, s3:ListBucket
  • the page Create an IAM Policy mentions s3:PutObject, s3:GetObject, s3:DeleteObject, s3:PutObjectAcl, s3:ListBucket, s3:AbortMultipartUpload, s3:ListMultipartUploadParts, s3:ListBucketMultipartUploads

Proposal

It would be great to clarify the required set of permissions needed to use GitLab with AWS object storage and make it uniform across the docs.

Further details

This issue is inspired by an internal Zendesk ticket. In the ticket, the customer experienced the following error when trying to use uploads with object storage:

Excon::Error::Forbidden (Expected(200) <=> Actual(403 Forbidden)
excon.error.response
  :body          => "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>some_request_id</RequestId><HostId>encrypted_host_id</HostId></Error>"
  ...
  :status_line   => "HTTP/1.1 403 Forbidden\r\n"):

Setting permissions according to the doc Create an IAM Policy helped to fix it.
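As an added illustration (not part of this issue or of GitLab's documentation), the script below takes the three permission lists quoted above exactly as this issue states them, reports which actions each page leaves out relative to their union, and emits a single policy in which every action is granted on the resource type AWS evaluates it against: bucket-level actions such as s3:ListBucket on the bucket ARN, object actions on the bucket/* ARN, and s3:ListAllMyBuckets on "*". It also flags mis-scoped policies, since granting a bucket-level action only on an object ARN is one common way to get an AccessDenied like the one in the ticket even though the action is listed. The bucket name, statement Sids and the per-page sets (the backup page set is only what the issue quotes) are assumptions made for the example.

```python
import json

# The three permission sets as quoted in this issue from the docs pages.
# For the backup page the issue only names the "other" permissions it lists,
# so that set contains exactly what the issue quotes and nothing more.
IAM_PERMISSIONS_PAGE = {"s3:PutObject", "s3:GetObject", "s3:DeleteObject"}
BACKUP_PAGE = {
    "s3:AbortMultipartUpload", "s3:GetBucketAcl", "s3:GetBucketLocation",
    "s3:GetObjectAcl", "s3:ListBucketMultipartUploads", "s3:PutObjectAcl",
    "s3:ListAllMyBuckets", "s3:ListBucket",
}
CREATE_POLICY_PAGE = {
    "s3:PutObject", "s3:GetObject", "s3:DeleteObject", "s3:PutObjectAcl",
    "s3:ListBucket", "s3:AbortMultipartUpload", "s3:ListMultipartUploadParts",
    "s3:ListBucketMultipartUploads",
}

# How AWS scopes each action: bucket-level actions are evaluated against the
# bucket ARN, account-level ones need Resource "*", and every other S3 action
# here is evaluated against an object ARN (bucket/*). A policy that lists the
# right action on the wrong resource type still yields AccessDenied.
BUCKET_LEVEL = {"s3:ListBucket", "s3:GetBucketLocation", "s3:GetBucketAcl",
                "s3:ListBucketMultipartUploads"}
ACCOUNT_LEVEL = {"s3:ListAllMyBuckets"}


def union_of_documented_actions():
    """All actions named by any of the three pages, sorted."""
    return sorted(IAM_PERMISSIONS_PAGE | BACKUP_PAGE | CREATE_POLICY_PAGE)


def actions_missing_from(page_actions, reference):
    """Actions in `reference` that a given docs page does not mention."""
    return sorted(set(reference) - set(page_actions))


def build_policy(bucket, actions):
    """Policy granting each action only on the resource type AWS expects."""
    actions = set(actions)
    groups = [
        ("BucketLevel", sorted(actions & BUCKET_LEVEL), f"arn:aws:s3:::{bucket}"),
        ("ObjectLevel", sorted(actions - BUCKET_LEVEL - ACCOUNT_LEVEL), f"arn:aws:s3:::{bucket}/*"),
        ("AccountLevel", sorted(actions & ACCOUNT_LEVEL), "*"),
    ]
    statements = [
        {"Sid": sid, "Effect": "Allow", "Action": acts, "Resource": resource}
        for sid, acts, resource in groups if acts
    ]
    return {"Version": "2012-10-17", "Statement": statements}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def misscoped_actions(policy):
    """Return (action, resource) pairs where the resource type cannot satisfy the action."""
    problems = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for resource in _as_list(stmt["Resource"]):
            if resource == "*":
                continue  # a full wildcard satisfies every action
            # "arn:aws:s3:::bucket" is a bucket ARN; anything with a slash after
            # the bucket name ("arn:aws:s3:::bucket/*") is an object ARN.
            is_object_arn = "/" in resource.split(":::", 1)[-1]
            for action in _as_list(stmt["Action"]):
                if action.endswith("*"):
                    continue  # action wildcards are out of scope for this check
                if action in ACCOUNT_LEVEL:
                    problems.append((action, resource))  # needs Resource "*"
                elif action in BUCKET_LEVEL and is_object_arn:
                    problems.append((action, resource))  # bucket action on object ARN
                elif action not in BUCKET_LEVEL and not is_object_arn:
                    problems.append((action, resource))  # object action on bucket ARN
    return problems


if __name__ == "__main__":
    union = union_of_documented_actions()
    pages = [("IAM Permissions", IAM_PERMISSIONS_PAGE),
             ("Uploading backups to AWS", BACKUP_PAGE),
             ("Create an IAM Policy", CREATE_POLICY_PAGE)]
    for name, page in pages:
        print(f"{name} lacks: {actions_missing_from(page, union)}")
    # "example-bucket" is a placeholder name.
    print(json.dumps(build_policy("example-bucket", union), indent=2))
```

Running it prints what each page omits relative to the union (for example, the backup page lacks s3:DeleteObject, as noted above) and the unified policy; `misscoped_actions` can be pointed at an existing policy document to catch the resource-type mistake before it turns into a 403.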

Edited by Alexandr Tanayno