From 78888ec8a8cf8194c41adc334a0dee4db4f8d999 Mon Sep 17 00:00:00 2001 From: Bernardo Meurer Costa Date: Thu, 23 Oct 2025 06:02:58 +0000 Subject: [PATCH] docs: add s3:ListBucket to S3 read permissions The s3:ListBucket permission is required for read operations on S3 binary caches, not just for writes. Without this permission, users get "Access Denied" errors when running nix-build. --- src/libstore/s3-binary-cache-store.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/src/libstore/s3-binary-cache-store.md b/src/libstore/s3-binary-cache-store.md index daa41defd..0b0c26919 100644 --- a/src/libstore/s3-binary-cache-store.md +++ b/src/libstore/s3-binary-cache-store.md @@ -27,7 +27,8 @@ like the following to be accessible: "Sid": "AllowDirectReads", "Action": [ "s3:GetObject", - "s3:GetBucketLocation" + "s3:GetBucketLocation", + "s3:ListBucket" ], "Effect": "Allow", "Resource": [ @@ -51,7 +52,7 @@ Consult the documentation linked above for further details. ### Authenticated reads to your S3 binary cache -Your bucket will need a bucket policy allowing the desired users to perform the `s3:GetObject` and `s3:GetBucketLocation` action on all objects in the bucket. +Your bucket will need a bucket policy allowing the desired users to perform the `s3:GetObject`, `s3:GetBucketLocation`, and `s3:ListBucket` actions on all objects in the bucket. The [anonymous policy given above](#anonymous-reads-to-your-s3-compatible-binary-cache) can be updated to have a restricted `Principal` to support this. ### Authenticated writes to your S3-compatible binary cache
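Review bot: In the first hunk (the `AllowDirectReads` statement), adding `"s3:ListBucket"` to `Action` is only half of the change: `s3:ListBucket` is evaluated against the bucket ARN itself, not against object ARNs, so the `Resource` list that follows (cut off in this hunk) must contain the bare bucket ARN (`arn:aws:s3:::<bucket>`) alongside the `arn:aws:s3:::<bucket>/*` object pattern, or listing will still be denied even with the action present. Please show the complete `Resource` array in the diff so readers copy a working statement. Since this statement is the anonymous-read example, note in the surrounding text that granting `s3:ListBucket` to an unrestricted `Principal` lets anyone enumerate every key in the bucket; if that is unwanted, the statement can be narrowed with an `s3:prefix` condition, and the doc should say which of the two is intended.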
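Review bot: In the second hunk, the rewritten sentence says the three actions are performed "on all objects in the bucket", which is inaccurate for `s3:ListBucket`: it is a bucket-level permission and must be granted on the bucket resource rather than on objects. Suggest splitting the wording, e.g. "... to perform `s3:GetObject` on all objects in the bucket, and `s3:GetBucketLocation` and `s3:ListBucket` on the bucket itself", so the prose matches the ARNs a reader has to put in `Resource`. It would also help to state briefly which Nix read operation needs the listing permission, since the commit message only reports the resulting "Access Denied" symptom.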