Check IAM permissions beforehand. Let non-essential actions fail due to lack of permissions

[tm-kn]

No description provided.

[nealtodd]

For reference, at the time of writing the minimum policies I needed to run through buckup without error were (in order of buckup needing them):

iam:ListAccountAliases
iam:GetUser
iam:CreateUser
iam:CreateAccessKey
iam:PutUserPolicy
s3:PutBucketPolicy

(If there are any errors due to lacking policies after ListAccountAliases the bucket name will be created but can't be used again on another run of buckup.)

[tm-kn]

The following policy seems to make it work. We probably need to document some better setup with restricting by bucket name, user name, etc.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowBuckup",
            "Effect": "Allow",
            "Action": [
                "iam:ListAccountAliases",
                "s3:PutBucketPolicy",
                "s3:CreateBucket",
                "iam:GetUser",
                "iam:CreateUser",
                "s3:PutBucketCORS",
                "s3:PutBucketVersioning",
                "iam:CreateAccessKey"
            ],
            "Resource": "*"
        }
    ]
}

[tm-kn]

Note: Tom suggests that we can try to check policies with https://docs.aws.amazon.com/IAM/latest/APIReference/API_SimulatePrincipalPolicy.html. That's probably a nice feature to have before stable release.

[thibaudcolas]

This would be a very nice addition, especially since if you don’t set up the IAM permissions the bucket creation will succeed, meaning you have to go in the AWS console / use the AWS CLI to clean up after yourself before being able to use buckup again (which somewhat defeats the point of using buckup).