Multipart Upload API and Permissions
An individual must have the necessary permissions to use the multipart upload operations. You can use access control lists (ACLs), the bucket policy, or the user policy to grant individuals permissions to perform these operations. The following table lists the required permissions for various multipart upload operations when using ACLs, a bucket policy, or a user policy.
Action | Required Permissions |
---|---|
Initiate Multipart Upload | You must be allowed to perform the s3:PutObject action on an object to initiate multipart upload. The bucket owner can allow other principals to perform the s3:PutObject action. |
Initiator | Container element that identifies who initiated the multipart upload. If the initiator is an AWS account, this element provides the same information as the Owner element. If the initiator is an IAM User, this element provides the user ARN and display name. |
Upload Part | You must be allowed to perform the s3:PutObject action on an object to upload a part. The bucket owner must allow the initiator to perform the s3:PutObject action on an object in order for the initiator to upload a part for that object. |
Upload Part (Copy) | You must be allowed to perform the s3:PutObject action on an object to upload a part. Because you are uploading a part from an existing object, you must be allowed s3:GetObject on the source object. For the initiator to upload a part for an object, the owner of the bucket must allow the initiator to perform the s3:PutObject action on the object. |
Complete Multipart Upload | You must be allowed to perform the s3:PutObject action on an object to complete a multipart upload. The bucket owner must allow the initiator to perform the s3:PutObject action on an object in order for the initiator to complete a multipart upload for that object. |
Abort Multipart Upload | You must be allowed to perform the s3:AbortMultipartUpload action to abort a multipart upload. By default, the bucket owner and the initiator of the multipart upload are allowed to perform this action. If the initiator is an IAM user, that user's AWS account is also allowed to abort that multipart upload. In addition to these defaults, the bucket owner can allow other principals to perform the s3:AbortMultipartUpload action on an object. The bucket owner can deny any principal the ability to perform the s3:AbortMultipartUpload action. |
List Parts | You must be allowed to perform the s3:ListMultipartUploadParts action to list parts in a multipart upload. By default, the bucket owner has permission to list parts for any multipart upload to the bucket. The initiator of the multipart upload has the permission to list parts of the specific multipart upload. If the multipart upload initiator is an IAM user, the AWS account controlling that IAM user also has permission to list parts of that upload. In addition to these defaults, the bucket owner can allow other principals to perform the s3:ListMultipartUploadParts action on an object. The bucket owner can also deny any principal the ability to perform the s3:ListMultipartUploadParts action. |
List Multipart Uploads | You must be allowed to perform the s3:ListBucketMultipartUploads action on a bucket to list multipart uploads in progress to that bucket. In addition to the default, the bucket owner can allow other principals to perform the s3:ListBucketMultipartUploads action on the bucket. |
AWS KMS Encrypt and Decrypt related permissions | To perform a multipart upload with encryption using an AWS Key Management Service (AWS KMS) customer master key (CMK), the requester must have permission to the kms:Encrypt, kms:Decrypt, kms:ReEncrypt*, kms:GenerateDataKey*, and kms:DescribeKey actions on the key. These permissions are required because Amazon S3 must decrypt and read data from the encrypted file parts before it completes the multipart upload. If your IAM user or role is in the same AWS account as the AWS KMS CMK, then you must have these permissions on the key policy. If your IAM user or role belongs to a different account than the CMK, then you must have the permissions on both the key policy and your IAM user or role. |
For information on the relationship between ACL permissions and permissions in access policies, see Mapping of ACL Permissions and Access Policy Permissions. For information on IAM users, go to Working with Users and Groups.
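
The table above, expressed as a least-privilege IAM user policy. This is an added example, not part of the original documentation. It grants the object-level actions on object ARNs, s3:ListBucketMultipartUploads on the bucket ARN, and lists the abort and list-parts actions explicitly rather than relying on the defaults. The bucket names, the `uploads/` prefix, the Region, the account ID, and the key ID are placeholders (assumptions), and each `Sid` is an illustrative label.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "MultipartObjectLevelActions",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:AbortMultipartUpload",
        "s3:ListMultipartUploadParts"
      ],
      "Resource": "arn:aws:s3:::EXAMPLE-DEST-BUCKET/uploads/*"
    },
    {
      "Sid": "ListInProgressUploadsOnBucket",
      "Effect": "Allow",
      "Action": "s3:ListBucketMultipartUploads",
      "Resource": "arn:aws:s3:::EXAMPLE-DEST-BUCKET"
    },
    {
      "Sid": "UploadPartCopyReadSource",
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::EXAMPLE-SOURCE-BUCKET/*"
    },
    {
      "Sid": "KmsForEncryptedMultipartUpload",
      "Effect": "Allow",
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
    }
  ]
}
```

The `UploadPartCopyReadSource` statement is needed only for Upload Part (Copy), and the KMS statement only when the upload is encrypted with an AWS KMS CMK.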