Minimal s3 upload permissions

hi all, just building a prototype with retool which contains an s3 upload. for data visibility reasons i want to limit the permisisons needed as much as possible. i tried ["s3:PutObject", "s3:ListBucket"], which works on the command line with the AWS cli tool, but i get an AccessDenied error in the javascript console for retool.

if i change this to ["s3:*"] it starts working.

does somebody know the actual required minimum s3 permissions for data upload? i explicitly don't want to include s3:GetObject in there if possible.

thanks in advance!

update: this seems to work just fine:


so at least one of "the additional ones" is needed for a "simple" upload. i guess i can live with that :slight_smile: