Minimal s3 upload permissions

hi all, just building a prototype with retool which contains an s3 upload. for data visibility reasons i want to limit the permissions needed as much as possible. i tried ["s3:PutObject", "s3:ListBucket"], which works on the command line with the AWS cli tool, but i get an AccessDenied error in the javascript console for retool.

if i change this to ["s3:*"] it starts working.

does somebody know the actual required minimum s3 permissions for data upload? i explicitly don't want to include s3:GetObject in there if possible.

thanks in advance!

update: this seems to work just fine:

      "s3:ListBucket",
      "s3:GetBucketAcl",
      "s3:GetBucketCORS",
      "s3:GetBucketLocation",
      "s3:GetBucketLogging",
      "s3:GetBucketNotification",
      "s3:PutObject",
      "s3:PutObjectAcl",
      "s3:PutObjectTagging",

so at least one of "the additional ones" is needed for a "simple" upload. i guess i can live with that :)
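
For reference, the action list from the update laid out as a complete IAM policy (an added example, not part of the original post; the bucket name `example-upload-bucket` is a placeholder assumption). The bucket-level actions are scoped to the bucket ARN and the object-level Put actions to the object ARN, because attaching an action to the wrong resource type also results in AccessDenied. `s3:GetObject` is left out, as the post intends.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "BucketLevelReadMetadata",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketAcl",
        "s3:GetBucketCORS",
        "s3:GetBucketLocation",
        "s3:GetBucketLogging",
        "s3:GetBucketNotification"
      ],
      "Resource": "arn:aws:s3:::example-upload-bucket"
    },
    {
      "Sid": "ObjectLevelWriteOnly",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:PutObjectAcl",
        "s3:PutObjectTagging"
      ],
      "Resource": "arn:aws:s3:::example-upload-bucket/*"
    }
  ]
}
```

Removing one action from the first statement at a time and retrying the upload narrows down which of the additional permissions the upload actually depends on.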