diff --git a/pkg/model/iam/iam_builder.go b/pkg/model/iam/iam_builder.go
index 2930146326da0..44af26bed38e1 100644
--- a/pkg/model/iam/iam_builder.go
+++ b/pkg/model/iam/iam_builder.go
@@ -324,7 +324,12 @@ func (b *PolicyBuilder) AddS3Permissions(p *Policy) (*Policy, error) {
 p.Statement = append(p.Statement, &Statement{
 Effect: StatementEffectAllow,
- Action: stringorslice.Of("s3:GetBucketLocation", "s3:GetEncryptionConfiguration", "s3:ListBucket"),
+ Action: stringorslice.Of(
+ "s3:GetBucketLocation",
+ "s3:GetEncryptionConfiguration",
+ "s3:ListBucket",
+ "s3:ListBucketVersions",
+ ),
 Resource: stringorslice.Slice([]string{
 strings.Join([]string{b.IAMPrefix(), ":s3:::", s3Path.Bucket()}, ""),
 }),
diff --git a/pkg/model/iam/tests/iam_builder_master_legacy.json b/pkg/model/iam/tests/iam_builder_master_legacy.json
index ffdccc1aba07d..67d3bf5631fa8 100644
--- a/pkg/model/iam/tests/iam_builder_master_legacy.json
+++ b/pkg/model/iam/tests/iam_builder_master_legacy.json
@@ -50,7 +50,8 @@
 "Action": [
 "s3:GetBucketLocation",
 "s3:GetEncryptionConfiguration",
- "s3:ListBucket"
+ "s3:ListBucket",
+ "s3:ListBucketVersions"
 ],
 "Resource": [
 "arn:aws:s3:::kops-tests"
diff --git a/pkg/model/iam/tests/iam_builder_master_strict.json b/pkg/model/iam/tests/iam_builder_master_strict.json
index b32a414c19ea7..ad048a8ced131 100644
--- a/pkg/model/iam/tests/iam_builder_master_strict.json
+++ b/pkg/model/iam/tests/iam_builder_master_strict.json
@@ -142,7 +142,8 @@
 "Action": [
 "s3:GetBucketLocation",
 "s3:GetEncryptionConfiguration",
- "s3:ListBucket"
+ "s3:ListBucket",
+ "s3:ListBucketVersions"
 ],
 "Resource": [
 "arn:aws:s3:::kops-tests"
diff --git a/pkg/model/iam/tests/iam_builder_master_strict_ecr.json b/pkg/model/iam/tests/iam_builder_master_strict_ecr.json
index c9ec1e77a2a4d..cb9b48a0f44a3 100644
--- a/pkg/model/iam/tests/iam_builder_master_strict_ecr.json
+++ b/pkg/model/iam/tests/iam_builder_master_strict_ecr.json
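Review bot: The new `s3:ListBucketVersions` entry in the `Action` list is granted on the whole bucket ARN with no condition, and the node fixtures changed in this same commit (`iam_builder_node_legacy.json`, `iam_builder_node_strict.json`, `iam_builder_node_strict_ecr.json`) show it reaching node roles as well as masters. Version listing exposes keys, version IDs and delete markers for every object in the bucket, so if only one role or one prefix actually needs it the grant is wider than least privilege calls for; consider emitting it only for that role, or scoping the statement with an `s3:prefix` condition if the `Statement` type supports one (not visible in this hunk). At minimum, a comment above the list naming the consumer, e.g. `// s3:ListBucketVersions: needed by <caller> for <reason>`, would let a later policy audit decide whether it can be dropped. AddS3Permissions begins and ends outside this hunk.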
@@ -142,7 +142,8 @@
 "Action": [
 "s3:GetBucketLocation",
 "s3:GetEncryptionConfiguration",
- "s3:ListBucket"
+ "s3:ListBucket",
+ "s3:ListBucketVersions"
 ],
 "Resource": [
 "arn:aws:s3:::kops-tests"
diff --git a/pkg/model/iam/tests/iam_builder_node_legacy.json b/pkg/model/iam/tests/iam_builder_node_legacy.json
index 5926662e64082..a2b135f92edc4 100644
--- a/pkg/model/iam/tests/iam_builder_node_legacy.json
+++ b/pkg/model/iam/tests/iam_builder_node_legacy.json
@@ -16,7 +16,8 @@
 "Action": [
 "s3:GetBucketLocation",
 "s3:GetEncryptionConfiguration",
- "s3:ListBucket"
+ "s3:ListBucket",
+ "s3:ListBucketVersions"
 ],
 "Resource": [
 "arn:aws:s3:::kops-tests"
diff --git a/pkg/model/iam/tests/iam_builder_node_strict.json b/pkg/model/iam/tests/iam_builder_node_strict.json
index aa7b32f2471f7..ba6a526c7ee37 100644
--- a/pkg/model/iam/tests/iam_builder_node_strict.json
+++ b/pkg/model/iam/tests/iam_builder_node_strict.json
@@ -16,7 +16,8 @@
 "Action": [
 "s3:GetBucketLocation",
 "s3:GetEncryptionConfiguration",
- "s3:ListBucket"
+ "s3:ListBucket",
+ "s3:ListBucketVersions"
 ],
 "Resource": [
 "arn:aws:s3:::kops-tests"
diff --git a/pkg/model/iam/tests/iam_builder_node_strict_ecr.json b/pkg/model/iam/tests/iam_builder_node_strict_ecr.json
index 61df952ce32bb..a7243e73ee3c5 100644
--- a/pkg/model/iam/tests/iam_builder_node_strict_ecr.json
+++ b/pkg/model/iam/tests/iam_builder_node_strict_ecr.json
@@ -16,7 +16,8 @@
 "Action": [
 "s3:GetBucketLocation",
 "s3:GetEncryptionConfiguration",
- "s3:ListBucket"
+ "s3:ListBucket",
+ "s3:ListBucketVersions"
 ],
 "Resource": [
 "arn:aws:s3:::kops-tests"