Cyberduck Mountain Duck CLI

#9618 closed defect (fixed)

Update docs for KMS IAM Permissions requirements

Reported by: seymours Owned by: dkocher
Priority: normal Milestone: 5.0.9
Component: s3 Version: Nightly Build
Severity: normal Keywords: s3 kms
Cc: Architecture: Intel
Platform: Mac OS X 10.11


Using KMS with S3 in Cyberduck, blog post etc say that IAM permissions required are kms:ListKeys.

In addition though, you also need kms:ListAliases for it to populate the Encryption drop down appropriately.

i.e. an IAM Policy (in addition to the appropriate S3 permissions) of -

    "Version": "2012-10-17",
    "Statement": [
            "Sid": "Stmt1467393289000",
            "Effect": "Allow",
            "Action": [
            "Resource": [

Change History (3)

comment:1 Changed on Jul 3, 2016 at 4:12:30 PM by dkocher

  • Milestone set to 5.1
  • Owner set to dkocher
  • Status changed from new to assigned

The additional permission requirement for ListAliases comes from r20826 where we introduced alias mapping.

comment:2 Changed on Jul 3, 2016 at 4:14:26 PM by dkocher

  • Resolution set to fixed
  • Status changed from assigned to closed

comment:3 Changed on Jul 19, 2016 at 9:20:27 AM by dkocher

  • Milestone changed from 5.1 to 5.0.9
Note: See TracTickets for help on using tickets.