+
+h2(#IAM). IAM Policy
+
+On Amazon, VMs which will access the S3 bucket (these include keepstore and compute nodes) will need an IAM policy with "permission that can read, write, list and delete objects in the bucket":https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create.html . Here is an example policy:
+
+<notextile>
+<pre>
+{
+ "Id": "arvados-keepstore policy",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "s3:*"
+ ],
+ "Resource": "arn:aws:s3:::xarv1-nyw5e-000000000000000-volume"
+ "Resource": "arn:aws:s3:::xarv1-nyw5e-000000000000000-volume/*"
+ }
+ ]
+}
+</pre>
+</notextile>
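Review bot: The example policy is not valid JSON as written: the two "Resource" lines repeat the same key with no comma between them, so a reader who pastes it into IAM will get a syntax error. Combine them into one array, "Resource": ["arn:aws:s3:::xarv1-nyw5e-000000000000000-volume", "arn:aws:s3:::xarv1-nyw5e-000000000000000-volume/*"]. Separately, "s3:*" grants far more than the read, write, list and delete access the paragraph describes. Since this is the policy people will copy, consider listing s3:GetObject, s3:PutObject, s3:DeleteObject and s3:ListBucket instead, and adding a "Version": "2012-10-17" element. The link text talks about bucket permissions but the URL points at the IAM page on creating roles, so a sentence saying the policy is attached to the instance role would make the connection clear.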