This feature utilizes pre-signed URLs to facilitate uploading artifacts to S3.

The minimum S3 bucket policy required to use this feature is:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PolicyForAllowKasmS3UserReadWrite",
      "Effect": "Allow",
      "Principal": {
        "AWS": "<s3 persistent profile user arn>"
      },
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:ListBucket",
        "s3:DeleteObject"
      ],
      "Resource": "<s3 bucket arn>/*"
    },
    {
      "Sid": "PolicyForAllowKasmS3UserListLocate",
      "Effect": "Allow",
      "Principal": {
        "AWS": "<s3 persistent profile user arn>"
      },
      "Action": [
        "s3:GetBucketLocation"
      ],
      "Resource": "<s3 bucket arn>"
    }
  ]
}

The minimum IAM policy for the S3 credentials used in Kasm are:

{
  "Statement": [
    {
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:ListBucket",
        "s3:DeleteObject"
      ],
      "Effect": "Allow",
      "Resource": [
        "<s3 bucket arn>",
        "<s3 bucket arn>/*"
      ]
    },
    {
      "Action": [
        "s3:GetBucketLocation"
      ],
      "Effect": "Allow",
      "Resource": "<s3 bucket arn>"
    }
  ],
  "Version": "2012-10-17"
}