Access keys can come from the account credentials, which have rights to all services:
http://docs.amazonwebservices.com/AWSSecurityCredentials/latest/AboutAWS.... If these are used, no further configuration is needed in AWS and the rest of this page can be skipped.
It is not always preferable to use account-level access to AWS. Reasons include guarding against code accidentally deleting the contents of other buckets, and limiting abuse of other AWS services if the access keys are leaked. Read more at http://docs.amazonwebservices.com/AmazonS3/latest/dev/UsingIAMPolicies.html. Custom access keys can be generated in the AWS IAM service, where a custom policy can be specified. Below are the minimum rights required for the storage api to work.
    {
      "Statement": [
        {
          "Sid": "ModifyAssets",
          "Action": [
            "s3:DeleteObject",
            "s3:DeleteObjectVersion",
            "s3:GetObject",
            "s3:GetObjectAcl",
            "s3:GetObjectVersion",
            "s3:GetObjectVersionAcl",
            "s3:PutObject",
            "s3:PutObjectAcl",
            "s3:PutObjectVersionAcl"
          ],
          "Effect": "Allow",
          "Resource": [
            "arn:aws:s3:::yourbucketname/*"
          ]
        },
        {
          "Sid": "BucketRights",
          "Action": [
            "s3:ListBucket",
            "s3:ListAllMyBuckets"
          ],
          "Effect": "Allow",
          "Resource": [
            "arn:aws:s3:::*"
          ]
        }
      ]
    }
The first statement allows delete, download and upload for all resources under the given bucket. The second statement allows listing of the account's buckets in S3. This is needed for the storage api to check the existence of the bucket that is used. http://docs.amazonwebservices.com/IAM/latest/UserGuide/ManagingPolicies.... describes how to create a user with a custom policy. Once the user has been created, the access keys can be downloaded and used like account access keys.
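
A scope check for the policy above, as an added example that is not part of the storage api or of AWS tooling: it reports which Allow grants reach past the one bucket the keys are meant for. The function names and the NARROWED variant are assumptions made for illustration; whether the storage api's bucket check works with the narrower ListBucket scope is not stated on this page.

```python
# Actions that exist only at account level and cannot be limited to one bucket.
ACCOUNT_LEVEL = {"s3:ListAllMyBuckets"}
PREFIX = "arn:aws:s3:::"

def as_list(value):
    """IAM accepts a single value or a list for Statement, Action and Resource."""
    return [value] if isinstance(value, (str, dict)) else list(value)

def outside_bucket(policy, bucket):
    """Return (sid, action, resource) for Allow grants reaching past `bucket`."""
    findings = []
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        for resource in as_list(stmt.get("Resource", [])):
            # Bucket component of the ARN: text between the prefix and the first "/".
            name = resource[len(PREFIX):].split("/", 1)[0] if resource.startswith(PREFIX) else resource
            if name == bucket:
                continue  # literal name, no wildcard: confined to this bucket
            for action in as_list(stmt.get("Action", [])):
                if action not in ACCOUNT_LEVEL:
                    findings.append((stmt.get("Sid"), action, resource))
    return findings

# The policy from this page.
PAGE_POLICY = {"Statement": [
    {"Sid": "ModifyAssets", "Effect": "Allow",
     "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion", "s3:GetObject",
                "s3:GetObjectAcl", "s3:GetObjectVersion", "s3:GetObjectVersionAcl",
                "s3:PutObject", "s3:PutObjectAcl", "s3:PutObjectVersionAcl"],
     "Resource": ["arn:aws:s3:::yourbucketname/*"]},
    {"Sid": "BucketRights", "Effect": "Allow",
     "Action": ["s3:ListBucket", "s3:ListAllMyBuckets"],
     "Resource": ["arn:aws:s3:::*"]},
]}

# Constructed variant: ListBucket limited to the one bucket, ListAllMyBuckets kept wide.
NARROWED = {"Statement": [
    PAGE_POLICY["Statement"][0],
    {"Sid": "ListThisBucket", "Effect": "Allow", "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::yourbucketname"},
    {"Sid": "ListBucketNames", "Effect": "Allow", "Action": "s3:ListAllMyBuckets",
     "Resource": "arn:aws:s3:::*"},
]}

if __name__ == "__main__":
    for finding in outside_bucket(PAGE_POLICY, "yourbucketname"):
        print("wider than the bucket:", finding)
    print("narrowed variant findings:", outside_bucket(NARROWED, "yourbucketname"))
```

On the page's policy the only finding is s3:ListBucket on arn:aws:s3:::*, which lets the keys list object names in every bucket of the account.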