From 0f4427b3c3f31c08d85c9f38d83f8734d62e860f Mon Sep 17 00:00:00 2001
From: Richard Scothern
Date: Thu, 31 Mar 2016 14:34:59 -0700
Subject: [PATCH] Document required IAM permissions for S3 storage driver.

Signed-off-by: Richard Scothern
---
 docs/storage-drivers/s3.md | 36 ++++++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)

diff --git a/docs/storage-drivers/s3.md b/docs/storage-drivers/s3.md
index 86c3c8c18..8f8dce70d 100644
--- a/docs/storage-drivers/s3.md
+++ b/docs/storage-drivers/s3.md
@@ -187,6 +187,42 @@ An implementation of the `storagedriver.StorageDriver` interface which uses Amaz
 `storageclass`: (optional) The storage class applied to each registry file. Defaults to STANDARD. Valid options are STANDARD and REDUCED_REDUNDANCY.
 
+## S3 permission scopes
+
+The following IAM permissions are required by the registry for push and pull. See [the S3 policy documentation](http://docs.aws.amazon.com/AmazonS3/latest/dev/mpuAndPermissions.html) for more details.
+ ```
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "s3:ListAllMyBuckets"
+ ],
+ "Resource": "arn:aws:s3:::*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "s3:ListBucket",
+ "s3:GetBucketLocation",
+ "s3:ListBucketMultipartUploads",
+ ],
+ "Resource": "arn:aws:s3:::mybucket"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "s3:PutObject",
+ "s3:GetObject",
+ "s3:DeleteObject",
+ "s3:ListMultipartUploadParts",
+ "s3:AbortMultipartUpload"
+ ],
+ "Resource": "arn:aws:s3:::mybucket/*"
+ }
+]
+ ```
+
 # CloudFront as Middleware with S3 backend
 
 ## Use Case