I have a goal of creating a 'write-once' snapshot of my current indexes.
It would be a protection against someone 'accidentally' deleting some of the data.
To achieve that I've created an S3 bucket, but I had to add the IAM policy permission:
"s3:DeleteObject",
via
{
  "Statement": [
    {
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation",
        "s3:ListBucketMultipartUploads",
        "s3:ListBucketVersions"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::snaps.example.com"
      ]
    },
    {
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:AbortMultipartUpload",
        "s3:ListMultipartUploadParts"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::snaps.example.com/*"
      ]
    }
  ],
  "Version": "2012-10-17"
}
This is because registration of the repository:
curl -XPUT 'http://localhost:9200/_snapshot/my_s3_repository?pretty' -d {bucket_settings}
while 'registering the repository', does create and then delete some files in the S3 bucket, for example:
s3://elb-snapshot/tests-kvpG54MJS0mUqovrwWcIeQ-master
s3://elb-snapshot/tests-kvpG54MJS0mUqovrwWcIeQ-ibLCaJIoSEuJqM1N5rb3ug
I've checked that, after you register the repository (automatically for every cluster node), you can
remove the IAM policy rule, the line:
"s3:DeleteObject",
and the snapshot would be still working fine!
My question is: would it break at some time? I guess a new node attachment or a cluster restart might like to repeat the write/read/delete bucket test...
(What about removing old files?
I did set up bucket TTL policy to remove files after 365 days
Snapshots to s3; file TTL)
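
An added example, not part of the original post: a simplified Python check of whether an identity policy still grants object deletion on the snapshot bucket, run against the object statement from the policy above with and without the s3:DeleteObject line. The object key and the wildcard case are constructed; NotAction, NotResource, Allow-side Condition blocks and bucket policies are not evaluated.

```python
import re

# Actions that remove stored snapshot objects. (s3:PutObject can still
# overwrite a key on an unversioned bucket; that is outside this check.)
DESTRUCTIVE = ("s3:DeleteObject", "s3:DeleteObjectVersion")

def as_list(value):
    # IAM allows a single string or dict wherever a list is accepted.
    return [value] if isinstance(value, (str, dict)) else list(value)

def wildcard(pattern, target, ignore_case=False):
    # IAM patterns use * and ? only; every other character is literal.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, target, re.I if ignore_case else 0) is not None

def delete_grants(policy, object_arn):
    """Destructive actions the policy allows on object_arn and does not deny."""
    allowed, denied = set(), set()
    for st in as_list(policy["Statement"]):
        if "Action" not in st or "Resource" not in st:
            continue  # NotAction / NotResource are not modelled here
        if not any(wildcard(r, object_arn) for r in as_list(st["Resource"])):
            continue
        for action in DESTRUCTIVE:
            # Action names are case-insensitive, resource ARNs are not.
            if any(wildcard(a, action, True) for a in as_list(st["Action"])):
                if st["Effect"] == "Allow":
                    allowed.add(action)
                elif "Condition" not in st:  # only unconditional denies count
                    denied.add(action)
    return sorted(allowed - denied)

def policy_with(actions):
    # Object-level statement shaped like the one in the post.
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": actions,
         "Resource": ["arn:aws:s3:::snaps.example.com/*"]}]}

# Actions from the post, then the same list with the delete line removed.
PAGE_ACTIONS = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject",
                "s3:AbortMultipartUpload", "s3:ListMultipartUploadParts"]
TRIMMED = [a for a in PAGE_ACTIONS if a != "s3:DeleteObject"]
# Constructed object key, for illustration only.
KEY = "arn:aws:s3:::snaps.example.com/indices/0/constructed-snapshot-file"

if __name__ == "__main__":
    for name, actions in (("as posted", PAGE_ACTIONS), ("trimmed", TRIMMED),
                          ("wildcard s3:*", ["s3:*"])):
        print(name, "->", delete_grants(policy_with(actions), KEY) or "no delete")
```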