← Knowledge Base

The Minimal S3 Permissions Hiberden Needs

Updated July 17, 2026

The Minimal S3 Permissions Hiberden Needs

Hiberden asks for an access key when you add an S3 or S3-compatible cloud destination. That key should be able to do exactly what Hiberden needs on one bucket, and nothing else. This article gives you the exact policy and explains what each permission is for, so you are not guessing and not over-granting.

The policy

Create a dedicated IAM user (or access key) for Hiberden and attach this policy, replacing YOUR-BUCKET with your bucket name in both places:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "BucketLevel",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:ListBucketMultipartUploads"
      ],
      "Resource": "arn:aws:s3:::YOUR-BUCKET"
    },
    {
      "Sid": "ObjectLevel",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject",
        "s3:AbortMultipartUpload",
        "s3:ListMultipartUploadParts"
      ],
      "Resource": "arn:aws:s3:::YOUR-BUCKET/*"
    }
  ]
}

Note the two different Resource lines: the first two actions apply to the bucket itself, the rest apply to objects inside it (/*). Putting them in one statement is the most common way this policy gets built wrong.

You do not need s3:GetBucketLocation. Hiberden never looks up the bucket's region or endpoint: both are fields you fill in yourself on the Cloud (S3) destination form, and the client is built directly from what you entered.

What each permission does

  • s3:PutObject, s3:GetObject: write archive copies, and read them back. After each upload Hiberden reads the copy back from the bucket and re-hashes it (the verify-after-write gate, on by default), and every verification reads the copy back again. A write-only key cannot be verified.
  • s3:ListBucket: powers the connection test when you add the destination (a bucket check fails with an unrelated-looking error without it).
  • s3:DeleteObject: used when you delete a copy or an archive from Hiberden. It is not used to clean up interrupted uploads; that is what the multipart abort action below is for.
  • s3:AbortMultipartUpload, s3:ListMultipartUploadParts, s3:ListBucketMultipartUploads: large files upload in parts, and an interrupted upload can resume instead of restarting. These three let Hiberden list an unfinished upload's parts, continue it, or abort it cleanly.

The permission everyone forgets

s3:ListBucketMultipartUploads is the one that gets left out, because uploads appear to work fine without it. Here is why you want it anyway: when Hiberden starts, it looks for unfinished multipart uploads left behind by an interruption and reconciles them (resume what is resumable, abort the rest). Without this permission that startup check is refused by S3. Abandoned multipart parts are invisible in normal bucket listings and most providers bill for them until they are aborted, so a missing permission here quietly turns crashes into storage charges.

Not on the list, on purpose

The policy contains no s3:CreateBucket, no s3:DeleteBucket, no s3:*, and no access to any other bucket. If a policy generator or a tutorial hands you something broader, trim it. The key sitting in your archive tool should not be able to delete buckets.

S3-compatible providers

Backblaze B2 and Cloudflare R2 (both work with Hiberden's S3-compatible destination) do not use AWS IAM policies, but the idea maps directly: scope the key to ONE bucket and grant read, write, delete, and the multipart operations on it.

  • Cloudflare R2: create an R2 API token scoped to your bucket with "Object Read & Write". That covers all of the operations above.
  • Backblaze B2: create an application key restricted to your bucket with read and write access (B2 bucket-scoped keys include the S3-compatible multipart and delete operations).

If you already added the destination

Fixing the policy needs no change in Hiberden: permissions are checked at S3, not stored in the app. Update the policy at your provider and the next archive, verification, or startup reconcile uses it immediately.

Where to go next