From 84922810e334eb5021a6686b6b780dd117ccc9e8 Mon Sep 17 00:00:00 2001 From: Laurin Quast Date: Wed, 22 Jan 2020 08:43:06 +0100 Subject: [PATCH] docs: add instructions for AWS IAM policy --- README.md | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/README.md b/README.md index ecd0d31..8c1f641 100644 --- a/README.md +++ b/README.md @@ -57,6 +57,33 @@ The following settings must be passed as environment variables as shown in the e | `SOURCE_DIR` | The local directory (or file) you wish to sync/upload to S3. For example, `public`. Defaults to your entire repository. | `env` | No | `./` (root of cloned repository) | | `DEST_DIR` | The directory inside of the S3 bucket you wish to sync/upload to. For example, `my_project/assets`. Defaults to the root of the bucket. | `env` | No | `/` (root of bucket) | +### Required IAM Policy + +This Github Action uses the [`aws s3 sync`](https://docs.aws.amazon.com/cli/latest/reference/s3/sync.html) command. The following statement must be assigned to the account/role that is used for running this action. Replace `YOUR_BUCKET_NAME` with your actual S3 bucket name. + +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "VisualEditor0", + "Effect": "Allow", + "Action": [ + "s3:PutObject", + "s3:PutObjectAcl", + "s3:GetObject", + "s3:ListBucket", + "s3:DeleteObject", + "s3:GetBucketLocation" + ], + "Resource": [ + "arn:aws:s3:::YOUR_BUCKET_NAME", + "arn:aws:s3:::YOUR_BUCKET_NAME/*" + ] + } + ] +} +``` ## License
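
Review bot: The single statement in the added JSON policy lists bucket-level and object-level actions together against both `arn:aws:s3:::YOUR_BUCKET_NAME` and `arn:aws:s3:::YOUR_BUCKET_NAME/*`, which obscures which permission applies to which resource and makes the policy harder to tighten. Suggest splitting it into two statements: `s3:ListBucket` and `s3:GetBucketLocation` on the bucket ARN, and `s3:PutObject`, `s3:PutObjectAcl`, `s3:GetObject`, `s3:DeleteObject` on the `/*` ARN, with a sentence noting that the object ARN can be narrowed to the `DEST_DIR` prefix when one is set. The paragraph above the policy should also say that `s3:DeleteObject` is only needed when `--delete` is passed to `aws s3 sync` and `s3:PutObjectAcl` only when an `--acl` argument is passed, so users who do not use those options can drop them. Minor: `"Sid": "VisualEditor0"` is a console-generated name and would read better as something descriptive, and "Github" should be "GitHub".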