Merge pull request #4380 from ClickHouse/public-s3-policy

whites11 · web-flow · commit 9af71006cce7 · 2025-09-08T14:38:06.000+02:00
Explain in more detail how public s3 buckets should be configured for…
diff --git a/docs/integrations/data-ingestion/clickpipes/object-storage.md b/docs/integrations/data-ingestion/clickpipes/object-storage.md
@@ -156,7 +156,11 @@ These tables will not be visible using ClickHouse Cloud SQL Console, you will ne
 ## Authentication {#authentication}
 
 ### S3 {#s3}
-You can access public buckets with no configuration, and with protected buckets you can use [IAM credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html) or an [IAM Role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html).
+Both publicly accessible and protected S3 buckets are supported.
+
+Public buckets need to allow both the `s3:GetObject` and the `s3:ListBucket` actions in their Policy.
+
+Protected buckets can be accessed using either [IAM credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html) or an [IAM Role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html).
 To use an IAM Role, you will need to create the IAM Role as specified [in this guide](/cloud/security/secure-s3). Copy the new IAM Role Arn after creation and paste it into the ClickPipe configuration as the "IAM ARN role".
 
 ### GCS {#gcs}
