From a78731a3baab5b4b1ac947107e7992ecc1b5c44c Mon Sep 17 00:00:00 2001 From: ebozduman Date: Wed, 8 Apr 2020 10:34:43 -0700 Subject: [PATCH] Adds info on policy for STS authentication using web-id (#9289) --- docs/sts/web-identity.md | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/docs/sts/web-identity.md b/docs/sts/web-identity.md index ef15e0641..6c25f308f 100644 --- a/docs/sts/web-identity.md +++ b/docs/sts/web-identity.md @@ -112,6 +112,24 @@ $ go run web-identity.go -cid 204367807228-ok7601k6gj1pgge7m09h7d79co8p35xx.apps 2018/12/26 17:49:36 listening on http://localhost:8080/ ``` +Note: For a reasonable test outcome, make sure the assumed user has at least permission/policy to list all buckets. That policy would look like below: +``` +{ + "version": "2012-10-17", + "statement": [ + { + "effect": "Allow", + "action": [ + "s3:ListAllMyBuckets" + ], + "resource": [ + "arn:aws:s3:::*" + ] + } + ] +} +``` + ## Authorization Flow - Visit http://localhost:8080, login will direct the user to the Google OAuth2 Auth URL to obtain a permission grant.
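Review bot: The policy document added to docs/sts/web-identity.md uses lowercase element names ("version", "statement", "effect", "action", "resource"), while the conventional IAM policy spelling used elsewhere in MinIO's documentation and in AWS examples is capitalized ("Version", "Statement", "Effect", "Action", "Resource"); please capitalize them so readers can paste the example without wondering whether the lowercase form is accepted by the policy parser. Two smaller points in the same hunk: the opening fence is bare, so tag it as ```json to match the other fenced blocks in this file and get syntax highlighting, and the sentence "make sure the assumed user has at least permission/policy to list all buckets" would read more clearly as "make sure the policy assigned to the assumed user grants at least `s3:ListAllMyBuckets`", since that is exactly what the example below it grants.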