47c5f77c81
The previous `mc admin policy attach … || true` swallowed every failure mode: a renamed policy, an mc CLI signature change, or a transient MinIO error would leave the bootstrap container exiting zero with the service account possessing no permissions, and the backend would then fail every S3 call after a "successful" deploy. Replace the silent fallback with verify-after: keep the attach (idempotent in current mc, redundant in older versions), then assert via `mc admin user info` that `readwrite` ends up on archiv-app. A genuine attach failure now exits 1 and blocks the stack from starting. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
7.6 KiB
7.6 KiB