diff --git a/docs/sts/web-identity.md b/docs/sts/web-identity.md index ef15e0641..6c25f308f 100644 --- a/docs/sts/web-identity.md +++ b/docs/sts/web-identity.md @@ -112,6 +112,24 @@ $ go run web-identity.go -cid 204367807228-ok7601k6gj1pgge7m09h7d79co8p35xx.apps 2018/12/26 17:49:36 listening on http://localhost:8080/ ``` +Note: For a reasonable test outcome, make sure the assumed user has at least permission/policy to list all buckets. That policy would look like below: +``` +{ + "version": "2012-10-17", + "statement": [ + { + "effect": "Allow", + "action": [ + "s3:ListAllMyBuckets" + ], + "resource": [ + "arn:aws:s3:::*" + ] + } + ] +} +``` + ## Authorization Flow - Visit http://localhost:8080, login will direct the user to the Google OAuth2 Auth URL to obtain a permission grant.
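Review bot: the policy keys in the added JSON block are lowercase ("version", "statement", "effect", "action", "resource"), while the IAM policy document format this mirrors uses capitalized keys ("Version", "Statement", "Effect", "Action", "Resource"); since readers will paste this into a policy file, use the canonical casing rather than relying on a case-insensitive parser. Two smaller points in the same hunk: tag the fence as ```json so the block renders with highlighting, and tighten the lead sentence to "make sure the assumed user has a policy that at least allows listing all buckets, such as the following:" in place of "has at least permission/policy to list all buckets. That policy would look like below:".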