-
- Expert
- Posts: 107
- Liked: 6 times
- Joined: Sep 21, 2022 6:53 am
- Full Name: Keita Kuroki
Permission for direct backup to S3
Hi
Now I am testing direct backup to Amazon S3 using Veeam Agent ver6.
When I added S3 as a repository, I used the IAM user with permissions referring to the site below.
https://www.veeam.com/kb3151
I could add S3 as a repository, but when I ran the backup to the S3 repository, I got the error "Error: Insufficient AWS permissions."
Do I need additional permission for backup?
Thank you.
-
- Product Manager
- Posts: 9385
- Liked: 2500 times
- Joined: May 13, 2017 4:51 pm
- Full Name: Fabian K.
- Location: Switzerland
Re: Permission for direct backup to S3
Hi Kei
Please also check the user guide. Have you set all permissions as described here?
https://helpcenter.veeam.com/docs/backu ... ct-storage
If yes, and it's still not working, please open a case with our customer support and let us know the case number.
Let them check your logs and configuration.
Thank you
Fabian
Product Management Analyst @ Veeam Software
-
- Expert
- Posts: 107
- Liked: 6 times
- Joined: Sep 21, 2022 6:53 am
- Full Name: Keita Kuroki
Re: Permission for direct backup to S3
Hi Fabian
Thank you for your answer.
Which resources should these permissions be allowed on?
I couldn't find it in the document.
-
- Product Manager
- Posts: 9385
- Liked: 2500 times
- Joined: May 13, 2017 4:51 pm
- Full Name: Fabian K.
- Location: Switzerland
Re: Permission for direct backup to S3
Hi Kei
Can you share which method your Veeam Agent uses to write backups to AWS S3?
- Standalone Agents?
- Managed Agents?
- Connection mode for managed agents? (Direct or Through gateway server)
Best,
Fabian
Product Management Analyst @ Veeam Software
-
- Expert
- Posts: 107
- Liked: 6 times
- Joined: Sep 21, 2022 6:53 am
- Full Name: Keita Kuroki
Re: Permission for direct backup to S3
Hi Fabian
My method is
- Using VBR (Not standalone agents)
- Managed by agent
- Direct connection
Thank you
-
- Product Manager
- Posts: 9385
- Liked: 2500 times
- Joined: May 13, 2017 4:51 pm
- Full Name: Fabian K.
- Location: Switzerland
Re: Permission for direct backup to S3
Hi Kei
For Managed by Agent, Veeam will create a user in AWS for each Veeam Agent that backs up to AWS.
So the account you used on your VBR server to connect to the AWS S3 bucket must be able to create new users on the fly for each new agent.
You must create a new IAM policy with the below permissions as stated in our user guide.
Assign the policy to the user account you use for connecting to the AWS S3 bucket. I'm currently testing those in my lab.
After my tests, I will check with our KB team. We should update the KB article with the S3 permissions to reflect direct to storage permissions for the "Managed by Agent" scenario too.
Code:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iam:GetPolicyVersion",
                "iam:DeleteAccessKey",
                "iam:GetPolicy",
                "iam:AttachUserPolicy",
                "iam:DeleteUserPolicy",
                "iam:DeletePolicy",
                "iam:DeleteUser",
                "iam:ListUserPolicies",
                "iam:CreateUser",
                "iam:TagUser",
                "iam:CreateAccessKey",
                "iam:CreatePolicy",
                "iam:ListPolicyVersions",
                "iam:GetUserPolicy",
                "iam:PutUserPolicy",
                "iam:ListAttachedUserPolicies",
                "iam:GetUser",
                "iam:CreatePolicyVersion",
                "iam:DetachUserPolicy",
                "iam:DeletePolicyVersion",
                "iam:ListAccessKeys",
                "iam:SetDefaultPolicyVersion"
            ],
            "Resource": "*"
        }
    ]
}
Best,
Fabian
Product Management Analyst @ Veeam Software
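Added example (not part of the original thread or of Veeam's documentation): an offline check to run over an exported IAM policy document when a job fails with "Insufficient AWS permissions", listing which of the actions from the policy posted above are not granted. It is a simplification that looks only at identity-policy Allow/Deny statements, ignores Condition and NotAction, and counts an action as granted only when it is allowed on Resource "*" as in the posted policy; the names `missing_actions` and `SAMPLE` and the account ID are constructed.

```python
import json
import re

# IAM actions listed in the policy posted in this thread (direct connection).
REQUIRED = ["iam:" + name for name in """
GetPolicyVersion DeleteAccessKey GetPolicy AttachUserPolicy DeleteUserPolicy
DeletePolicy DeleteUser ListUserPolicies CreateUser TagUser CreateAccessKey
CreatePolicy ListPolicyVersions GetUserPolicy PutUserPolicy
ListAttachedUserPolicies GetUser CreatePolicyVersion DetachUserPolicy
DeletePolicyVersion ListAccessKeys SetDefaultPolicyVersion
""".split()]

def _as_list(value):
    # IAM allows Statement, Action and Resource to be a single value or a list.
    return value if isinstance(value, list) else [value]

def _matches(pattern, action):
    # Action patterns are case-insensitive; "*" and "?" are the wildcards.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def missing_actions(policy, required=REQUIRED):
    """Required actions that are explicitly denied or not allowed on Resource "*"."""
    allowed, denied = [], []
    for stmt in _as_list(policy.get("Statement", [])):
        if "Action" not in stmt:  # NotAction statements are skipped (simplification)
            continue
        if stmt.get("Effect") == "Deny":
            denied += _as_list(stmt["Action"])
        elif stmt.get("Effect") == "Allow" and "*" in _as_list(stmt.get("Resource", [])):
            allowed += _as_list(stmt["Action"])
    return [a for a in required
            if any(_matches(p, a) for p in denied)
            or not any(_matches(p, a) for p in allowed)]

# Constructed sample policy (not from the thread): read access by wildcard,
# one write action scoped to a single user ARN, and an explicit Deny.
SAMPLE = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Resource": "*",
   "Action": ["iam:Get*", "iam:List*", "iam:CreateUser", "iam:CreateAccessKey"]},
  {"Effect": "Allow", "Action": "iam:PutUserPolicy",
   "Resource": "arn:aws:iam::111122223333:user/example"},
  {"Effect": "Deny", "Action": "iam:Create*Key", "Resource": "*"}
]}
""")

if __name__ == "__main__":
    for action in missing_actions(SAMPLE):
        print("missing:", action)
```

An empty result means every action from the posted policy is covered; a non-empty one names the actions to raise with whoever administers IAM.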
-
- Expert
- Posts: 107
- Liked: 6 times
- Joined: Sep 21, 2022 6:53 am
- Full Name: Keita Kuroki
Re: Permission for direct backup to S3
Hi Fabian
Thank you so much. I succeeded in backing up to S3 using the permissions you told me.
Best regards.
-
- Lurker
- Posts: 1
- Liked: never
- Joined: Aug 25, 2023 3:11 pm
- Full Name: Allen
Re: Permission for direct backup to S3
The organization I work with greatly limits my access to the AWS console and even more restricts IAM. Is there a minimum amount of permissions that might give me the direct S3 backup capability? I know they won't give me any IAM create, delete, or set type of permissions.
-
- Product Manager
- Posts: 9385
- Liked: 2500 times
- Joined: May 13, 2017 4:51 pm
- Full Name: Fabian K.
- Location: Switzerland
Re: Permission for direct backup to S3
Hi
If you don't allow managing IAM policies, you must change how the agents (operating in Managed by Agent mode) write their backup to object storage. Direct connection requires one IAM policy, user and access keys per agent. Without them, every agent can access backup data from other machines.
Make sure to configure connection type "Through a gateway server" in the object storage properties in the Veeam console and you can remove the IAM permissions.
Minimal permissions for agents with connection type "Through a gateway server" are documented in our user guide and KB article:
User Guide: https://helpcenter.veeam.com/docs/backu ... positories
KB article: https://www.veeam.com/kb3151
Best,
Fabian
Product Management Analyst @ Veeam Software