Discussions related to using object storage as a backup target.
BostjanUNIJA
Service Provider
Posts: 50
Liked: 4 times
Joined: Apr 25, 2022 6:18 pm
Full Name: Bostjan UNIJA
Contact:

Policy for Wasabi direct to storage (secure mode)

Post by BostjanUNIJA »

Hi.
We are in the middle of implementing a VSCP solution.
We have a use case where we would like to back up a customer whose environment has no servers, only workstations.
The idea is to transfer their backups to Wasabi.
We would like to avoid every workstation's backup traffic being proxied over VSCP.
We would like the workstations' backup traffic to be transferred DIRECTLY to the WASABI bucket.
Veeam team provided us this whitepaper: https://fromthearchitect.net/wp-content ... e-Mode.pdf

While creating the Wasabi policy per the whitepaper above, we received an error:
Policy has invalid action: iam:TagUser

We are in doubt whether we can skip that line in the policy, or is it mandatory for secure mode to work?

We also found this Veeam article:
https://helpcenter.veeam.com/docs/backu ... ml?ver=120
and there are different requirements there for the policy on WASABI. Do they cover the secure mode?

{
 "iam:AttachUserPolicy",
 "iam:CreateAccessKey",
 "iam:CreatePolicy",
 "iam:CreatePolicyVersion",
 "iam:CreateUser",
 "iam:DeleteAccessKey",
 "iam:DeletePolicy",
 "iam:DeletePolicyVersion",
 "iam:DeleteUser",
 "iam:DeleteUserPolicy",
 "iam:DetachUserPolicy",
 "iam:GetPolicy",
 "iam:GetPolicyVersion",
 "iam:GetUser",
 "iam:GetUserPolicy",
 "iam:ListAccessKeys",
 "iam:ListAttachedUserPolicies",
 "iam:ListPolicyVersions",
 "iam:ListUserPolicies",
 "iam:PutUserPolicy",
 "iam:SetDefaultPolicyVersion"
}
Please advise.
Mildur
Product Manager
Posts: 8735
Liked: 2294 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland
Contact:

Re: Policy for Wasabi direct to storage (secure mode)

Post by Mildur »

Hello Bostjan

iam:TagUser allows configuring tags on another user. iam:TagUser is only required on Amazon S3.
Wasabi doesn't provide user tagging the way Amazon S3 does.
Agents will still be using the secure mode to connect to the object storage. For each Agent, a dedicated access key and policy will be created. One Agent cannot access backups from another Agent. Please use the following permissions for S3-compatible object storage such as Wasabi:
https://helpcenter.veeam.com/docs/backu ... abi-cloud-

{
 "iam:AttachUserPolicy",
 "iam:CreateAccessKey",
 "iam:CreatePolicy",
 "iam:CreatePolicyVersion",
 "iam:CreateUser",
 "iam:DeleteAccessKey",
 "iam:DeletePolicy",
 "iam:DeletePolicyVersion",
 "iam:DeleteUser",
 "iam:DeleteUserPolicy",
 "iam:DetachUserPolicy",
 "iam:GetPolicy",
 "iam:GetPolicyVersion",
 "iam:GetUser",
 "iam:GetUserPolicy",
 "iam:ListAccessKeys",
 "iam:ListAttachedUserPolicies",
 "iam:ListPolicyVersions",
 "iam:ListUserPolicies",
 "iam:PutUserPolicy",
 "iam:SetDefaultPolicyVersion"
}

Best,
Fabian

PS:
Please register yourself in our service provider user group if you are a service provider. This gives you access to our hidden service provider sub forums where service provider products are discussed: Apply for the Cloud and Service Providers user group
Product Management Analyst @ Veeam Software

Re: Policy for Wasabi direct to storage (secure mode)

Post by BostjanUNIJA »

Dear Mildur.
Thank you for your reply, we really appreciate it.
We are struggling with an additional issue now.
When selecting the IAM/STS access permission on the added Wasabi bucket inside VBR, we receive an error: 403.

We currently have two policies (copied below) applied on the bucket.
Would you maybe know what we are missing?
Thank you!

DEFAULT POLICY:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "arn:aws:s3:::bucketname"
    },
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::bucketname",
        "arn:aws:s3:::bucketname/*"
      ]
    }
  ]
}
POLICY NUMBER 2:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:GetPolicyVersion",
        "iam:DeleteAccessKey",
        "iam:GetPolicy",
        "iam:AttachUserPolicy",
        "iam:DeleteUserPolicy",
        "iam:DeletePolicy",
        "iam:DeleteUser",
        "iam:ListUserPolicies",
        "iam:CreateUser",
        "iam:CreateAccessKey",
        "iam:CreatePolicy",
        "iam:ListPolicyVersions",
        "iam:GetUserPolicy",
        "iam:PutUserPolicy",
        "iam:ListAttachedUserPolicies",
        "iam:GetUser",
        "iam:CreatePolicyVersion",
        "iam:DetachUserPolicy",
        "iam:DeletePolicyVersion",
        "iam:ListAccessKeys",
        "iam:SetDefaultPolicyVersion"
      ],
      "Resource": [
        "arn:aws:s3:::bucketname",
        "arn:aws:s3:::bucketname/*"
      ]
    }
  ]
}

Re: Policy for Wasabi direct to storage (secure mode)

Post by BostjanUNIJA »

Anyone?
MaartenA
Service Provider
Posts: 70
Liked: 24 times
Joined: Oct 31, 2021 7:03 am
Full Name: maarten
Contact:

Re: Policy for Wasabi direct to storage (secure mode)

Post by MaartenA » 1 person likes this post

Had the same issue and needed to add sts:GetCallerIdentity to the policy to fix it.
Maybe the Veeam documentation needs an update?
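
Added example (not part of the original posts, and not Veeam's or Wasabi's code): a small pre-flight check that compares a policy document against what this thread established, namely the documented action list, the sts:GetCallerIdentity permission reported above, and iam:TagUser being rejected by Wasabi. The function name, the finding keys, the sample policy and the resource-mismatch check (which assumes AWS-style policy evaluation) are assumptions made for illustration.

```python
import json
from fnmatch import fnmatchcase

# Documented action list quoted in this thread for S3-compatible storage such as Wasabi.
VEEAM_IAM_ACTIONS = {"iam:" + n for n in """AttachUserPolicy CreateAccessKey CreatePolicy
CreatePolicyVersion CreateUser DeleteAccessKey DeletePolicy DeletePolicyVersion DeleteUser
DeleteUserPolicy DetachUserPolicy GetPolicy GetPolicyVersion GetUser GetUserPolicy
ListAccessKeys ListAttachedUserPolicies ListPolicyVersions ListUserPolicies PutUserPolicy
SetDefaultPolicyVersion""".split()}
# Reported by a poster in this thread as additionally needed; not in the documented list.
THREAD_REPORTED = {"sts:GetCallerIdentity"}
# Per the reply in this thread: only required on Amazon S3; Wasabi rejected it as invalid.
WASABI_UNSUPPORTED = {"iam:TagUser"}


def _as_list(value):
    """Policy JSON allows a single string/object where a list is expected."""
    return list(value) if isinstance(value, list) else [value] if value else []


def audit_policy(policy_json):
    """Return findings for one policy document (hypothetical helper)."""
    granted, mismatched = set(), set()
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource"))
        for action in _as_list(stmt.get("Action")):
            granted.add(action.lower())  # action names are case-insensitive
            # Assumption: AWS-style evaluation, where S3-only ARNs never match iam:/sts: actions.
            if action.lower().startswith(("iam:", "sts:")) and resources and all(
                    r.startswith("arn:aws:s3:") for r in resources):
                mismatched.add(action)

    def allowed(name):  # honours wildcards such as "iam:*"
        return any(fnmatchcase(name.lower(), pattern) for pattern in granted)

    return {
        "missing": sorted(a for a in VEEAM_IAM_ACTIONS | THREAD_REPORTED if not allowed(a)),
        "unsupported_on_wasabi": sorted(a for a in WASABI_UNSUPPORTED if a.lower() in granted),
        "resource_mismatch": sorted(mismatched),
    }


# Constructed sample: one documented action dropped, iam:TagUser added, S3-only resources.
SAMPLE = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": sorted(VEEAM_IAM_ACTIONS - {"iam:GetUser"}) + ["iam:TagUser"],
    "Resource": ["arn:aws:s3:::bucketname", "arn:aws:s3:::bucketname/*"]}]})
```

Calling audit_policy(SAMPLE) lists iam:GetUser and sts:GetCallerIdentity as missing, flags iam:TagUser, and reports every iam: action as scoped only to bucket ARNs.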

Re: Policy for Wasabi direct to storage (secure mode)

Post by BostjanUNIJA » 1 person likes this post

@maartena - Had the same issue. Agree with your comment...

Re: Policy for Wasabi direct to storage (secure mode)

Post by Mildur »

Hi guys

Thank you.
I will start an internal discussion. Will keep you updated.

Best,
Fabian
Product Management Analyst @ Veeam Software
veremin
Product Manager
Posts: 20284
Liked: 2258 times
Joined: Oct 26, 2012 3:28 pm
Full Name: Vladimir Eremin
Contact:

Re: Policy for Wasabi direct to storage (secure mode)

Post by veremin » 1 person likes this post

We have initiated an internal thread with the R&D team to confirm whether the given permission is indeed missing. As Fabian mentioned, we will keep the thread updated with any developments or progress.

Thanks!