Looking for feedback...
There was an apparent lack of documentation regarding permissions required for object storage to work, so after some trial and error I've just come up with this rather broad CloudFormation file that should create a random bucket, and then restrict access to a dedicated access key and secret.
It may be of use to folks that would rather template everything...
It works by generating both a bucket and a restricted user. Once you have deployed the template, the bucket name and IAM username are both available in CloudFormation exports. You can then use the describe-stacks command below to get the username, and the create-access-key command to create an access key and secret that you can then plug into Veeam.
Your Veeam bucket is now templated and repeatable, all without a single click in the AWS Console.
Hope this is of some help...
Code:
# Deploy the stack (CAPABILITY_IAM is needed because the template creates an IAM user):
# aws --region eu-west-1 --profile DevAccount cloudformation deploy --stack-name VeeamBackup --template-file s3/veeam.yaml --capabilities CAPABILITY_IAM
# Read the generated username back from the stack outputs (plain shell assignment, no leading $):
# IAMUSERNAME=$(aws --region eu-west-1 --profile DevAccount cloudformation describe-stacks --stack-name VeeamBackup --query "Stacks[0].Outputs[?OutputKey=='VeeamUserName'].OutputValue" --output text)
# Mint the access key and secret to paste into Veeam (shown once, so capture the output):
# aws --region eu-west-1 --profile DevAccount iam create-access-key --user-name "$IAMUSERNAME"
Description: Bucket for storing Veeam backups in.
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  VeeamUser:
    Type: "AWS::IAM::User"
    Properties:
      Policies:
        - PolicyName: UserPolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Bucket enumeration is the one action that cannot be scoped to a single bucket
              - Effect: Allow
                Action: s3:ListAllMyBuckets
                Resource: "*"
              # Everything else is limited to this stack's bucket and its objects
              - Effect: Allow
                Action: s3:*
                Resource:
                  - !Sub "arn:aws:s3:::${VeeamBucket}"
                  - !Sub "arn:aws:s3:::${VeeamBucket}/*"
  VeeamBucket:
    Type: AWS::S3::Bucket
    Properties:
      PublicAccessBlockConfiguration:
        BlockPublicPolicy: true
        RestrictPublicBuckets: true
        IgnorePublicAcls: true
        BlockPublicAcls: true
      # Private (the default) rather than AuthenticatedRead: AuthenticatedRead grants read
      # to the AuthenticatedUsers group, i.e. every AWS account, and Block Public Access
      # treats that group as public. Access comes from the IAM and bucket policies instead.
      AccessControl: Private
      LifecycleConfiguration:
        Rules:
          - Id: InfrequentAccessRule
            Status: Enabled
            Transitions:
              - TransitionInDays: 30
                StorageClass: STANDARD_IA
      Tags:
        - Key: "Project"
          Value: "VeeamBackups"
  VeeamBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref VeeamBucket
      PolicyDocument:
        Id: VeeamBucketAccessPolicy
        Version: "2012-10-17"
        Statement:
          # Only the dedicated user is named as principal; no wildcard principals
          - Sid: "VeeamAccess"
            Action:
              - s3:*
            Effect: Allow
            Resource:
              - !Sub "arn:aws:s3:::${VeeamBucket}"
              - !Sub "arn:aws:s3:::${VeeamBucket}/*"
            Principal:
              AWS:
                - !GetAtt VeeamUser.Arn
Outputs:
  VeeamBucketArn:
    Description: "ARN of Veeam bucket"
    Value: !GetAtt VeeamBucket.Arn
    Export:
      Name: VeeamBucketArn
  VeeamUserName:
    Description: "Auto generated username for Veeam"
    Value: !Ref VeeamUser
    Export:
      Name: VeeamUser
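The post's goal is a bucket that only the dedicated user can reach, so a pre-deploy check of exactly that property is worth having. The following is an added example, not the poster's code or anything from Veeam: a small checker that takes the template as a Python dict (the shape `yaml.safe_load` gives once the CloudFormation short tags are mapped to `Fn::Sub`, `Ref` and `Fn::GetAtt`) and flags a public canned ACL, a Block Public Access setting left off, a policy statement that is not scoped to the stack's bucket, or a wildcard principal. The embedded `POSTED_TEMPLATE` is a transcription of the template's security-relevant resources in the revision that used `AccessControl: AuthenticatedRead`; the function names and the finding strings are this example's own.

```python
"""Pre-deploy checks for the Veeam bucket template (added example, not the
poster's code). The template is given as a dict, the form yaml.safe_load
would produce if the CloudFormation tags were mapped to their long forms
(!Sub -> Fn::Sub, !Ref -> Ref, !GetAtt -> Fn::GetAtt)."""
import copy

# Canned ACLs that S3 Block Public Access classifies as public. AuthenticatedRead
# grants read to the AuthenticatedUsers group, i.e. any AWS account at all.
PUBLIC_ACLS = {"PublicRead", "PublicReadWrite", "AuthenticatedRead"}
BPA_KEYS = ("BlockPublicAcls", "BlockPublicPolicy",
            "IgnorePublicAcls", "RestrictPublicBuckets")
# The one account-wide action in the template; it cannot be bucket-scoped.
GLOBAL_OK = {"s3:ListAllMyBuckets"}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _scoped_to(resource, bucket_ids):
    """True if a Resource entry points at one of the template's buckets."""
    if isinstance(resource, dict):
        if "Fn::Sub" in resource:
            return any(f"${{{b}}}" in str(resource["Fn::Sub"]) for b in bucket_ids)
        if "Ref" in resource:
            return resource["Ref"] in bucket_ids
    return False


def check_statements(where, doc, bucket_ids, findings):
    """Check the Allow statements of an IAM or bucket policy document."""
    for st in _as_list(doc.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = set(_as_list(st.get("Action", [])))
        for res in _as_list(st.get("Resource", [])):
            if res == "*" and actions - GLOBAL_OK:
                findings.append(f"{where}: {sorted(actions - GLOBAL_OK)} allowed on Resource '*'")
            elif res != "*" and not _scoped_to(res, bucket_ids):
                findings.append(f"{where}: Resource {res!r} is not one of this template's buckets")
        principal = st.get("Principal")
        aws = principal.get("AWS", []) if isinstance(principal, dict) else (principal or [])
        if "*" in _as_list(aws):
            findings.append(f"{where}: statement grants access to Principal '*'")


def check_template(template):
    """Return a list of findings; an empty list means the template passes."""
    findings = []
    res = template.get("Resources", {})
    buckets = {k for k, v in res.items() if v["Type"] == "AWS::S3::Bucket"}
    for bid in sorted(buckets):
        props = res[bid].get("Properties", {})
        acl = props.get("AccessControl", "Private")  # Private is the S3 default
        if acl in PUBLIC_ACLS:
            findings.append(f"{bid}: AccessControl {acl} is a public canned ACL")
        bpa = props.get("PublicAccessBlockConfiguration", {})
        findings += [f"{bid}: PublicAccessBlockConfiguration.{k} is not true"
                     for k in BPA_KEYS if bpa.get(k) is not True]
    for name, r in res.items():
        props = r.get("Properties", {})
        if r["Type"] == "AWS::IAM::User":
            for pol in props.get("Policies", []):
                check_statements(f"{name}/{pol['PolicyName']}", pol["PolicyDocument"], buckets, findings)
        elif r["Type"] == "AWS::S3::BucketPolicy":
            check_statements(name, props["PolicyDocument"], buckets, findings)
    return findings


# Transcription of the posted template's security-relevant resources, in the
# revision that set AccessControl: AuthenticatedRead (lifecycle rule, tags and
# outputs omitted because the checks ignore them).
POSTED_TEMPLATE = {"Resources": {
    "VeeamUser": {"Type": "AWS::IAM::User", "Properties": {"Policies": [{
        "PolicyName": "UserPolicy",
        "PolicyDocument": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*"},
            {"Effect": "Allow", "Action": "s3:*", "Resource": [
                {"Fn::Sub": "arn:aws:s3:::${VeeamBucket}"},
                {"Fn::Sub": "arn:aws:s3:::${VeeamBucket}/*"}]}]}}]}},
    "VeeamBucket": {"Type": "AWS::S3::Bucket", "Properties": {
        "PublicAccessBlockConfiguration": {k: True for k in BPA_KEYS},
        "AccessControl": "AuthenticatedRead"}},
    "VeeamBucketPolicy": {"Type": "AWS::S3::BucketPolicy", "Properties": {
        "Bucket": {"Ref": "VeeamBucket"},
        "PolicyDocument": {"Version": "2012-10-17", "Statement": [{
            "Sid": "VeeamAccess", "Effect": "Allow", "Action": ["s3:*"],
            "Resource": [{"Fn::Sub": "arn:aws:s3:::${VeeamBucket}"},
                         {"Fn::Sub": "arn:aws:s3:::${VeeamBucket}/*"}],
            "Principal": {"AWS": [{"Fn::GetAtt": ["VeeamUser", "Arn"]}]}}]}}},
}}


def with_acl(template, acl):
    """Deep copy of the template with the bucket's AccessControl replaced."""
    t = copy.deepcopy(template)
    t["Resources"]["VeeamBucket"]["Properties"]["AccessControl"] = acl
    return t


if __name__ == "__main__":
    for finding in check_template(POSTED_TEMPLATE) or ["no findings"]:
        print(finding)
```

Run against the transcription as posted it reports only the `AuthenticatedRead` ACL; with `AccessControl` set to `Private` it is clean, which is the state you want before `cloudformation deploy`. The `s3:*` on the bucket is deliberately left alone, since the post already notes the policy is broad and the checker has no Veeam-specific list of required actions to narrow it against.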