-
- Technology Partner
- Posts: 2
- Liked: never
- Joined: Mar 28, 2022 8:25 pm
- Full Name: Keshav Attrey
- Contact:
Provided by IAM/STS
Does the “Provided by IAM/STS” setting in an object repository’s access permissions apply to both “Managed by Agent” and “Managed by Backup Server” job types? (Will VBR create new IAM users for both job types?)
-
- Chief Product Officer
- Posts: 32240
- Liked: 7608 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: Provided by IAM/STS
From what I remember, this only applies to "Managed by Agent" AND when backing up directly to object storage (without a gateway server). Because whenever a backup server is managing the data transfer, it takes care of backup access control by itself and thus the IAM/STS smarts are no longer required for access control on the object storage side.
See the bottom part of this help page > https://helpcenter.veeam.com/docs/backu ... sions.html
-
- Technology Partner
- Posts: 2
- Liked: never
- Joined: Mar 28, 2022 8:25 pm
- Full Name: Keshav Attrey
- Contact:
Re: Provided by IAM/STS
Thank you so much for your reply. On AWS, you can create up to 5000 IAM users in a single account. Would creating a SOBR containing multiple object repositories for different AWS accounts allow one to exceed 5000 IAM users?
-
- Chief Product Officer
- Posts: 32240
- Liked: 7608 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: Provided by IAM/STS
It would seem logical, if the limit is per account and you're using different accounts.
-
- Veeam Software
- Posts: 321
- Liked: 150 times
- Joined: Jul 24, 2018 8:38 pm
- Full Name: Stephen Firmes
- Contact:
Re: Provided by IAM/STS
@keshavattrey you are correct that the AWS account has a 5,000 user limit. That and other IAM object quotas are used in our software.
@Gostev is correct that when you select a gateway server via the "Connection mode:" setting, the gateway will handle the authentication to the object storage. When keeping the default setting of "Direct" and using the "Provided by IAM/STS object storage capabilities" option for the repository's access control, the repository can't be part of a SOBR for Managed by Client agents. For this use case, the repository must be a stand-alone object storage repository and not part of a SOBR. In this case it needs to be a manual best practice to only back up 5,000 or fewer Managed by Agent clients to the same repository.
Steve Firmes | Senior Solutions Architect, Product Management - Alliances @ Veeam Software