Discussions related to using object storage as a backup target.
AlexHeylin
Veteran
Posts: 563
Liked: 173 times
Joined: Nov 15, 2019 4:09 pm
Full Name: Alex Heylin
Contact:

v12 - additional Wasabi S3 permission needed?

Post by AlexHeylin »

We've just upgraded to v12 and now many SOBR offloads are failing with

Code:

Upgrading backup chain index...
REST API error: 'Forbidden', error code: 403

The access to Wasabi's S3 is using the community developed policy (because I think this still isn't officially documented by either Wasabi or Veeam, or if it is it's not linked from the obvious places - HINT! HINT!!). I assume the index upgrade / new v12 approach requires some additional right. Does anyone know what this is, or have a known working policy?

veremin
Product Manager
Posts: 20376
Liked: 2290 times
Joined: Oct 26, 2012 3:28 pm
Full Name: Vladimir Eremin
Contact:

Re: v12 - additional Wasabi S3 permission needed?

Post by veremin »

Can you collect the debug logs and provide them within the support ticket? So we can verify internally what might be going wrong. Thanks!

Post by AlexHeylin » 1 person likes this post

Hi Veremin,
Sorry - I got meetinged before I got that far... Case #05873121
Thanks

Post by veremin »

Thanks, Alex, for sharing the ticket number - we will check the investigation.

Post by AlexHeylin »

Sorry - I might have had my idiot brain loaded today... I found a couple of permissions missing from the policy. I've updated all the policies to include everything from the list. Strange that this has been working for years for everything except this policy upgrade.

I've submitted a suggestion to the docs team to just supply the sample policy, because stating the permissions alone won't enable you to work out how to set up the policy so it works and uses least privilege... I know this was quite a discussion point when Wasabi implemented immutability.

I've just triggered an offload with the new policy in place and it's still failing though - so perhaps those missing permissions weren't the cause.

Post by veremin »

Correct, it does not seem like a permission issue - we verified the given policy and everything looked OK. We had an idea of what might be the root cause and shared it with the support engineer. He might get in contact with you soon. Thanks!

Post by veremin » 1 person likes this post

It turned out this was caused by an intermittent Wasabi cloud issue that resolved itself during the last support call. So, this had nothing to do with V12 in the end. Thanks!

Post by AlexHeylin »

FYI - I've had the docs of these permissions expanded (a lot!) to include policy templates for most common scenarios, so this is now formally documented rather than being hidden in the forums.
mortalfoil
Novice
Posts: 7
Liked: 3 times
Joined: Mar 17, 2023 6:00 pm
Contact:


Post by mortalfoil »

Hi AlexHeylin,

Where can I find that document? I did a quick search of the KB but haven't found it yet.
doktornotor
Enthusiast
Posts: 95
Liked: 31 times
Joined: Mar 07, 2018 12:57 pm
Contact:


Post by doktornotor »

You probably mean this?

https://www.veeam.com/kb3151

Post by AlexHeylin »

I actually meant this https://helpcenter.veeam.com/docs/backu ... ermissions which now has policy templates for almost every scenario.