Wasabi policy permission

[matteu]

Hello,

I have to configure S3 Wasabi for the first time and I would like to be sure about the configuration.

I will use it as backup copy repository with immutability.

1) I create the bucket on Wasabi with versionning + object lock enabled

2) I create a policy on Wasabi based on https://helpcenter.veeam.com/docs/backu ... positories
I need the policy "Immutability Enabled and Helper Appliance Configured Beforehand" right ?
How could I limit the policy only to the bucket "backupbucket" ? Because if I understand correctly, the policy in Veeam documentation has permission on all buckets.

3) I create a new user and assign the policy

4) I create the repository to veeam and set the desired immutability.

I think I need some help on part 2 to be sure the user can only write to the "backupbucket".

Thanks for your help

[david.domask]

Hi matteu,

This would be controlled by IAM policy, and Wasabi has a guide here: https://docs.wasabi.com/docs/how-do-i-r ... d-policies

[matteu]

Hello and thanks for your answer.
I finally find what is needed. The important section is the "ressource" :

Code: Select all

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation",
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:GetBucketVersioning",
        "s3:GetBucketObjectLockConfiguration",
        "s3:ListBucketVersions",
        "s3:GetObjectVersion",
        "s3:GetObjectRetention",
        "s3:GetObjectLegalHold",
        "s3:PutObjectRetention",
        "s3:PutObjectLegalHold",
        "s3:DeleteObjectVersion"
      ],
      "Resource": ["arn:aws:s3:::BUCKET/*","arn:aws:s3:::BUCKET"]
    }
  ]
}

[david.domask]

happy to help, matteu, and glad you got it, ty for sharing the policy! I am sure it will help others