Discussions specific to object storage
dariusz.tyka
Novice
Posts: 5
Liked: 2 times
Joined: Jan 21, 2019 1:38 pm
Full Name: Dariusz Tyka
Contact:

Re: 9.5 Update 4 and Amazon S3

Post by dariusz.tyka » Feb 28, 2019 10:19 am

Hi Eremin,

unfortunately event this minimal set of permissions include:
s3:CreateBucket",
"s3:ListBucket",
"s3:ListAllMyBuckets",
"s3:DeleteBucket",
"s3:PutObject",
"s3:DeleteObject",
"s3:GetBucketLocation",
"s3:PutLifeCycleConfiguration",
"s3:GetObject",
"s3:RestoreObject",
"s3:AbortMultiPartUpload",
"s3:ListBucketMultiPartUploads",
"s3:ListMultipartUploadParts

with following permission:

"Effect": "Allow",
"Resource": "*"

what in fact grant access to all S3 buckets.

v.eremin
Product Manager
Posts: 16130
Liked: 1314 times
Joined: Oct 26, 2012 3:28 pm
Full Name: Vladimir Eremin
Contact:

Re: 9.5 Update 4 and Amazon S3

Post by v.eremin » Feb 28, 2019 11:11 am

And it wouldn't work if you try to limit resource parameter to the given bucket?

Code: Select all

"Resource": "arn:aws:s3:::my_archivetier_bucket/*"
Thanks!

dariusz.tyka
Novice
Posts: 5
Liked: 2 times
Joined: Jan 21, 2019 1:38 pm
Full Name: Dariusz Tyka
Contact:

Re: 9.5 Update 4 and Amazon S3

Post by dariusz.tyka » Mar 01, 2019 1:14 pm

Hi Eremin,

unfortunately not. I tried this way, also tried to grant full access to single S3 bucket but then during object storage creation I receive 'Invalid credentials for Amazon S3 endpoint'.

Dariusz

dariusz.tyka
Novice
Posts: 5
Liked: 2 times
Joined: Jan 21, 2019 1:38 pm
Full Name: Dariusz Tyka
Contact:

Re: 9.5 Update 4 and Amazon S3

Post by dariusz.tyka » Mar 01, 2019 1:59 pm 2 people like this post

Finally I got it working with limited set of permissions. I used this AWS link: https://aws.amazon.com/blogs/security/i ... -policies/
The policy looks like this - see below. Don't know if those are minimal permissions but anyhow those are much more strict than full access to all S3 buckets.

Code: Select all

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "TheseActionsSupportBucketResourceType",
            "Effect": "Allow",
            "Action": [
                "s3:*" ],
            "Resource": [
                "arn:aws:s3:::Veeam_bucket_name" ]
        },
        {
            "Sid": "TheseActionsRequireAllResources",
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:ListMultipartUploadParts" ],
            "Resource": [
                "*" ]
        },
        {
            "Sid": "TheseActionsRequireSupportsObjectResourceType",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject" ],
            "Resource": [
                "arn:aws:s3:::Veeam_bucket_name/*" ]
        }
    ]
}

v.eremin
Product Manager
Posts: 16130
Liked: 1314 times
Joined: Oct 26, 2012 3:28 pm
Full Name: Vladimir Eremin
Contact:

Re: 9.5 Update 4 and Amazon S3

Post by v.eremin » Mar 01, 2019 3:25 pm

Thanks, Dariusz, for sharing this valuable information. I will update this thread, once the official documentation is ready.

dariusz.tyka
Novice
Posts: 5
Liked: 2 times
Joined: Jan 21, 2019 1:38 pm
Full Name: Dariusz Tyka
Contact:

Re: 9.5 Update 4 and Amazon S3

Post by dariusz.tyka » Mar 08, 2019 12:56 pm

Unfortunately the set of permissions I mentioned earlier is not sufficient. While it was OK and I could add Amazon S3 repository using this set of permissions the SOBR repository offload job fails with an error:

Processing 'Job name' Error: Amazon REST error: 'S3 error: Access Denied Code: AccessDenied', error code: 403

So for now I've changed the policy for AWS account used by Veeam to full S3 access. Awaiting for final set of permissions from Veeam.

Tomsyr
Enthusiast
Posts: 27
Liked: 1 time
Joined: Jul 01, 2014 3:39 pm
Full Name: Tom Conklin
Contact:

Re: 9.5 Update 4 and Amazon S3

Post by Tomsyr » Mar 25, 2019 12:01 pm 1 person likes this post

From Gostev's excellent weekly email, it is stated 'Update 4a is on track to be released this month'.
Will it include the Backup Copy functionality for S3?
Thx!
Tom

Gostev
SVP, Product Management
Posts: 24016
Liked: 3252 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: 9.5 Update 4 and Amazon S3

Post by Gostev » Mar 25, 2019 2:01 pm 3 people like this post

No. Actually, in the same excellent weekly email, I did note that Update 4a is purely a bug fix update :D

krzychu3000
Lurker
Posts: 1
Liked: never
Joined: Apr 10, 2019 12:27 pm
Full Name: Krzysiek
Contact:

Re: 9.5 Update 4 and Amazon S3

Post by krzychu3000 » Apr 10, 2019 12:36 pm

Hello,
I'm won't start a new thread.

We are using Veeam Backup & Replication in version 9.5.4.2753. I just added New IBM Cloud S3 Storege based on totorial: https://helpcenter.veeam.com/docs/backu ... l?ver=95u4 I can see this repository on Backup Infrastructure --> Backup repositories. But when I want to use this repository in Copy Job, I can't see newly added repository.

Restart of Veeam Application and whole veeam server didn't help.

v.eremin
Product Manager
Posts: 16130
Liked: 1314 times
Joined: Oct 26, 2012 3:28 pm
Full Name: Vladimir Eremin
Contact:

Re: 9.5 Update 4 and Amazon S3

Post by v.eremin » Apr 10, 2019 6:14 pm

You should add it as capacity extent to existing Scale-Out Backup Repository. Thanks!

Post Reply

Who is online

Users browsing this forum: No registered users and 1 guest