Discussions specific to object storage
dalbertson
Veeam Software
Posts: 16
Liked: 7 times
Joined: Jul 21, 2015 12:38 pm
Full Name: Dustin Albertson

Re: 9.5 Update 4 and Amazon S3

Post by dalbertson » Jul 22, 2019 9:22 pm 7 people like this post

Hi All,

I have played around with the minimal permissions a bit and tested in my lab and this seems to work. I was able to tier data, restore, and delete all.

Code:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "SecureBucketPolicy0",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:AbortMultipartUpload",
                "s3:ListBucket",
                "s3:DeleteObject",
                "s3:GetBucketLocation",
                "s3:ListMultipartUploadParts"
            ],
            "Resource": [
                "arn:aws:s3:::bucketname/*",
                "arn:aws:s3:::bucketname"
            ]
        },
        {
            "Sid": "SecureBucketPolicy1",
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:HeadBucket"
            ],
            "Resource": "*"
        }
    ]
}

david.tosoff
Veeam Software
Posts: 6
Liked: 1 time
Joined: Mar 22, 2018 5:20 pm
Full Name: David Tosoff

Re: 9.5 Update 4 and Amazon S3

Post by david.tosoff » Aug 01, 2019 2:51 am 1 person likes this post

This is great! Thanks @dalbertson!

In case it helps anyone else:
I was building a similar limited-scope policy in my homelab over the weekend, but using Wasabi. I stole Dustin's snippet from above, but the "HeadBucket" action permission wasn't accepted in the Wasabi console, giving me an error when creating the policy.
Using "s3:ListBucket" instead worked for me.

EDIT: Upon further reading, this actually may open up more access than desired to all buckets. Striking that line altogether from this second part of the policy appears to work for me with Wasabi. Was able to add extent without issue, and Capacity Tier is currently syncing without issue (so far).
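
The scoping concern raised in the EDIT above, as an added example that is not part of any forum post: a small Python check that flags Allow statements granting bucket- or object-level S3 actions on a wildcard resource. The function names and the rule that only s3:ListAllMyBuckets may stay account-wide are assumptions of this example; the sample policies are constructed from the snippet in the thread.

```python
import json

# Assumption of this example: the only S3 action that legitimately needs an
# account-wide resource is s3:ListAllMyBuckets; everything else can be scoped.
ACCOUNT_WIDE = {"s3:listallmybuckets"}
WILDCARD_RESOURCES = {"*", "arn:aws:s3:::*", "arn:aws:s3:::*/*"}

def as_list(value):
    """IAM accepts a single string where a list is expected."""
    return value if isinstance(value, list) else [value]

def overbroad_grants(policy_json):
    """Return (Sid, action) pairs where an Allow statement grants a
    bucket- or object-level action on a wildcard resource."""
    findings = []
    for stmt in as_list(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        resources = as_list(stmt.get("Resource", []))
        if not any(r in WILDCARD_RESOURCES for r in resources):
            continue
        for action in as_list(stmt.get("Action", [])):
            # IAM action names are case-insensitive.
            if action.lower() not in ACCOUNT_WIDE:
                findings.append((stmt.get("Sid", "<no Sid>"), action))
    return findings

def build_policy(wildcard_actions):
    """Constructed sample: a bucket-scoped statement like the one in the
    thread, plus a second statement applied to Resource "*"."""
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "SecureBucketPolicy0", "Effect": "Allow",
             "Action": ["s3:PutObject", "s3:GetObject", "s3:ListBucket",
                        "s3:DeleteObject", "s3:GetBucketLocation"],
             "Resource": ["arn:aws:s3:::bucketname/*",
                          "arn:aws:s3:::bucketname"]},
            {"Sid": "SecureBucketPolicy1", "Effect": "Allow",
             "Action": wildcard_actions, "Resource": "*"},
        ],
    })

if __name__ == "__main__":
    # Variant with s3:ListBucket on "*": listing is allowed on every bucket.
    print(overbroad_grants(build_policy(["s3:ListAllMyBuckets", "s3:ListBucket"])))
    # Variant with that line struck: nothing bucket-level is left on "*".
    print(overbroad_grants(build_policy(["s3:ListAllMyBuckets"])))
```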

hcs_tech
Lurker
Posts: 2
Liked: never
Joined: Sep 26, 2019 3:19 am
Full Name: Kyle Blackmore

[MERGED] Amazon S3 Bucket Permissions

Post by hcs_tech » Sep 28, 2019 7:31 pm

What permissions should be checked here, see image below, on this screen to block public access but still allow IAM user access for the Veeam Object Storage backup?

Image: https://prnt.sc/pc8r8k

chris.arceneaux
Veeam Software
Posts: 58
Liked: 32 times
Joined: Jun 24, 2019 1:39 pm
Full Name: Chris Arceneaux

Re: Amazon S3 Bucket Permissions

Post by chris.arceneaux » Sep 30, 2019 1:06 pm 1 person likes this post

You can safely Block all public access in the screenshot you've shown. Public access is defined as someone being able to access your S3 Bucket without authentication.

As the IAM user should have the necessary access applied to it, it's not deemed public access.

veremin
Product Manager
Posts: 16867
Liked: 1429 times
Joined: Oct 26, 2012 3:28 pm
Full Name: Vladimir Eremin

Re: [MERGED] Amazon S3 Bucket Permissions

Post by veremin » Sep 30, 2019 5:06 pm 1 person likes this post

hcs_tech wrote:
Sep 28, 2019 7:31 pm
What permissions should be checked here, see image below, on this screen to block public access but still allow IAM user access for the Veeam Object Storage backup?

Your post has been merged into the existing discussion. Kindly check the answers provided above. Thanks!

AuGL
Influencer
Posts: 14
Liked: never
Joined: May 07, 2019 12:22 am
Full Name: Glenn

Re: Been testing out Update 4 and S3, some questions

Post by AuGL » Oct 04, 2019 4:51 am

anthonyspiteri79 wrote:
Feb 21, 2019 2:53 pm
Just as a heads up, there are a few of us internally working on a Cloud Tier Deep Dive White Paper which will contain explanations around scenarios like this. We hope to have it out in 4-6 weeks.

Any update on when this white paper will be available?

veremin
Product Manager
Posts: 16867
Liked: 1429 times
Joined: Oct 26, 2012 3:28 pm
Full Name: Vladimir Eremin

Re: 9.5 Update 4 and Amazon S3

Post by veremin » Oct 04, 2019 1:22 pm

If you're interested in the list of minimal permissions needed for Capacity Tier, then we're planning to publish it next week. The QA team has just confirmed the list. Thanks!

AuGL
Influencer
Posts: 14
Liked: never
Joined: May 07, 2019 12:22 am
Full Name: Glenn

Re: 9.5 Update 4 and Amazon S3

Post by AuGL » Oct 06, 2019 9:57 pm

Yes, the minimum permissions would be good as we are looking to set this up shortly, so just looking for "best practice" settings all round.

veremin
Product Manager
Posts: 16867
Liked: 1429 times
Joined: Oct 26, 2012 3:28 pm
Full Name: Vladimir Eremin

Re: 9.5 Update 4 and Amazon S3

Post by veremin » Oct 09, 2019 2:47 pm 1 person likes this post

The documentation has been updated. Find the minimal permissions set here. Thanks!

AuGL
Influencer
Posts: 14
Liked: never
Joined: May 07, 2019 12:22 am
Full Name: Glenn

Re: 9.5 Update 4 and Amazon S3

Post by AuGL » Oct 10, 2019 6:15 am

Thanks, you guys rock!
