dalbertson
Veeam Software
Full Name: Dustin Albertson

Re: 9.5 Update 4 and Amazon S3

Post by dalbertson » Jul 22, 2019 9:22 pm 6 people like this post

Hi All,

I have played around with the minimal permissions a bit and tested in my lab and this seems to work. I was able to tier data, restore, and delete all.


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "SecureBucketPolicy0",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:AbortMultipartUpload",
                "s3:ListBucket",
                "s3:DeleteObject",
                "s3:GetBucketLocation",
                "s3:ListMultipartUploadParts"
            ],
            "Resource": [
                "arn:aws:s3:::bucketname/*",
                "arn:aws:s3:::bucketname"
            ]
        },
        {
            "Sid": "SecureBucketPolicy1",
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:HeadBucket"
            ],
            "Resource": "*"
        }
    ]
}

david.tosoff
Veeam Software
Full Name: David Tosoff

Re: 9.5 Update 4 and Amazon S3

Post by david.tosoff » Aug 01, 2019 2:51 am 1 person likes this post

This is great! Thanks @dalbertson!

In case it helps anyone else:
I was building a similar limited-scope policy in my homelab over the weekend, but using Wasabi. I stole Dustin's snippet from above, but the "HeadBucket" action permission wasn't accepted in the Wasabi console, giving me an error when creating the policy.
Using "s3:ListBucket" instead worked for me.

EDIT: Upon further reading, this actually may open up more access than desired to all buckets. Striking that line altogether from this second part of the policy appears to work for me with Wasabi. Was able to add extent without issue, and Capacity Tier is currently syncing without issue (so far).
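
An added example, not part of either post above: a small Python check that lists the bucket- or object-scoped S3 actions an Allow statement grants on "Resource": "*", run against the two variants of the second statement described in the reply (ListBucket substituted, and the line removed). The names wildcard_grants and build_policy, and the ACCOUNT_WIDE set, are assumptions of this example.

```python
# Assumption of this example: the only S3 action used here that is account-wide
# (not tied to one bucket), so "Resource": "*" is the expected scope for it.
ACCOUNT_WIDE = {"s3:ListAllMyBuckets"}
BUCKET = "bucketname"  # placeholder bucket name, as in the posted policy


def as_list(value):
    """IAM accepts either a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def wildcard_grants(policy):
    """Return (Sid, action) for Allow statements that grant a bucket- or
    object-scoped action on every resource instead of the named bucket."""
    found = []
    for stmt in as_list(policy["Statement"]):
        resources = as_list(stmt.get("Resource", []))
        everything = any(r in ("*", "arn:aws:s3:::*") for r in resources)
        if stmt.get("Effect") != "Allow" or not everything:
            continue
        for action in as_list(stmt.get("Action", [])):
            if action not in ACCOUNT_WIDE:
                found.append((stmt.get("Sid", ""), action))
    return found


def build_policy(second_statement_actions):
    """First statement as posted; second statement with the given actions."""
    scoped = {"Sid": "SecureBucketPolicy0", "Effect": "Allow",
              "Action": ["s3:PutObject", "s3:GetObject", "s3:AbortMultipartUpload",
                         "s3:ListBucket", "s3:DeleteObject", "s3:GetBucketLocation",
                         "s3:ListMultipartUploadParts"],
              "Resource": [f"arn:aws:s3:::{BUCKET}/*", f"arn:aws:s3:::{BUCKET}"]}
    broad = {"Sid": "SecureBucketPolicy1", "Effect": "Allow",
             "Action": second_statement_actions, "Resource": "*"}
    return {"Version": "2012-10-17", "Statement": [scoped, broad]}


if __name__ == "__main__":
    variants = {
        "ListBucket substituted": ["s3:ListAllMyBuckets", "s3:ListBucket"],
        "line removed": ["s3:ListAllMyBuckets"],
    }
    for name, actions in variants.items():
        print(name, "->", wildcard_grants(build_policy(actions)))
```

The first variant reports s3:ListBucket under SecureBucketPolicy1, because that statement's resource is every bucket rather than the one named in the first statement; the second variant reports nothing.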
