Discussions specific to object storage
kylegordon
Novice
Posts: 6
Liked: 2 times
Joined: May 07, 2015 11:37 am
Full Name: Kyle Gordon

Cloudformation template

Post by kylegordon » Feb 07, 2019 2:08 pm 2 people like this post

This is a repost from here https://www.reddit.com/r/Veeam/comments ... formation/?

Looking for feedback...

There was an apparent lack of documentation regarding permissions required for object storage to work, so after some trial and error I've just come up with this rather broad Cloudformation file that should create a random bucket, and then restrict access to a dedicated access key and secret.

It may be of use to folks that would rather template everything...

It works by generating both a bucket and a restricted user. Once you have deployed the template, the bucket name and IAM username are both available in Cloudformation exports. You can then use the describe-stacks command below to get the username, and the create-access-key command to create an access key and secret that you can then plug into Veeam.

Your Veeam bucket is now templated and repeatable, all without a single click in the AWS Console.

Hope this is of some help...

Code:

# Deploy the stack, read the generated IAM user name from the stack outputs,
# then create an access key and secret for that user:
# aws --region eu-west-1 --profile DevAccount cloudformation deploy --stack-name VeeamBackup --template-file s3/veeam.yaml --capabilities CAPABILITY_IAM
# IAMUSERNAME=$(aws --region eu-west-1 --profile DevAccount cloudformation describe-stacks --stack-name VeeamBackup --query "Stacks[0].Outputs[?OutputKey=='VeeamUserName'].OutputValue" --output text)
# aws --region eu-west-1 --profile DevAccount iam create-access-key --user-name "$IAMUSERNAME"

Description: Bucket for storing Veeam backups in.
AWSTemplateFormatVersion: '2010-09-09'

Resources:
  VeeamUser:
    Type: "AWS::IAM::User"
    Properties:
      Policies:
      - PolicyName: UserPolicy
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
          - Effect: Allow
            Action: s3:ListAllMyBuckets
            Resource: "*"
          - Effect: Allow
            Action: s3:*
            Resource:
              - !Sub "arn:aws:s3:::${VeeamBucket}"
              - !Sub "arn:aws:s3:::${VeeamBucket}/*"

  VeeamBucket:
    Type: AWS::S3::Bucket
    Properties:
      PublicAccessBlockConfiguration:
        BlockPublicPolicy: true
        RestrictPublicBuckets: true
        IgnorePublicAcls: true
        BlockPublicAcls: true
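      # Canned ACL that grants READ to the AuthenticatedUsers group (any AWS account);
      # IgnorePublicAcls above makes S3 ignore that grant.
      AccessControl: AuthenticatedRead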
      LifecycleConfiguration:
        Rules:
        - Id: InfrequentAccessRule
          Status: Enabled
          Transitions:
            - TransitionInDays: '30'
              StorageClass: STANDARD_IA
      Tags:
        - Key: "Project"
          Value: "VeeamBackups"

  VeeamBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref VeeamBucket
      PolicyDocument:
        Id: VeeamBucketAccessPolicy
        Version: "2012-10-17"
        Statement:
          - Sid: "VeeamAccess"
            Action:
              - s3:*
            Effect: Allow
            Resource:
             - !Sub "arn:aws:s3:::${VeeamBucket}"
             - !Sub "arn:aws:s3:::${VeeamBucket}/*"
            Principal:
              AWS:
                - !GetAtt VeeamUser.Arn

Outputs:
  VeeamBucketArn:
    Description: "ARN of Veeam bucket"
    Value: !GetAtt VeeamBucket.Arn
    Export:
      Name: !Sub VeeamBucketArn
  VeeamUserName:
    Description: "Auto generated username for Veeam"
    Value: !Ref VeeamUser
    Export:
      Name: !Sub VeeamUser
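
A static check for the breadth the post mentions, as an added example that is not part of the original post: it walks the template's Resources and reports wildcard Allow actions and public canned ACLs. The function names are this example's own, and SAMPLE is a Python dict constructed here to mirror the posted YAML.

```python
# Added example: static review of the grants in the posted template.
# SAMPLE is constructed here; it mirrors the template's Resources section.
PUBLIC_ACLS = {"AuthenticatedRead", "PublicRead", "PublicReadWrite"}

def as_list(value):  # IAM accepts a string or a list for Action/Resource
    return value if isinstance(value, list) else [value]

def wildcard_grants(logical_id, statements):
    """Findings for Allow statements whose action is '*' or '<service>:*'."""
    return [f"{logical_id}: Allow {action} on {len(as_list(stmt.get('Resource', [])))} resource(s)"
            for stmt in as_list(statements) if stmt.get("Effect") == "Allow"
            for action in as_list(stmt.get("Action", []))
            if action == "*" or action.endswith(":*")]

def audit(resources):
    """Return findings for every resource in a template's Resources mapping."""
    findings = []
    for lid, res in resources.items():
        props = res.get("Properties", {})
        if res["Type"] == "AWS::IAM::User":
            for pol in props.get("Policies", []):
                findings += wildcard_grants(lid, pol["PolicyDocument"]["Statement"])
        elif res["Type"] == "AWS::S3::BucketPolicy":
            findings += wildcard_grants(lid, props["PolicyDocument"]["Statement"])
        elif res["Type"] == "AWS::S3::Bucket":
            acl = props.get("AccessControl")
            if acl in PUBLIC_ACLS:
                pab = props.get("PublicAccessBlockConfiguration", {})
                state = "ignored by" if pab.get("IgnorePublicAcls") is True else "NOT covered by"
                findings.append(f"{lid}: canned ACL {acl} ({state} IgnorePublicAcls)")
    return findings

# Constructed sample input (intrinsics written in their long Fn::Sub form)
ARNS = [{"Fn::Sub": "arn:aws:s3:::${VeeamBucket}"}, {"Fn::Sub": "arn:aws:s3:::${VeeamBucket}/*"}]
SAMPLE = {
    "VeeamUser": {"Type": "AWS::IAM::User", "Properties": {"Policies": [{
        "PolicyName": "UserPolicy", "PolicyDocument": {"Statement": [
            {"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*"},
            {"Effect": "Allow", "Action": "s3:*", "Resource": ARNS}]}}]}},
    "VeeamBucket": {"Type": "AWS::S3::Bucket", "Properties": {
        "AccessControl": "AuthenticatedRead",
        "PublicAccessBlockConfiguration": {"IgnorePublicAcls": True, "BlockPublicAcls": True}}},
    "VeeamBucketPolicy": {"Type": "AWS::S3::BucketPolicy", "Properties": {
        "PolicyDocument": {"Statement": [
            {"Sid": "VeeamAccess", "Effect": "Allow", "Action": ["s3:*"], "Resource": ARNS}]}}},
}

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```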

vmniels
Veeam Software
Posts: 2195
Liked: 482 times
Joined: Jul 15, 2013 11:09 am
Full Name: Niels Engelen

Re: Cloudformation template

Post by vmniels » Feb 07, 2019 8:19 pm

Thank you for sharing!
VCP-DCV
Veeam Certified Architect (VMCA)
http://foonet.be
