Discussions related to using object storage as a backup target.
tpx
Novice
Posts: 7
Liked: 2 times
Joined: Mar 08, 2020 9:26 am

Re: IAM JSON for AWS S3 Immutable (Object-Lock)

Post by tpx »

Gostev wrote: Mar 08, 2020 10:19 pm If you tried an IAM policy with full administrative access, then your issue is completely unrelated to this discussion, so let's not derail or hi-jack this topic. Please open a support case, and create the dedicated topic (if you feel your issue needs to be discussed with the entire community). Thanks!
Sorry, I'll create a new thread.
dalbertson
Veeam Software
Posts: 492
Liked: 175 times
Joined: Jul 21, 2015 12:38 pm
Full Name: Dustin Albertson

Re: IAM JSON for AWS S3 Immutable (Object-Lock)

Post by dalbertson » 3 people like this post

@Skyview @tpx @chris.arceneaux

I am back and have some results. I have tested this in my lab and verified with PM as well. This is the actual least required permissions for immutability. Just copy this into a new policy and change the bucketname to your bucket name


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation",
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject",
                "s3:GetBucketVersioning",
                "s3:GetBucketObjectLockConfiguration",
                "s3:ListBucketVersions",
                "s3:GetObjectVersion",
                "s3:GetObjectRetention",
                "s3:GetObjectLegalHold",
                "s3:PutObjectRetention",
                "s3:PutObjectLegalHold",
                "s3:DeleteObjectVersion"
            ],
            "Resource": [
                "arn:aws:s3:::bucketname",
                "arn:aws:s3:::bucketname/*"
            ]
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:HeadBucket"
            ],
            "Resource": "*"
        }
    ]
}

And since people will see this... these are the least needed permissions if you do NOT use immutability (standard S3).


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "SecureBucketPolicy0",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject",
                "s3:GetBucketLocation",
                "s3:GetBucketVersioning",
                "s3:GetBucketObjectLockConfiguration"
            ],
            "Resource": [
                "arn:aws:s3:::<yourbucketname>/*",
                "arn:aws:s3:::<yourbucketname>"
            ]
        },
        {
            "Sid": "SecureBucketPolicy1",
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:HeadBucket"
            ],
            "Resource": "*"
        }
    ]
}
Dustin Albertson | Director of Product Management - Cloud & Applications | Veeam Product Management, Alliances
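A quick way to check a candidate IAM policy against the two action lists above, as an added example (my own script, not Veeam's or the poster's code): it reports required actions that are missing for the chosen mode, actions granted beyond that list, and statements that hand out bucket-scoped actions on Resource "*" or through wildcard actions. The bucket names, the sample object key and the admin-style policy used for comparison are constructed placeholders, and IAM Condition blocks are not evaluated.

```python
"""Least-privilege check of an S3 IAM policy against the action lists posted above.

Added example, not Veeam code. Bucket names and the sample object key are constructed.
"""
import fnmatch
import json

# Action names copied from the two policies in this thread. Which actions are
# bucket-level vs. object-level follows the IAM action reference for S3.
BUCKET_ACTIONS = {
    "s3:ListBucket", "s3:GetBucketLocation", "s3:GetBucketVersioning",
    "s3:GetBucketObjectLockConfiguration", "s3:ListBucketVersions",
}
OBJECT_ACTIONS = {
    "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:GetObjectVersion",
    "s3:GetObjectRetention", "s3:GetObjectLegalHold", "s3:PutObjectRetention",
    "s3:PutObjectLegalHold", "s3:DeleteObjectVersion",
}
ACCOUNT_ACTIONS = {"s3:ListAllMyBuckets", "s3:HeadBucket"}  # these legitimately need Resource "*"

IMMUTABLE_REQUIRED = BUCKET_ACTIONS | OBJECT_ACTIONS | ACCOUNT_ACTIONS
STANDARD_REQUIRED = {
    "s3:ListBucket", "s3:PutObject", "s3:GetObject", "s3:DeleteObject",
    "s3:GetBucketLocation", "s3:GetBucketVersioning", "s3:GetBucketObjectLockConfiguration",
} | ACCOUNT_ACTIONS

# The immutability policy from the post, for bucket "bucketname".
IMMUTABLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "VisualEditor0", "Effect": "Allow", "Action": sorted(BUCKET_ACTIONS | OBJECT_ACTIONS),
     "Resource": ["arn:aws:s3:::bucketname", "arn:aws:s3:::bucketname/*"]},
    {"Sid": "VisualEditor1", "Effect": "Allow", "Action": sorted(ACCOUNT_ACTIONS), "Resource": "*"},
]}
# The standard-S3 policy from the post, <yourbucketname> filled with a constructed name.
STANDARD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "SecureBucketPolicy0", "Effect": "Allow", "Action": sorted(STANDARD_REQUIRED - ACCOUNT_ACTIONS),
     "Resource": ["arn:aws:s3:::my-veeam-bucket/*", "arn:aws:s3:::my-veeam-bucket"]},
    {"Sid": "SecureBucketPolicy1", "Effect": "Allow", "Action": sorted(ACCOUNT_ACTIONS), "Resource": "*"},
]}
# Constructed over-permissive policy, for comparison only.
ADMIN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AdminLike", "Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _needed_resource(action, bucket):
    """ARN on which the given action must be allowed for this bucket."""
    if action in ACCOUNT_ACTIONS:
        return "*"
    if action in BUCKET_ACTIONS:
        return f"arn:aws:s3:::{bucket}"
    return f"arn:aws:s3:::{bucket}/Veeam/sample.blk"  # constructed sample object key


def _grants(policy, action, resource):
    """True if some Allow statement matches both action and resource (Conditions ignored)."""
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        action_ok = any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt.get("Action", [])))
        resource_ok = any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt.get("Resource", [])))
        if action_ok and resource_ok:
            return True
    return False


def check_policy(policy, bucket, immutable=True):
    """Compare a policy (dict or JSON text) with the required set; return findings."""
    policy = json.loads(policy) if isinstance(policy, str) else policy
    required = IMMUTABLE_REQUIRED if immutable else STANDARD_REQUIRED
    missing = sorted(a for a in required if not _grants(policy, a, _needed_resource(a, bucket)))
    extra, overbroad = set(), []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        sid = stmt.get("Sid", "?")
        for a in actions:
            if "*" in a:
                overbroad.append(f"{sid}: wildcard action {a}")
            elif a not in required:
                extra.add(a)
        if "*" in _as_list(stmt.get("Resource", [])) and not set(actions) <= ACCOUNT_ACTIONS:
            overbroad.append(f"{sid}: Resource '*' used for bucket-scoped actions")
    return {"missing": missing, "extra": sorted(extra), "overbroad": overbroad}


if __name__ == "__main__":
    for name, policy, bucket in [("immutable", IMMUTABLE_POLICY, "bucketname"),
                                 ("standard", STANDARD_POLICY, "my-veeam-bucket"),
                                 ("admin", ADMIN_POLICY, "bucketname")]:
        print(name, json.dumps(check_policy(policy, bucket, immutable=True), indent=1))
```

Run it against the policy you actually attached to the Veeam user (paste the JSON into `check_policy`) and against the bucket name you use: a wrong bucket name shows up as every bucket-scoped action missing, which is the same symptom as a mistyped ARN in the console editor.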
ConradGoodman
Enthusiast
Posts: 98
Liked: 5 times
Joined: Apr 21, 2020 11:45 am
Full Name: Conrad Goodman

Re: IAM JSON for AWS S3 Immutable (Object-Lock)

Post by ConradGoodman »

Glad I found this post, will use the above Policy.

But please, please update this documentation: https://helpcenter.veeam.com/docs/backu ... 100#rpasos

For those of us unfamiliar with Amazon Web Services it would have been nice to have the policy available in the official v10 documentation rather than just the list of permissions in JSON.
chris.arceneaux
VeeaMVP
Posts: 667
Liked: 358 times
Joined: Jun 24, 2019 1:39 pm
Full Name: Chris Arceneaux
Location: Georgia, USA

Re: IAM JSON for AWS S3 Immutable (Object-Lock)

Post by chris.arceneaux »

Hi Conrad,

Thanks for your feedback! As Veeam supports multiple Object Storage providers, we tried to present the permissions in a provider neutral format. We do have a KB article available with AWS-specific information:

https://www.veeam.com/kb3151

Another method to simplify this process even further would be my AWS CloudFormation Templates I've put on VeeamHub. These create the IAM User/Role & S3 Bucket for you:

https://github.com/VeeamHub/veeam-aws-c ... eplication
dalbertson
Veeam Software
Posts: 492
Liked: 175 times
Joined: Jul 21, 2015 12:38 pm
Full Name: Dustin Albertson

Re: IAM JSON for AWS S3 Immutable (Object-Lock)

Post by dalbertson »

@ConradGoodman @chris.arceneaux

The KB above listed by chris is not for this use. It is for Veeam Backup for AWS only as stated in the kb.

This cloud tier use case has a specific KB article that I created for it. https://www.veeam.com/kb3151

I will look into updating the helpguides also or link to the kb.
Dustin Albertson | Director of Product Management - Cloud & Applications | Veeam Product Management, Alliances
stewsie
Expert
Posts: 247
Liked: 20 times
Joined: May 22, 2015 7:16 am
Full Name: Paul

Re: IAM JSON for AWS S3 Immutable (Object-Lock)

Post by stewsie »

Hi. I also have the issue "Amazon REST error: 'S3 error: Access Denied" when trying to run through the SOBR wizard. This was working with no issues until yesterday morning. The only thing I did was to put the Performance Tier into maintenance to check the restore from the Capacity Tier in the event the Performance Tier wasn't available. The restore worked and I took the tier out of maintenance. I then ran a backup to carry out more testing, and this is when the Offload jobs started to fail with the following error:

Amazon REST error: 'S3 error: Access Denied
Code: AccessDenied', error code: 403
Other: HostId:

Nothing has changed with the S3 configuration and the policy in use for the account is using the policy supplied by Veeam. I created new access keys in AWS and tried those with the same failure. I unchecked encryption in the SOBR wizard at the capacity tier section and was able to complete the wizard. The offload job still failed. I then enabled encryption but now the wizard fails to complete with

Failed to save scale-out backup repository:
Unable to create database records for repository
Amazon REST error: 'S3 error: Access Denied
Code: AccessDenied', error code: 403
Amazon REST error: 'S3 error: Access Denied

I can still see the files when starting the restore process, so connectivity with the bucket is still in place.

I have opened a support call with Veeam (04539171) and am only interested to see if anyone else has experienced anything like this. I am not trying to shortcut the support process and am happy with the initial response.

Thanks
stewsie
Expert
Posts: 247
Liked: 20 times
Joined: May 22, 2015 7:16 am
Full Name: Paul

Re: IAM JSON for AWS S3 Immutable (Object-Lock)

Post by stewsie »

Update from me.

I checked the S3 bucket configuration, which was created by an AWS partner as my experience with AWS is quite limited, and looked at the bucket policy that was applied. The policy was created for the retention policy. I took a copy and then deleted the bucket policy. The SOBR wizard then completed, and when I ran a backup job the offload job completed. I have updated the support call with this information and also asked if a bucket policy is needed and, if so, what should be in it.
chris.arceneaux
VeeaMVP
Posts: 667
Liked: 358 times
Joined: Jun 24, 2019 1:39 pm
Full Name: Chris Arceneaux
Location: Georgia, USA

Re: IAM JSON for AWS S3 Immutable (Object-Lock)

Post by chris.arceneaux » 1 person likes this post

Hi Paul,

As mentioned in the KB Article previously highlighted in this thread, only an IAM policy is required. IAM policies are applied to a user whereas bucket policies are applied directly to an S3 bucket. The IAM policy created should be assigned to the IAM user that Veeam uses when connecting to AWS.

https://www.veeam.com/kb3151
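To make the distinction concrete, here is an added example (not from the thread, the KB or Veeam) that models the same-account evaluation rule behind Paul's symptom: an explicit Deny in a bucket policy overrides an Allow in the user's IAM policy, while reads that the Deny does not cover keep working, which is why the restore browser still listed files while offload failed with AccessDenied. The account id, user names, bucket name and the "retention" bucket policy are constructed, only `aws:PrincipalArn` string conditions are modelled, and the IAM policy passed in must be the one attached to the principal being evaluated.

```python
"""Why a bucket policy can break a correctly configured IAM user (added example, constructed data)."""
import fnmatch

VEEAM_USER = "arn:aws:iam::111122223333:user/veeam-backup"   # constructed
ADMIN_USER = "arn:aws:iam::111122223333:user/storage-admin"  # constructed
BUCKET = "my-veeam-bucket"                                   # constructed
OBJECT = f"arn:aws:s3:::{BUCKET}/Veeam/Archive/sample.blk"    # constructed sample key

# Identity policy attached to the Veeam user, shaped like the one posted in this thread.
IAM_POLICY = {"Statement": [
    {"Effect": "Allow",
     "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject", "s3:DeleteObject",
                "s3:PutObjectRetention", "s3:GetObjectRetention"],
     "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"]},
    {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets", "s3:HeadBucket"], "Resource": "*"},
]}

# Constructed bucket policy of the kind added "for retention": everyone except the
# storage admin is denied writes. The Veeam user is caught by it.
BUCKET_POLICY = {"Statement": [
    {"Sid": "DenyWritesExceptAdmin", "Effect": "Deny", "Principal": "*",
     "Action": ["s3:PutObject", "s3:DeleteObject", "s3:PutObjectRetention"],
     "Resource": f"arn:aws:s3:::{BUCKET}/*",
     "Condition": {"StringNotEquals": {"aws:PrincipalArn": ADMIN_USER}}},
]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match(value, patterns):
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _principal_matches(stmt, principal):
    # Identity policies carry no Principal: they apply to whoever they are attached to.
    p = stmt.get("Principal", "*")
    if p == "*":
        return True
    return _match(principal, p.get("AWS", []))


def _condition_holds(stmt, principal):
    """Only StringEquals/StringNotEquals on aws:PrincipalArn are modelled here."""
    for operator, clauses in stmt.get("Condition", {}).items():
        for key, expected in clauses.items():
            if key != "aws:PrincipalArn" or operator not in ("StringEquals", "StringNotEquals"):
                raise NotImplementedError(f"condition {operator}/{key} not modelled")
            equal = principal in _as_list(expected)
            if (operator == "StringEquals") != equal:
                return False
    return True


def _applicable(policy, principal, action, resource):
    for stmt in _as_list(policy["Statement"]):
        if (_principal_matches(stmt, principal) and _match(action, stmt.get("Action", []))
                and _match(resource, stmt.get("Resource", [])) and _condition_holds(stmt, principal)):
            yield stmt


def evaluate(principal, action, resource, iam_policy, bucket_policy=None):
    """Same-account rule: explicit Deny wins; else an Allow from either policy; else implicit Deny."""
    statements = list(_applicable(iam_policy, principal, action, resource))
    if bucket_policy:
        statements += _applicable(bucket_policy, principal, action, resource)
    effects = {s["Effect"] for s in statements}
    if "Deny" in effects:
        return "Deny (explicit)"
    if "Allow" in effects:
        return "Allow"
    return "Deny (implicit)"


if __name__ == "__main__":
    for action in ("s3:GetObject", "s3:PutObject", "s3:PutObjectRetention"):
        print(action, "with bucket policy:", evaluate(VEEAM_USER, action, OBJECT, IAM_POLICY, BUCKET_POLICY),
              "| without:", evaluate(VEEAM_USER, action, OBJECT, IAM_POLICY))
```

The practical check when you see a 403 on writes but reads still work: look at the bucket policy (Permissions tab of the bucket) for any Deny statement whose Action covers PutObject or the retention calls, before touching the IAM user or its keys.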
stewsie
Expert
Posts: 247
Liked: 20 times
Joined: May 22, 2015 7:16 am
Full Name: Paul

Re: IAM JSON for AWS S3 Immutable (Object-Lock)

Post by stewsie »

Got that, thanks. The bucket policy was added by the AWS consultant and has since been removed by me.
frankive
Service Provider
Posts: 1092
Liked: 134 times
Joined: May 14, 2013 8:35 pm
Full Name: Frank Iversen
Location: Norway

Re: IAM JSON for AWS S3 Immutable (Object-Lock)

Post by frankive »

@chris.arceneaux If we have multiple customers (with 1 bucket each) in our subscription, we need to run your script for each customer, right? So we get 1 IAM user with the access key with the correct permission only to their bucket?
dalbertson
Veeam Software
Posts: 492
Liked: 175 times
Joined: Jul 21, 2015 12:38 pm
Full Name: Dustin Albertson

Re: IAM JSON for AWS S3 Immutable (Object-Lock)

Post by dalbertson » 1 person likes this post

Yes @frankive just make sure to use a unique name for each IAM user
Dustin Albertson | Director of Product Management - Cloud & Applications | Veeam Product Management, Alliances
frankive
Service Provider
Posts: 1092
Liked: 134 times
Joined: May 14, 2013 8:35 pm
Full Name: Frank Iversen
Location: Norway

Re: IAM JSON for AWS S3 Immutable (Object-Lock)

Post by frankive »

@chris.arceneaux We are using your launch stack to create user with IAM and bucket. Works like a breeze! :)
However, when we try to add an Amazon Glacier repository (want to use Glacier Deep Archive for backups older than 180 days) using that user and bucket we get an error saying "Insufficient AWS EC2 permissions".

Which approach would you suggest when we have multiple customers in one AWS account and we are only separating them with the IAM user and the bucket your cool script created?
Should we create a new IAM user for this or edit the existing IAM user?

Are there any concerns with multiple different customers in this matter when we start to talk EC2 resources?
dalbertson
Veeam Software
Posts: 492
Liked: 175 times
Joined: Jul 21, 2015 12:38 pm
Full Name: Dustin Albertson

Re: IAM JSON for AWS S3 Immutable (Object-Lock)

Post by dalbertson » 2 people like this post

@frankive It has not been updated yet. We are going to add those permissions and will notify you in this forum.
Dustin Albertson | Director of Product Management - Cloud & Applications | Veeam Product Management, Alliances
AlexHeylin
Veeam Legend
Posts: 561
Liked: 173 times
Joined: Nov 15, 2019 4:09 pm
Full Name: Alex Heylin

Re: IAM JSON for AWS S3 Immutable (Object-Lock)

Post by AlexHeylin »

It's just taken me an hour to find this post after hunting high and low for a KB on this from Veeam. Did one get published, and if so why can't any search on Veeam's sites find it?
Thanks
veremin
Product Manager
Posts: 20271
Liked: 2252 times
Joined: Oct 26, 2012 3:28 pm
Full Name: Vladimir Eremin

Re: IAM JSON for AWS S3 Immutable (Object-Lock)

Post by veremin »

Did one get published?
The KB article was published quite some time ago and is referenced a few posts above. It has recently been updated and currently does contain information regarding applying IAM policies to buckets with Object Lock enabled.
why can't any search on Veeam's sites find it?
Not sure what might be the problem here.

I've just checked, and this thread comes first if you use this community's search functionality with key phrases such as "IAM object lock" or "IAM immutability". If you use the same phrases with Google search and just add "Veeam" to them, both this thread and the KB article will be available on the first page.

Thanks!
Gostev
Chief Product Officer
Posts: 31460
Liked: 6648 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland

Re: IAM JSON for AWS S3 Immutable (Object-Lock)

Post by Gostev »

dalbertson wrote: Feb 26, 2021 1:53 pm @frankive It has not been updated yet. We are going to add those permissions and will notify you in this forum.
@dalbertson could you confirm what is the status?
dalbertson
Veeam Software
Posts: 492
Liked: 175 times
Joined: Jul 21, 2015 12:38 pm
Full Name: Dustin Albertson

Re: IAM JSON for AWS S3 Immutable (Object-Lock)

Post by dalbertson » 1 person likes this post

The permissions listed in the Help Center & KB3151 should be up to date.

https://www.veeam.com/kb3151

https://helpcenter.veeam.com/docs/backu ... positories
Dustin Albertson | Director of Product Management - Cloud & Applications | Veeam Product Management, Alliances
mark49808
Enthusiast
Posts: 83
Liked: 13 times
Joined: Feb 02, 2017 6:31 pm

[MERGED] S3 Role Assumption

Post by mark49808 »

Is it possible to do role assumption with the S3 credentials? Use case - we prefer to centralize our IAM users in a single account and only allow said users to assume roles in other accounts… is it possible for Veeam to do this, possibly with some otherwise hidden registry key?

https://docs.aws.amazon.com/cli/latest/ ... -role.html
veremin
Product Manager
Posts: 20271
Liked: 2252 times
Joined: Oct 26, 2012 3:28 pm
Full Name: Vladimir Eremin

Re: IAM JSON for AWS S3 Immutable (Object-Lock)

Post by veremin »

What you can do to keep the number of required permissions to a bare minimum is to create an IAM policy and assign it to a user. More information regarding this can be found in the referenced KB article. Thanks!