Discussions related to using object storage as a backup target.
dalbertson
Veeam Software
Posts: 492
Liked: 175 times
Joined: Jul 21, 2015 12:38 pm
Full Name: Dustin Albertson

Re: 9.5 Update 4 and Amazon S3

Post by dalbertson » 7 people like this post

Hi All,

I have played around with the minimal permissions a bit and tested in my lab and this seems to work. I was able to tier data, restore, and delete all.

Code:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "SecureBucketPolicy0",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:AbortMultipartUpload",
                "s3:ListBucket",
                "s3:DeleteObject",
                "s3:GetBucketLocation",
                "s3:ListMultipartUploadParts"
            ],
            "Resource": [
                "arn:aws:s3:::bucketname/*",
                "arn:aws:s3:::bucketname"
            ]
        },
        {
            "Sid": "SecureBucketPolicy1",
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:HeadBucket"
            ],
            "Resource": "*"
        }
    ]
}
Dustin Albertson | Director of Product Management - Cloud & Applications | Veeam Product Management, Alliances
david.tosoff
Veeam Software
Posts: 23
Liked: 11 times
Joined: Mar 22, 2018 5:20 pm
Full Name: David Tosoff

Re: 9.5 Update 4 and Amazon S3

Post by david.tosoff » 1 person likes this post

This is great! Thanks @dalbertson!

In case it helps anyone else:
I was building a similar limited-scope policy in my homelab over the weekend, but using Wasabi. I stole Dustin's snippet from above, but the "HeadBucket" action permission wasn't accepted in the Wasabi console, giving me an error when creating the policy.
Using "s3:ListBucket" instead worked for me.

EDIT: Upon further reading, this actually may open up more access than desired to all buckets. Striking that line altogether from this second part of the policy appears to work for me with Wasabi. Was able to add extent without issue, and Capacity Tier is currently syncing without issue (so far).
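
The scoping concern raised in the EDIT above can be checked mechanically before a policy is attached. This is an added example, not code from the posters, Veeam or Wasabi: it flags Allow statements that grant bucket- or object-scoped S3 actions on a wildcard resource. The function names and the `policy_with` sample builder are hypothetical, and the sample policies are constructed from the shape of the policy posted in this thread.

```python
from fnmatch import fnmatchcase

# S3 actions that act on one bucket or its objects; allowing them on
# Resource "*" extends them to every bucket the account can reach.
SCOPED_ACTIONS = {
    "s3:ListBucket", "s3:GetBucketLocation",            # bucket-level
    "s3:PutObject", "s3:GetObject", "s3:DeleteObject",  # object-level
    "s3:AbortMultipartUpload", "s3:ListMultipartUploadParts",
}
WILDCARD_RESOURCES = {"*", "arn:aws:s3:::*", "arn:aws:s3:::*/*"}


def as_list(value):
    """IAM accepts a bare string or object wherever a list is allowed."""
    return list(value) if isinstance(value, (list, tuple)) else [value]


def wildcard_findings(policy):
    """Return sorted (Sid, action) pairs that allow a scoped action on all buckets."""
    findings = set()
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue  # Deny and NotAction statements are out of scope here
        if not WILDCARD_RESOURCES & set(as_list(stmt.get("Resource", []))):
            continue
        for pattern in as_list(stmt["Action"]):
            for action in SCOPED_ACTIONS:
                # Action names are case-insensitive and may contain * or ?
                if fnmatchcase(action.lower(), pattern.lower()):
                    findings.add((stmt.get("Sid", "<no Sid>"), action))
    return sorted(findings)


def policy_with(global_actions):
    """Constructed sample: the thread's policy shape with a variable second statement."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "SecureBucketPolicy0", "Effect": "Allow",
         "Action": ["s3:PutObject", "s3:GetObject", "s3:ListBucket", "s3:DeleteObject"],
         "Resource": ["arn:aws:s3:::bucketname/*", "arn:aws:s3:::bucketname"]},
        {"Sid": "SecureBucketPolicy1", "Effect": "Allow",
         "Action": global_actions, "Resource": "*"},
    ]}


if __name__ == "__main__":
    for actions in (["s3:ListAllMyBuckets", "s3:HeadBucket"],   # as first posted
                    ["s3:ListAllMyBuckets", "s3:ListBucket"],   # the swap tried for Wasabi
                    ["s3:ListAllMyBuckets"]):                   # line struck, per the EDIT
        print(actions, "->", wildcard_findings(policy_with(actions)))
```
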
hcs_tech
Lurker
Posts: 2
Liked: never
Joined: Sep 26, 2019 3:19 am
Full Name: Kyle Blackmore

[MERGED] Amazon S3 Bucket Permissions

Post by hcs_tech »

What permissions should be checked here, see image below, on this screen to block public access but still allow IAM user access for the Veeam Object Storage backup?

Image: https://prnt.sc/pc8r8k
chris.arceneaux
VeeaMVP
Posts: 722
Liked: 384 times
Joined: Jun 24, 2019 1:39 pm
Full Name: Chris Arceneaux
Location: Georgia, USA

Re: Amazon S3 Bucket Permissions

Post by chris.arceneaux » 1 person likes this post

You can safely Block all public access in the screenshot you've shown. Public access is defined as someone being able to access your S3 Bucket without authentication.

As the IAM user should have the necessary access applied to it, it's not deemed public access.
veremin
Product Manager
Posts: 20736
Liked: 2403 times
Joined: Oct 26, 2012 3:28 pm
Full Name: Vladimir Eremin

Re: [MERGED] Amazon S3 Bucket Permissions

Post by veremin » 1 person likes this post

hcs_tech wrote: Sep 28, 2019 7:31 pm What permissions should be checked here, see image below, on this screen to block public access but still allow IAM user access for the Veeam Object Storage backup?
Your post has been merged into the existing discussion. Kindly check the answers provided above. Thanks!
AuGL
Enthusiast
Posts: 51
Liked: 3 times
Joined: May 07, 2019 12:22 am
Full Name: Glenn

Re: Been testing out Update 4 and S3, some questions

Post by AuGL »

anthonyspiteri79 wrote: Feb 21, 2019 2:53 pm Just as a heads up, there are a few of us internally working on a Cloud Tier Deep Dive White Paper which will contain explanations around scenarios like this. We hope to have it out in 4-6 weeks.
Any update on when this white paper will be available?
veremin
Product Manager
Posts: 20736
Liked: 2403 times
Joined: Oct 26, 2012 3:28 pm
Full Name: Vladimir Eremin

Re: 9.5 Update 4 and Amazon S3

Post by veremin »

If you're interested in the list of minimal permissions needed for Capacity Tier, then we're planning to publish it next week. The QA team has just confirmed the list. Thanks!
AuGL
Enthusiast
Posts: 51
Liked: 3 times
Joined: May 07, 2019 12:22 am
Full Name: Glenn

Re: 9.5 Update 4 and Amazon S3

Post by AuGL »

Yes, the minimum permissions would be good as we are looking to set this up shortly, so just looking for "best practice" settings all round.
veremin
Product Manager
Posts: 20736
Liked: 2403 times
Joined: Oct 26, 2012 3:28 pm
Full Name: Vladimir Eremin

Re: 9.5 Update 4 and Amazon S3

Post by veremin » 2 people like this post

The documentation has been updated. Find the minimal permissions set here. Thanks!
AuGL
Enthusiast
Posts: 51
Liked: 3 times
Joined: May 07, 2019 12:22 am
Full Name: Glenn

Re: 9.5 Update 4 and Amazon S3

Post by AuGL »

Thanks, you guys rock!