Discussions related to using object storage as a backup target.
Post Reply
flomp
Enthusiast
Posts: 48
Liked: 3 times
Joined: Oct 24, 2018 6:15 pm
Contact:

Wasabi Policy

Post by flomp »

When reading several documents on the web regarding the implementation of a Capacity Tier using (Wasabi) S3, I found a lot of good documentation. However, I was missing info on how to restrict access to the bucket. I hope this post helps others that have the same problem. Also, I am interested in your comments and opinions - especially if access can be restricted further.

Obviously, I did not want to use the access keys of the Wasabi main user in Veeam. I wanted to create a Sub-User which can only access the Veeam bucket. So this is what I did:

1. Create the bucket as described in the tutorials

2. Create the following policy:

Code: Select all

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::BUCKETNAME",
        "arn:aws:s3:::BUCKETNAME/*"
      ]
    }
  ]
}
3. Create a sub-user and assign this policy - and no other policies

The sub-user does not have `s3:ListAllMyBuckets` rights on `arn:aws:s3:::*`. Therefore, when adding the bucket in Veeam, the "Browse"-Button will not work. You have to enter the bucket name manually.
HannesK
Product Manager
Posts: 14840
Liked: 3086 times
Joined: Sep 01, 2014 11:46 am
Full Name: Hannes Kasparick
Location: Austria
Contact:

Re: Wasabi Policy

Post by HannesK »

Hello,
yes, that's how it is supposed to work :-)

Best regards,
Hannes
chrisWasabi
Technology Partner
Posts: 23
Liked: 36 times
Joined: Feb 23, 2021 3:42 pm
Contact:

Re: Wasabi Policy

Post by chrisWasabi » 2 people like this post

Hello! Veeam has a nice KB that gives you a copy and paste IAM Policy to do this, all you need to do is update your bucket.

https://www.veeam.com/kb3151
flomp
Enthusiast
Posts: 48
Liked: 3 times
Joined: Oct 24, 2018 6:15 pm
Contact:

Re: Wasabi Policy

Post by flomp »

Many thanks!
Looks like I missed that KB article...
chris.childerhose
Veeam Vanguard
Posts: 636
Liked: 154 times
Joined: Aug 13, 2014 6:03 pm
Full Name: Chris Childerhose
Location: Toronto, ON
Contact:

Re: Wasabi Policy

Post by chris.childerhose »

chrisWasabi wrote: May 31, 2022 12:47 pm Hello! Veeam has a nice KB that gives you a copy and paste IAM Policy to do this, all you need to do is update your bucket.

https://www.veeam.com/kb3151
Great to see this article and thanks for sharing. Will be doing this with my Wasabi account soon.
-----------------------
Chris Childerhose
Veeam Vanguard / Veeam Legend / Veeam Ceritified Architect / VMCE
vExpert / VCAP-DCA / VCP8 / MCITP
Personal blog: https://just-virtualization.tech
Twitter: @cchilderhose
flomp
Enthusiast
Posts: 48
Liked: 3 times
Joined: Oct 24, 2018 6:15 pm
Contact:

Re: Wasabi Policy

Post by flomp »

chrisWasabi wrote: May 31, 2022 12:47 pm Hello! Veeam has a nice KB that gives you a copy and paste IAM Policy to do this, all you need to do is update your bucket.

https://www.veeam.com/kb3151
I was just revisiting this topic because I had to do some changes and had a closer look.

Is there a reason, that the `s3:ListBucket` action is allowed for all buckets? I think it should be enough to include it in the `VisualEditor0` part.
Regnor
VeeaMVP
Posts: 1007
Liked: 314 times
Joined: Jan 31, 2011 11:17 am
Full Name: Max
Contact:

Re: Wasabi Policy

Post by Regnor »

I think the problem is, if you leave out the ListBucket and ListAllMyBuckets permission for all buckets, you won't be able to use the browse button during setup ob the S3 object bucket. But as I've learned, you can then just manually fill in the bucket name and it will work. So, you don't necessarily need those permissions.
flomp
Enthusiast
Posts: 48
Liked: 3 times
Joined: Oct 24, 2018 6:15 pm
Contact:

Re: Wasabi Policy

Post by flomp »

For me, it also works if there is only the `s3:ListAllMyBuckets` permission on all buckets.
And yes: you can also manually fill in the bucket name if the `s3:ListAllMyBuckets` is missing - I already did that.
Regnor
VeeaMVP
Posts: 1007
Liked: 314 times
Joined: Jan 31, 2011 11:17 am
Full Name: Max
Contact:

Re: Wasabi Policy

Post by Regnor »

Well then I have no clue why the s3:ListBucket is there. Perhaps someone else can explain that.
chrisWasabi
Technology Partner
Posts: 23
Liked: 36 times
Joined: Feb 23, 2021 3:42 pm
Contact:

Re: Wasabi Policy

Post by chrisWasabi »

It used to be that Veeam required ListAllMyBuckets, this was updated in a patch on v11. Depending on how up-to-date you keep the Veeam install, you may have this requirement or not. Looks like the KB has not been reflected with this patch.

https://www.veeam.com/kb4126
Object storage: ListBuckets API call is issued when registering an S3-compatible object storage repository even if a user does not browse for a bucket but rather specifies its name manually. This prevents bucket registration when the ListBuckets permission is missing from the account used to connect to the bucket.
m.gether
Service Provider
Posts: 2
Liked: 1 time
Joined: Nov 08, 2022 8:41 am
Full Name: Martin Gether
Contact:

Re: Wasabi Policy

Post by m.gether »

Hello, I am in the process of designing an MSP structure with Veeam and Wasabi.

At the moment I am at the policys for the Wasabi subusers.

The goal should be that only the own bucket name is visible at Veeam, and the bucket names of the other subusers (customers) are not visible. Furthermore, the subuser should only have the necessary S3 rights and support immutability features.

According to my research, this should be possible with the following IAM attached to the subuser:

Code: Select all

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject",
                "s3:GetBucketVersioning",
                "s3:GetBucketObjectLockConfiguration",
                "s3:ListBucketVersions",
                "s3:GetObjectVersion",
                "s3:GetObjectRetention",
                "s3:GetObjectLegalHold",
                "s3:PutObjectRetention",
                "s3:PutObjectLegalHold",
                "s3:DeleteObjectVersion"
            ],
            "Resource": [
                "arn:aws:s3:::yourbucketname/*",
                "arn:aws:s3:::yourbucketname"
            ]
        }
    ]
}
With the latest version of B&R this should be possible without "s3:ListAllMyBuckets", "s3:ListBucket".

Do you have any suggestions for the IAM to make it even more secure?

Thank you!

Best,

Martin
veremin
Product Manager
Posts: 20413
Liked: 2301 times
Joined: Oct 26, 2012 3:28 pm
Full Name: Vladimir Eremin
Contact:

Re: Wasabi Policy

Post by veremin »

You are right that the current version of VB&R does not require "s3:ListAllMyBuckets" permission, as long as the bucket name is specified explicitly in the repository wizard.

However, I believe "s3:ListBucket" is still needed to list the content of a particular bucket.

Thanks!
m.gether
Service Provider
Posts: 2
Liked: 1 time
Joined: Nov 08, 2022 8:41 am
Full Name: Martin Gether
Contact:

Re: Wasabi Policy

Post by m.gether » 1 person likes this post

Thank you for your answer!

In this case, this should be the right IAM:

Code: Select all

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject",
                "s3:GetBucketVersioning",
                "s3:GetBucketObjectLockConfiguration",
                "s3:ListBucketVersions",
                "s3:GetObjectVersion",
                "s3:GetObjectRetention",
                "s3:GetObjectLegalHold",
                "s3:PutObjectRetention",
                "s3:PutObjectLegalHold",
                "s3:DeleteObjectVersion"
            ],
            "Resource": [
                "arn:aws:s3:::yourbucketname/*",
                "arn:aws:s3:::yourbucketname"
            ]
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": "*"
        }
    ]
}
veremin
Product Manager
Posts: 20413
Liked: 2301 times
Joined: Oct 26, 2012 3:28 pm
Full Name: Vladimir Eremin
Contact:

Re: Wasabi Policy

Post by veremin »

Seems correct to me. Thanks!
veremin
Product Manager
Posts: 20413
Liked: 2301 times
Joined: Oct 26, 2012 3:28 pm
Full Name: Vladimir Eremin
Contact:

Re: Wasabi Policy

Post by veremin »

chrisWasabi wrote: Oct 17, 2022 6:08 amLooks like the KB has not been reflected with this patch.
Good catch, the KB article has been updated. Thanks for raising this!
Post Reply

Who is online

Users browsing this forum: No registered users and 40 guests