Discussions related to using object storage as a backup target.
Kei
Expert
Posts: 107
Liked: 6 times
Joined: Sep 21, 2022 6:53 am
Full Name: Keita Kuroki
Contact:

Permission for direct backup to S3

Post by Kei »

Hi

Now I am testing direct backup to Amazon S3 using Veeam agent ver6.
When I add S3 as a repository, I use the IAM user with permissions referring to the site below.
https://www.veeam.com/kb3151

I could add S3 as a repository, but when I ran the backup to the S3 repository, I had the error "Error: Insufficient AWS permissions. "

Do I need additional permission for backup?

Thank you.
Mildur
Product Manager
Posts: 8549
Liked: 2223 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland
Contact:

Re: Permission for direct backup to S3

Post by Mildur »

Hi Kei

Please also check the user guide. Have you set all permissions as described here?
https://helpcenter.veeam.com/docs/backu ... ct-storage

If yes, and it's still not working, please open a case with our customer support and let us know the case number.
Let them check your logs and configuration.

Thank you
Fabian
Product Management Analyst @ Veeam Software

Re: Permission for direct backup to S3

Post by Kei »

Hi Fabian

Thank you for your answer.
Which resources should be allowed these permissions?
I couldn't find it in the document.

Re: Permission for direct backup to S3

Post by Mildur »

Hi Kei

Can you share with which method your Veeam Agent writes backups to AWS S3?
- Standalone Agents?
- Managed Agents?
- Connection mode for managed agents? (Direct or Through gateway server)

Best,
Fabian
Product Management Analyst @ Veeam Software

Re: Permission for direct backup to S3

Post by Kei »

Hi Fabian

My method is
- Using VBR (Not standalone agents)
- Managed by agent
- Direct connection

Thank you

Re: Permission for direct backup to S3

Post by Mildur »

Hi Kei

For Managed by Agent, Veeam will create a user in AWS for each Veeam Agent that backs up to AWS.
So the account you used on your VBR server to connect to the AWS S3 bucket must be able to create new users on the fly for each new agent.

You must create a new IAM policy with the below permissions as stated in our user guide.
Assign the policy to the user account you use for connecting to the AWS S3 bucket. I'm currently testing those in my lab.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iam:GetPolicyVersion",
                "iam:DeleteAccessKey",
                "iam:GetPolicy",
                "iam:AttachUserPolicy",
                "iam:DeleteUserPolicy",
                "iam:DeletePolicy",
                "iam:DeleteUser",
                "iam:ListUserPolicies",
                "iam:CreateUser",
                "iam:TagUser",
                "iam:CreateAccessKey",
                "iam:CreatePolicy",
                "iam:ListPolicyVersions",
                "iam:GetUserPolicy",
                "iam:PutUserPolicy",
                "iam:ListAttachedUserPolicies",
                "iam:GetUser",
                "iam:CreatePolicyVersion",
                "iam:DetachUserPolicy",
                "iam:DeletePolicyVersion",
                "iam:ListAccessKeys",
                "iam:SetDefaultPolicyVersion"
            ],
            "Resource": "*"
        }
    ]
}

After my tests, I will check with our KB team. We should update the KB article with the S3 permissions to reflect direct to storage permissions for "Managed by Agent" scenario too.

Best,
Fabian
Product Management Analyst @ Veeam Software
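
Added example, not part of the original posts and not Veeam code: a small offline check that compares an IAM identity policy document against the 22 actions in the policy posted above, to see which ones a given IAM user's policy does not allow or explicitly denies. The names `audit`, `REQUIRED` and `SAMPLE` are hypothetical, the sample policy is constructed, and the check assumes only `Action`-based statements matter; it ignores `Resource` and `Condition` scoping as well as permission boundaries and organization-level policies.

```python
import fnmatch
import json

# The 22 IAM actions from the policy posted in this thread.
REQUIRED = ["iam:" + name for name in """
GetPolicyVersion DeleteAccessKey GetPolicy AttachUserPolicy DeleteUserPolicy
DeletePolicy DeleteUser ListUserPolicies CreateUser TagUser CreateAccessKey
CreatePolicy ListPolicyVersions GetUserPolicy PutUserPolicy
ListAttachedUserPolicies GetUser CreatePolicyVersion DetachUserPolicy
DeletePolicyVersion ListAccessKeys SetDefaultPolicyVersion
""".split()]

# Constructed sample: a read-only IAM policy with an explicit deny.
SAMPLE = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["iam:Get*", "iam:List*"], "Resource": "*"},
    {"Effect": "Deny", "Action": "iam:Create*", "Resource": "*"}
  ]
}"""


def _as_list(value):
    # IAM allows a single string or object where a list is expected.
    return value if isinstance(value, list) else [value]


def _matches(action, patterns):
    # Action names are case-insensitive; * and ? act as wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def audit(policy_json, required=REQUIRED):
    """Return (not_allowed, explicitly_denied) for the required actions."""
    allowed, denied = set(), set()
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        if "Action" not in stmt:  # NotAction statements are skipped (assumption)
            continue
        hits = {a for a in required if _matches(a, _as_list(stmt["Action"]))}
        if stmt.get("Effect") == "Allow":
            allowed |= hits
        elif stmt.get("Effect") == "Deny":
            denied |= hits
    return [a for a in required if a not in allowed], sorted(denied)


if __name__ == "__main__":
    not_allowed, denied = audit(SAMPLE)
    print("Not allowed:", ", ".join(not_allowed) or "none")
    print("Explicitly denied:", ", ".join(denied) or "none")
```

An explicit deny overrides any allow, so an action that appears in the second list is unusable even if another statement grants it.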

Re: Permission for direct backup to S3

Post by Kei » 1 person likes this post

Hi Fabian

Thank you so much, and I succeeded in backing up to S3 using the permissions you told me.

Best regards.
TXabear
Lurker
Posts: 1
Liked: never
Joined: Aug 25, 2023 3:11 pm
Full Name: Allen
Contact:

Re: Permission for direct backup to S3

Post by TXabear »

The organization I work with greatly limits my access to the AWS console and even more restricts IAM. Is there a minimum amount of permissions that might give me the direct S3 backup capability? I know they won't give me any IAM create, delete, or set type of permissions.

Re: Permission for direct backup to S3

Post by Mildur »

Hi

If you don't allow managing IAM policies, you must change how the agents (operating in Managed by Agent mode) write their backup to object storage. Direct connection requires one IAM policy, user and access keys per agent. Without them, every agent can access backup data from other machines.

Make sure to configure connection type "Through a gateway server" in the object storage properties in the Veeam console and you can remove the IAM permissions.

Minimal permissions for agents with connection type "Through a gateway server" are documented in our user guide and KB article:
User Guide: https://helpcenter.veeam.com/docs/backu ... positories
KB article: https://www.veeam.com/kb3151

Best,
Fabian
Product Management Analyst @ Veeam Software