Provided by IAM/STS

[keshavattrey]

Does the “Provided by IAM/STS” setting in an object repository’s access permissions apply to both “Managed by Agent” and “Managed by Backup Server” job types? (Will VBR create new IAM users for both job types?)

[Gostev]

From what I remember, this only applies to "Managed by Agent" AND when backing up directly to object storage (without a gateway server). Because whenever a backup server is managing the data transfer, it takes care of backup access control by itself and thus the IAM/STS smarts are no longer required for access control on the object storage side.

See the bottom part of this help page > https://helpcenter.veeam.com/docs/backu ... sions.html

[keshavattrey]

Thank you so much for your reply. On AWS, you can create up to 5000 IAM users in a single account. Would creating a SOBR containing multiple object repositories for different AWS accounts allow one to exceed 5000 IAM users?

[Gostev]

It would seem logical, if the limit is per account and you're using different accounts.

[sfirmes]

@keshavattrey you are correct that the AWS account has a 5,000 user limit. That and other IAM object quotas are used in our software.

@Gostev is correct that when you select a gateway server via the "Connection mode:" setting, the gateway will handle the authentication to the object storage. When keeping the default setting of "Direct" and using the "Provided by IAM/STS object storage capabilities" option for the repository's access control, the repository can't be part of a SOBR for Managed by Client agents. For this use case, the repository must be a stand-alone object storage repository and not part of a SOBR. In this case it needs to a manual best practice to only backup 5,000 or less Managed by Agent clients to the same repository.