For DR testing purposes I am trying to create a read-only IAM policy for a Wasabi bucket.
In another support case #071759019, I asked support for the required permissions for that IAM policy.
The support engineer told me to use the following permissions:
s3:GetObject, s3:GetObjectAcl, s3:GetObjectVersion, s3:GetObjectVersionAcl, s3:ListBucket, s3:ListBucketVersions
With these permissions, I can add the bucket as a repository to VBR but the backups can't be imported.
Through some trial and error, I added some additional permissions as mentioned in KB3151 (https://www.veeam.com/kb3151).
At the moment my policy looks like this:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:GetObjectAcl",
                "s3:GetObjectVersion",
                "s3:GetObjectVersionAcl",
                "s3:GetBucketVersioning",
                "s3:GetBucketObjectLockConfiguration",
                "s3:GetObjectRetention",
                "s3:GetObjectLegalHold"
            ],
            "Resource": [
                "arn:aws:s3:::BUCKETNAME",
                "arn:aws:s3:::BUCKETNAME/*"
            ]
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:ListBucket"
            ],
            "Resource": "*"
        }
    ]
}
Thank you,
Christian
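
An added example, not part of the original post: a small audit of the policy above that reports actions outside the Get/List families, actions granted on resources wider than the one bucket, and actions from the support engineer's list that the policy does not grant. The function and key names are illustrative, and the script makes no claim about which permissions VBR actually requires.

```python
# Actions the support engineer listed in the post.
SUPPORT_LIST = {
    "s3:GetObject", "s3:GetObjectAcl", "s3:GetObjectVersion",
    "s3:GetObjectVersionAcl", "s3:ListBucket", "s3:ListBucketVersions",
}

# The policy from the post as a Python dict (BUCKETNAME is the post's placeholder).
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:GetObjectAcl", "s3:GetObjectVersion",
                    "s3:GetObjectVersionAcl", "s3:GetBucketVersioning",
                    "s3:GetBucketObjectLockConfiguration",
                    "s3:GetObjectRetention", "s3:GetObjectLegalHold"],
         "Resource": ["arn:aws:s3:::BUCKETNAME", "arn:aws:s3:::BUCKETNAME/*"]},
        {"Sid": "VisualEditor1", "Effect": "Allow",
         "Action": ["s3:ListAllMyBuckets", "s3:ListBucket"],
         "Resource": "*"},
    ],
}

def as_list(value):
    """IAM accepts a single string or object where a list is expected."""
    return list(value) if isinstance(value, (list, tuple)) else [value]

def audit(policy, bucket, expected=SUPPORT_LIST):
    """Report non-read actions, over-broad resources, missing expected actions.
    Wildcard actions are not expanded; they are matched as literal strings."""
    scoped = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    granted, not_read, broad = set(), set(), set()
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements grant nothing
        for action in as_list(stmt.get("Action", [])):
            granted.add(action)
            verb = action.split(":", 1)[-1]
            if not verb.startswith(("Get", "List")):
                not_read.add(action)  # also catches wildcards such as s3:*
            # s3:ListAllMyBuckets is account-wide in AWS IAM and needs "*"
            if action != "s3:ListAllMyBuckets":
                for res in as_list(stmt.get("Resource", [])):
                    if res not in scoped:
                        broad.add((action, res))
    return {"not_read_only": sorted(not_read), "broad_resource": sorted(broad),
            "missing_expected": sorted(expected - granted)}

if __name__ == "__main__":
    for key, value in audit(POLICY, "BUCKETNAME").items():
        print(key, value)
```

Run against the posted policy, it shows that `s3:ListBucket` is granted on `*` rather than on the bucket ARN, and that `s3:ListBucketVersions` from the support list is absent.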