Discussions related to using object storage as a backup target.
chrisflyckelen
Service Provider

#07226716 - Read-only access IAM policy for DR testing

Post by chrisflyckelen »

Hello guys,

for DR testing purposes I am trying to create a read-only IAM policy for a Wasabi bucket.
In another support case #071759019, I asked support for the required permissions for that IAM policy.

The support engineer told me to use the following permissions:
s3:GetObject, s3:GetObjectAcl, s3:GetObjectVersion, s3:GetObjectVersionAcl, s3:ListBucket, s3:ListBucketVersions

With these permissions, I can add the bucket as a repository to VBR but the backups can't be imported.

With some trial and error, I added some additional permissions as mentioned in KB3151 (https://www.veeam.com/kb3151).
At the moment my policy looks like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:GetObjectAcl",
        "s3:GetObjectVersion",
        "s3:GetObjectVersionAcl",
        "s3:GetBucketVersioning",
        "s3:GetBucketObjectLockConfiguration",
        "s3:GetObjectRetention",
        "s3:GetObjectLegalHold"
      ],
      "Resource": [
        "arn:aws:s3:::BUCKETNAME",
        "arn:aws:s3:::BUCKETNAME/*"
      ]
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:ListBucket"
      ],
      "Resource": "*"
    }
  ]
}

Maybe someone has had the same issue?

Thank you,
Christian
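
Added example, not part of the original post and not Veeam or Wasabi code: a small Python check that compares the posted policy with the action list support gave, and flags grants that are not read-only or not scoped to the bucket. The Get/List prefix test is a heuristic assumed here, and `audit` and `as_list` are names made up for the example.

```python
import json

# Actions quoted from the support engineer in the post above.
SUPPORT_ACTIONS = {
    "s3:GetObject", "s3:GetObjectAcl", "s3:GetObjectVersion",
    "s3:GetObjectVersionAcl", "s3:ListBucket", "s3:ListBucketVersions",
}

# The policy from the post, condensed. BUCKETNAME is the poster's placeholder.
POSTED_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow",
   "Action": ["s3:GetObject", "s3:GetObjectAcl", "s3:GetObjectVersion",
              "s3:GetObjectVersionAcl", "s3:GetBucketVersioning",
              "s3:GetBucketObjectLockConfiguration",
              "s3:GetObjectRetention", "s3:GetObjectLegalHold"],
   "Resource": ["arn:aws:s3:::BUCKETNAME", "arn:aws:s3:::BUCKETNAME/*"]},
  {"Sid": "VisualEditor1", "Effect": "Allow",
   "Action": ["s3:ListAllMyBuckets", "s3:ListBucket"],
   "Resource": "*"}]}
""")

def as_list(value):
    """IAM accepts a single string or a list for Action, Resource, Statement."""
    return list(value) if isinstance(value, list) else [value]

def audit(policy, baseline=SUPPORT_ACTIONS):
    """Return (findings, missing) for the Allow statements of a policy."""
    granted, findings = set(), []
    for idx, stmt in enumerate(as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        resources = as_list(stmt.get("Resource", []))
        for action in as_list(stmt.get("Action", [])):
            granted.add(action)
            name = action.split(":", 1)[-1].lower()
            # Heuristic (assumption): S3 read actions start with Get or List.
            if not name.startswith(("get", "list")):
                findings.append((idx, action, "not a read-only action"))
            # s3:ListAllMyBuckets only works with Resource "*", so skip it.
            elif "*" in resources and name != "listallmybuckets":
                findings.append((idx, action, "granted on every bucket"))
    return findings, sorted(baseline - granted)

if __name__ == "__main__":
    print(audit(POSTED_POLICY))
```

The result does not say which permissions VBR needs for an import; it only shows where the posted policy differs from the support list and where it reaches beyond the one bucket.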
Mildur
Product Manager

Re: #07226716 - Read-only access IAM policy for DR testing

Post by Mildur »

Hi Chris

Can you check your case number again? It seems too long. Should be 8 digits. I can't find it.
May I ask, on the original server, is encryption enabled on your capacity tier?

And just to have it mentioned:
- Capacity Tier Object Storage: You have to run an Import session
- Direct to Object Storage bucket: You have to run a rescan session

Best,
Fabian
Product Management Analyst @ Veeam Software