Discussions related to using object storage as a backup target.
gtelnet
Service Provider
Posts: 54
Liked: 23 times
Joined: Mar 28, 2020 3:50 pm
Full Name: Greg Tellone - Cloud IBR

Read-only IAM policy doesn't see backups in repository with Automatic Bucket Creation enabled

Post by gtelnet »

We've been using read-only IAM policies for DR testing for a few years now with great success. We came across an issue this week while testing Automatic Bucket Creation in 12.3.1, which is now defaulted to enabled.

NOTE: I changed the "workloads per bucket" to 1 to force several buckets to be created on the production VBR.

Here are the three recovery scenarios I tested:

1. Adding the bucket to the VBR with list/get permissions for * resources and changing the setting to 1 workload per bucket to match production allows me to successfully add the bucket but it finds 0 backups during Rescan and Import Backups.

2. Disable the auto creation option, click browse and select the bucket and folder name; Veeam automatically enables auto creation due to detecting that the bucket already has this enabled, and it auto sets the workloads to 1. It successfully adds the bucket just as in scenario 1; however, when I run Rescan or Import Backups for the repository, it doesn’t find any backups, just like scenario 1.

3. Adding the bucket with a read write key works and detects the backups.

Any idea on why Veeam isn’t finding any backups when we successfully add it in the first two scenarios? Thank you!
david.domask
Veeam Software
Posts: 2597
Liked: 606 times
Joined: Jun 28, 2016 12:12 pm

Re: Read-only IAM policy doesn't see backups in repository with Automatic Bucket Creation enabled

Post by david.domask »

Hi gtelnet,

Can you clarify, for the permissions you tested on 1 and 2, which of these IAM policies was used? And similarly can you share the read/write policy you set that worked?
David Domask | Product Management: Principal Analyst
gtelnet
Service Provider
Posts: 54
Liked: 23 times
Joined: Mar 28, 2020 3:50 pm
Full Name: Greg Tellone - Cloud IBR

Re: Read-only IAM policy doesn't see backups in repository with Automatic Bucket Creation enabled

Post by gtelnet » 1 person likes this post

Just opened a ticket - Case #07663122

For the read-only key, we're using the first set of permissions on that page for immutable storage:

Code:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
          "s3:ListBucket",
          "s3:GetBucketLocation",
          "s3:GetObject",
          "s3:ListAllMyBuckets",
          "s3:GetBucketVersioning",
          "s3:GetBucketObjectLockConfiguration",
          "s3:ListBucketVersions",
          "s3:GetObjectVersion",
          "s3:GetObjectRetention",
          "s3:GetObjectLegalHold"
      ],
      "Resource": "*"
    }
  ]
}

When I edit the above policy and replace all above permissions with below, it won't find any backups on a rescan or import, but if I remove the repository from the VBR and add it back, it finds all the backups on the rescan.

Code:

      "Effect": "Allow",
      "Action": [
        "s3:*"
      ],

Thank you!
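
An added example, not part of the original posts and not Veeam's code: an offline check that a policy attached to a DR-test key grants none of a sample of mutating S3 actions, run against the read-only policy quoted above and its `s3:*` variant. The probed action list is a constructed sample, and the check reads `Effect`, `Action` and unconditional all-resource `Deny` statements only; it ignores `NotAction` and resource scoping on `Allow`.

```python
import copy
import json
import re

# Read-only policy as quoted in the thread.
READ_ONLY = json.loads("""
{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": [
  "s3:ListBucket", "s3:GetBucketLocation", "s3:GetObject", "s3:ListAllMyBuckets",
  "s3:GetBucketVersioning", "s3:GetBucketObjectLockConfiguration",
  "s3:ListBucketVersions", "s3:GetObjectVersion", "s3:GetObjectRetention",
  "s3:GetObjectLegalHold"], "Resource": "*"}]}
""")

# Same policy with the action list replaced by "s3:*", as in the thread's second test.
WILDCARD = copy.deepcopy(READ_ONLY)
WILDCARD["Statement"][0]["Action"] = ["s3:*"]

# Constructed sample of mutating S3 actions to probe for; not a complete list.
MUTATING = ["s3:CreateBucket", "s3:DeleteBucket", "s3:DeleteObject",
            "s3:DeleteObjectVersion", "s3:PutBucketVersioning", "s3:PutObject",
            "s3:PutObjectLegalHold", "s3:PutObjectRetention"]


def _matches(pattern, action):
    # IAM action patterns are case-insensitive; '*' is any run, '?' is one character.
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, action, re.IGNORECASE) is not None


def _as_list(value):
    # IAM allows a single statement or action where a list is otherwise expected.
    return [value] if isinstance(value, (str, dict)) else list(value)


def granted_writes(policy, candidates=MUTATING):
    """Return the candidate actions the policy allows and does not certainly deny."""
    allowed, denied = set(), set()
    for st in _as_list(policy["Statement"]):
        hits = {a for a in candidates
                if any(_matches(p, a) for p in _as_list(st.get("Action", [])))}
        if st.get("Effect") == "Allow":
            allowed |= hits
        elif st.get("Resource") == "*" and "Condition" not in st:
            denied |= hits  # only an unconditional, all-resource Deny surely blocks
    return sorted(allowed - denied)


if __name__ == "__main__":
    for name, pol in (("read-only", READ_ONLY), ("s3:*", WILDCARD)):
        print(name, "grants:", granted_writes(pol) or "no probed write actions")
```

An empty result for the key's policy is the condition to re-check after any troubleshooting change, since the `s3:*` variant returns every probed action.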
gtelnet
Service Provider
Posts: 54
Liked: 23 times
Joined: Mar 28, 2020 3:50 pm
Full Name: Greg Tellone - Cloud IBR

Re: Read-only IAM policy doesn't see backups in repository with Automatic Bucket Creation enabled

Post by gtelnet »

The support rep had us try using the IAM policy from the Immutable Buckets section on this page https://www.veeam.com/kb3151 but that didn't work either.

The standard read-only keys work fine with new buckets created in 12.3.1 that don’t have ‘Automatic Bucket Creation’ enabled so perhaps it's a new bug with v12.3.x which first became more visible in 12.3.1 due to the auto bucket creation being enabled by default for all new S3 compatible repositories.

Perhaps the read-only key functionality wasn't regression tested with a newly created bucket with this feature enabled?
david.domask
Veeam Software
Posts: 2597
Liked: 606 times
Joined: Jun 28, 2016 12:12 pm

Re: Read-only IAM policy doesn't see backups in repository with Automatic Bucket Creation enabled

Post by david.domask » 1 person likes this post

Hi gtelnet,

Thank you for the updates; it's not clear at the moment what is preventing the import of the backups, but Support will be able to see which calls are having issues from the logs which I see just got uploaded. Let's allow Support a bit of time to review what is preventing the import of the backups with the current IAM policy, as it will help us understand what specifically needs to be adjusted on the policy.
David Domask | Product Management: Principal Analyst