Discussions related to using object storage as a backup target.
matteu
Veeam Legend
Posts: 956
Liked: 153 times
Joined: May 11, 2018 8:42 am
Contact:

Wasabi policy permission

Post by matteu »

Hello,

I have to configure S3 Wasabi for the first time and I would like to be sure about the configuration.

I will use it as backup copy repository with immutability.

1) I create the bucket on Wasabi with versioning + object lock enabled

2) I create a policy on Wasabi based on https://helpcenter.veeam.com/docs/backu ... positories
I need the policy "Immutability Enabled and Helper Appliance Configured Beforehand", right?
How could I limit the policy only to the bucket "backupbucket"? Because if I understand correctly, the policy in the Veeam documentation has permission on all buckets.

3) I create a new user and assign the policy

4) I create the repository in Veeam and set the desired immutability.

I think I need some help on part 2 to be sure the user can only write to the "backupbucket".

Thanks for your help
david.domask
Product Manager
Posts: 3579
Liked: 863 times
Joined: Jun 28, 2016 12:12 pm
Contact:

Re: Wasabi policy permission

Post by david.domask »

Hi matteu,

This would be controlled by IAM policy, and Wasabi has a guide here: https://docs.wasabi.com/docs/how-do-i-r ... d-policies
David Domask | Product Management: Principal Analyst

Re: Wasabi policy permission

Post by matteu »

Hello and thanks for your answer.
I finally found what is needed. The important section is the "Resource":

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation",
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:GetBucketVersioning",
        "s3:GetBucketObjectLockConfiguration",
        "s3:ListBucketVersions",
        "s3:GetObjectVersion",
        "s3:GetObjectRetention",
        "s3:GetObjectLegalHold",
        "s3:PutObjectRetention",
        "s3:PutObjectLegalHold",
        "s3:DeleteObjectVersion"
      ],
      "Resource": ["arn:aws:s3:::BUCKET/*","arn:aws:s3:::BUCKET"]
    }
  ]
}
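
A check for the bucket scoping shown in the policy above, as an added example that is not part of the original posts or of Veeam's or Wasabi's documentation. `audit_policy` and `sample_policy` are hypothetical names, the sample policies are constructed, and "backupbucket" is the bucket name from the first post.

```python
import json

def as_list(value):
    """IAM accepts one string or a list for Statement, Action and Resource."""
    return list(value) if isinstance(value, list) else [value]

def audit_policy(policy_text, bucket):
    """Return findings for Allow statements that are not limited to `bucket`."""
    bucket_arn = f"arn:aws:s3:::{bucket}"    # bucket-level actions, e.g. s3:ListBucket
    object_arn = f"arn:aws:s3:::{bucket}/*"  # object-level actions, e.g. s3:PutObject
    findings, granted = [], set()
    for i, stmt in enumerate(as_list(json.loads(policy_text)["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotResource" in stmt:
            findings.append(f"statement {i}: NotResource allows everything not listed")
        for res in as_list(stmt.get("Resource", [])):
            if res in (bucket_arn, object_arn):
                granted.add(res)
            else:  # exact match only: "arn:aws:s3:::backupbucket*" also covers other buckets
                findings.append(f"statement {i}: {res} reaches outside bucket {bucket}")
        for action in as_list(stmt.get("Action", [])):
            if "*" in action:
                findings.append(f"statement {i}: wildcard action {action}")
    for arn in (bucket_arn, object_arn):
        if arn not in granted:
            findings.append(f"policy never grants {arn}")
    return findings

def sample_policy(resources):
    """Constructed sample input: a shortened action list from the policy above."""
    return json.dumps({"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject",
                   "s3:PutObjectRetention", "s3:DeleteObjectVersion"],
        "Resource": resources}]})

if __name__ == "__main__":
    for res in (["arn:aws:s3:::backupbucket/*", "arn:aws:s3:::backupbucket"],
                ["arn:aws:s3:::*"],
                ["arn:aws:s3:::backupbucket*", "arn:aws:s3:::backupbucket/*"]):
        print(res, "->", audit_policy(sample_policy(res), "backupbucket") or "scoped")
```

Both ARN forms are required because listing and configuration reads act on the bucket itself while reads, writes and retention changes act on the objects under it.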

Re: Wasabi policy permission

Post by david.domask »

Happy to help, matteu, and glad you got it, ty for sharing the policy! I am sure it will help others :)
David Domask | Product Management: Principal Analyst
ado@b-w.it
Lurker
Posts: 1
Liked: never
Joined: Jul 02, 2019 9:19 am
Full Name: ado@b-w.it
Contact:

[Merged] Configuring WASABI User permission policy

Post by ado@b-w.it »

Dear Veeam Community,
Not sure if this is somewhat off-topic, but maybe someone knows the solution to this or can point me in the right direction.

I am new to creating Cloud Repositories and I am trying to configure a direct-to-repository Veeam Job. We recently acquired a WASABI cloud storage and access it through the WASABI Portal.
We have configured a bucket with immutable folders and now want to use that as a target for our Backup Job. Now, I want to make sure that the Bucket-User account has minimal permissions necessary, wouldn't want to risk compromising immutability by accidentally granting root-rights. To do that, I want to apply policies through user settings. But I don't know which pre-configured policies should be applied to the user accessing the bucket. I tried to consult documentation, but only found guidance for the Veeam console side, not the Wasabi Portal.

Anybody done something similar? Am I making it too complicated and should just apply WasabiFullAccess? Am I completely off the rails here and should do this another way?

Thank you for reading, appreciate it.

Re: Wasabi policy permission

Post by david.domask »

Hi ado {at} b-w.it, welcome to the forums.

I've merged your post with an existing topic that I believe answers the same question. I'm not familiar with the Wasabi Portal configurations you're mentioning, but minimal permissions should be set like in the answers above to restrict access.
David Domask | Product Management: Principal Analyst