Maintain control of your Microsoft 365 data
warnox
Service Provider
Posts: 49
Liked: 3 times
Joined: Mar 24, 2015 11:32 pm
Contact:

VBO - S3 Object Storage IAM Policy

Post by warnox »

Hi,

Is there official documentation showing the required permissions (AWS IAM Policy) for VBO to use an S3 bucket? I can only find the documentation for Backup & Replication, but nothing for VBO. I've been using the following, and it works, but not sure if this is ideal.


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:DeleteObject",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::bucket-name",
                "arn:aws:s3:::*/*"
            ]
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "*"
        }
    ]
}
Thanks for any input.
Mike Resseler
Product Manager
Posts: 8286
Liked: 1361 times
Joined: Feb 08, 2013 3:08 pm
Full Name: Mike Resseler
Location: Belgium
Contact:

Re: VBO - S3 Object Storage IAM Policy

Post by Mike Resseler »

Hi @warnox

VBO works with an access key to connect to S3. See here: https://helpcenter.veeam.com/docs/vbo36 ... tml?ver=40
warnox

Re: VBO - S3 Object Storage IAM Policy

Post by warnox »

Hi Mike,

Yea but an access key is tied to a user, which should have the least privilege policy applied. I’m looking for https://www.veeam.com/kb3151 but for VBO...
Mike Resseler

Re: VBO - S3 Object Storage IAM Policy

Post by Mike Resseler »

Ah sorry, I thought you meant rights for VBO to run effectively, my bad.

It should be the same privileges. I will ask our QA team to verify if those are the least ones and ask support to write a KB specific for VBO.
Mike Resseler

Re: VBO - S3 Object Storage IAM Policy

Post by Mike Resseler » 1 person likes this post

Hi @warnox

Bucket policy:

{
    "Version": "2012-10-17",
    "Id": "vbopolicy",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::11111111111111:user/IAM_USER_ID"
            },
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": "arn:aws:s3:::examplebucketname"
        },
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::11111111111111:user/IAM_USER_ID"
            },
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject",
                "s3:AbortMultipartUpload"
            ],
            "Resource": "arn:aws:s3:::examplebucketname/*"
        }
    ]
}

User policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:GetBucketLocation"
            ],
            "Resource": "arn:aws:s3:::*"
        }
    ]
}

I will ask to put this information into a KB.
Thanks
Mike
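
An added example, not part of the original posts or of Veeam's documentation: a small Python check that reports where a policy allows the thread's data actions outside the intended bucket, run on constructed copies of the first policy in this thread and of the bucket policy above. The function names and the action table are assumptions made for this illustration; NotAction, NotResource and Condition are not evaluated.

```python
import fnmatch

S3_ARN = "arn:aws:s3:::"
# Data actions used in this thread, and the kind of ARN each is evaluated against.
ACTION_KIND = {"s3:PutObject": "object", "s3:GetObject": "object",
               "s3:DeleteObject": "object", "s3:AbortMultipartUpload": "object",
               "s3:ListBucket": "bucket"}

def as_list(value):
    """IAM accepts a single value or a list for Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]

def applies(kind, name):
    """Bucket actions match ARNs without '/'; object actions need '/' or a wildcard."""
    return "/" not in name if kind == "bucket" else ("/" in name or "*" in name)

def overbroad_grants(policy, bucket):
    """Return (action, resource) pairs that allow a data action outside `bucket`."""
    findings = set()
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        for resource in as_list(stmt.get("Resource", [])):
            name = resource[len(S3_ARN):] if resource.startswith(S3_ARN) else resource
            if name.split("/", 1)[0] == bucket:
                continue  # confined to the intended bucket
            for pattern in as_list(stmt.get("Action", [])):
                findings.update(
                    (known, resource) for known, kind in ACTION_KIND.items()
                    if fnmatch.fnmatchcase(known.lower(), pattern.lower())
                    and applies(kind, name))
    return sorted(findings)

# Constructed copies of the thread's policies (Version, Sid, Id, Principal left out).
FIRST_POLICY = {"Statement": [
    {"Effect": "Allow",
     "Action": ["s3:PutObject", "s3:GetObject", "s3:ListBucket",
                "s3:DeleteObject", "s3:GetBucketLocation"],
     "Resource": ["arn:aws:s3:::bucket-name", "arn:aws:s3:::*/*"]},
    {"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*"}]}
BUCKET_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:ListBucket"],
     "Resource": "arn:aws:s3:::examplebucketname"},
    {"Effect": "Allow", "Resource": "arn:aws:s3:::examplebucketname/*",
     "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject",
                "s3:AbortMultipartUpload"]}]}
if __name__ == "__main__":
    for action, resource in overbroad_grants(FIRST_POLICY, "bucket-name"):
        print(f"{action} is allowed on {resource}")
```

On the first policy the check reports the three object actions on `arn:aws:s3:::*/*`; on the bucket policy it reports nothing.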
warnox

Re: VBO - S3 Object Storage IAM Policy

Post by warnox »

Thanks Mike, exactly what I was after.
Polina
Veeam Software
Posts: 3759
Liked: 922 times
Joined: Oct 21, 2011 11:22 am
Full Name: Polina Vasileva
Contact:

Re: VBO - S3 Object Storage IAM Policy

Post by Polina »

And now it's covered in the KB: https://www.veeam.com/kb4046