- tpx
- Novice
- Posts: 7
- Liked: 2 times
- Joined: Mar 08, 2020 9:26 am
- Contact:
Re: IAM JSON for AWS S3 Immutable (Object-Lock)
Gostev wrote: ↑Mar 08, 2020 10:19 pm
If you tried an IAM policy with full administrative access, then your issue is completely unrelated to this discussion, so let's not derail or hijack this topic. Please open a support case, and create the dedicated topic (if you feel your issue needs to be discussed with the entire community). Thanks!
Sorry, I'll create a new thread.
- dalbertson
- Veeam Software
- Posts: 492
- Liked: 175 times
- Joined: Jul 21, 2015 12:38 pm
- Full Name: Dustin Albertson
- Contact:
Re: IAM JSON for AWS S3 Immutable (Object-Lock)
@Skyview @tpx @chris.arceneaux
I am back and have some results. I have tested this in my lab and verified with PM as well. These are the actual minimum permissions required for immutability. Just copy this into a new policy and change the bucketname to your bucket name.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation",
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject",
                "s3:GetBucketVersioning",
                "s3:GetBucketObjectLockConfiguration",
                "s3:ListBucketVersions",
                "s3:GetObjectVersion",
                "s3:GetObjectRetention",
                "s3:GetObjectLegalHold",
                "s3:PutObjectRetention",
                "s3:PutObjectLegalHold",
                "s3:DeleteObjectVersion"
            ],
            "Resource": [
                "arn:aws:s3:::bucketname",
                "arn:aws:s3:::bucketname/*"
            ]
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:HeadBucket"
            ],
            "Resource": "*"
        }
    ]
}
And since people will see this... these are the minimum permissions needed if you do NOT use immutability (standard S3).
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "SecureBucketPolicy0",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject",
                "s3:GetBucketLocation",
                "s3:GetBucketVersioning",
                "s3:GetBucketObjectLockConfiguration"
            ],
            "Resource": [
                "arn:aws:s3:::<yourbucketname>/*",
                "arn:aws:s3:::<yourbucketname>"
            ]
        },
        {
            "Sid": "SecureBucketPolicy1",
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:HeadBucket"
            ],
            "Resource": "*"
        }
    ]
}
Dustin Albertson | Director of Product Management - Cloud & Applications | Veeam Product Management, Alliances
- ConradGoodman
- Expert
- Posts: 109
- Liked: 5 times
- Joined: Apr 21, 2020 11:45 am
- Full Name: Conrad Goodman
- Contact:
Re: IAM JSON for AWS S3 Immutable (Object-Lock)
Glad I found this post, will use the above Policy.
But please, please update this documentation: https://helpcenter.veeam.com/docs/backu ... 100#rpasos
For those of us unfamiliar with Amazon Web Services it would have been nice to have the policy available in the official v10 documentation rather than just the list of permissions in JSON.
- chris.arceneaux
- VeeaMVP
- Posts: 722
- Liked: 384 times
- Joined: Jun 24, 2019 1:39 pm
- Full Name: Chris Arceneaux
- Location: Georgia, USA
- Contact:
Re: IAM JSON for AWS S3 Immutable (Object-Lock)
Hi Conrad,
Thanks for your feedback! As Veeam supports multiple Object Storage providers, we tried to present the permissions in a provider neutral format. We do have a KB article available with AWS-specific information:
https://www.veeam.com/kb3151
Another method to simplify this process even further would be my AWS CloudFormation Templates I've put on VeeamHub. These create the IAM User/Role & S3 Bucket for you:
https://github.com/VeeamHub/veeam-aws-c ... eplication
- dalbertson
- Veeam Software
- Posts: 492
- Liked: 175 times
- Joined: Jul 21, 2015 12:38 pm
- Full Name: Dustin Albertson
- Contact:
Re: IAM JSON for AWS S3 Immutable (Object-Lock)
@ConradGoodman @chris.arceneaux
The KB above listed by chris is not for this use. It is for Veeam Backup for AWS only, as stated in the KB.
This cloud tier use case has a specific KB article that I created for it. https://www.veeam.com/kb3151
I will look into updating the helpguides also or link to the KB.
Dustin Albertson | Director of Product Management - Cloud & Applications | Veeam Product Management, Alliances
- stewsie
- Veteran
- Posts: 298
- Liked: 25 times
- Joined: May 22, 2015 7:16 am
- Full Name: Paul
- Contact:
Re: IAM JSON for AWS S3 Immutable (Object-Lock)
Hi. I also have the issue "Amazon REST error: 'S3 error: Access Denied'" when trying to run through the SOBR wizard. This was working with no issues until yesterday morning. The only thing I did was to put the Performance tier into maintenance to check the restore from the Capacity Tier in the event the Performance Tier wasn't available. The restore worked and I took the tier out of maintenance. I then ran a backup to carry out more testing and this is when the Offload jobs started to fail with the following error:
Amazon REST error: 'S3 error: Access Denied
Code: AccessDenied', error code: 403
Other: HostId:
Nothing has changed with the S3 configuration and the policy in use for the account is using the policy supplied by Veeam. I created new access keys in AWS and tried those with the same failure. I unchecked encryption in the SOBR wizard at the capacity tier section and was able to complete the wizard. The offload job still failed. I then enabled encryption but now the wizard fails to complete with
Failed to save scale-out backup repository:
Unable to create database records for repository
Amazon REST error: 'S3 error: Access Denied
Code: AccessDenied', error code: 403
Amazon REST error: 'S3 error: Access Denied
I can still see the files when starting the restore process so connectivity with the bucket is still in place
I have opened a support call with Veeam 04539171 and am only interested to see if anyone else has experienced anything like this? I am not trying to shortcut the support process and am happy with the initial response
Thanks
- stewsie
- Veteran
- Posts: 298
- Liked: 25 times
- Joined: May 22, 2015 7:16 am
- Full Name: Paul
- Contact:
Re: IAM JSON for AWS S3 Immutable (Object-Lock)
Update from me.
I checked the S3 bucket configuration, which was created by an AWS partner as my experience with AWS is quite limited, and looked at the bucket policy that was applied. The policy was created for the retention policy. I took a copy and then deleted the bucket policy. The SOBR wizard then completed and when I ran a backup job the offload job completed. I have updated the support call with this information and am also asking if a bucket policy is needed and, if so, what should be in it?
- chris.arceneaux
- VeeaMVP
- Posts: 722
- Liked: 384 times
- Joined: Jun 24, 2019 1:39 pm
- Full Name: Chris Arceneaux
- Location: Georgia, USA
- Contact:
Re: IAM JSON for AWS S3 Immutable (Object-Lock)
Hi Paul,
As mentioned in the KB Article previously highlighted in this thread, only an IAM policy is required. IAM policies are applied to a user whereas bucket policies are applied directly to an S3 bucket. The IAM policy created should be assigned to the IAM user that Veeam uses when connecting to AWS.
https://www.veeam.com/kb3151
- stewsie
- Veteran
- Posts: 298
- Liked: 25 times
- Joined: May 22, 2015 7:16 am
- Full Name: Paul
- Contact:
Re: IAM JSON for AWS S3 Immutable (Object-Lock)
Got that, thanks. The bucket policy was added by the AWS consultant and has since been removed by me.
- frankive
- Service Provider
- Posts: 1092
- Liked: 134 times
- Joined: May 14, 2013 8:35 pm
- Full Name: Frank Iversen
- Location: Norway
- Contact:
Re: IAM JSON for AWS S3 Immutable (Object-Lock)
@chris.arceneaux If we have multiple customers (with 1 bucket each) in our subscription, we need to run your script for each customer, right? So we get 1 IAM user with the access key with the correct permissions only to their bucket?
- dalbertson
- Veeam Software
- Posts: 492
- Liked: 175 times
- Joined: Jul 21, 2015 12:38 pm
- Full Name: Dustin Albertson
- Contact:
Re: IAM JSON for AWS S3 Immutable (Object-Lock)
Yes @frankive, just make sure to use a unique name for each IAM user.
							Dustin Albertson | Director of Product Management - Cloud & Applications | Veeam Product Management, Alliances
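An added example, not Veeam's code and not from KB3151, that ties together the two policies Dustin posted earlier in this thread and Frank's one-IAM-user-per-customer-bucket question: it builds the least-privilege policy for a given bucket (with or without the Object Lock actions), audits an arbitrary policy document against the posted action list (mutating actions on Resource "*", ARNs outside the intended bucket, missing actions), and generates one policy per tenant so that a cross-tenant check fails as it should. The action lists are copied from the posted JSON; the bucket and tenant names, the Sid values and the audit rules are assumptions made for this example.

```python
"""Build, audit and tenant-isolate the Veeam S3 IAM policy.

Added example, not Veeam's code. The action lists are copied from the
policy JSON posted earlier in this thread; bucket and tenant names, the
Sid values and the audit rules are assumptions made for the example.
"""
import fnmatch
import json

# Actions the post lists for a standard (non-immutable) S3 repository
STANDARD_ACTIONS = [
    "s3:ListBucket",
    "s3:PutObject",
    "s3:GetObject",
    "s3:DeleteObject",
    "s3:GetBucketLocation",
    "s3:GetBucketVersioning",
    "s3:GetBucketObjectLockConfiguration",
]
# Extra actions the post adds when Object Lock (immutability) is used
OBJECT_LOCK_ACTIONS = [
    "s3:ListBucketVersions",
    "s3:GetObjectVersion",
    "s3:GetObjectRetention",
    "s3:GetObjectLegalHold",
    "s3:PutObjectRetention",
    "s3:PutObjectLegalHold",
    "s3:DeleteObjectVersion",
]
# Account-wide read-only calls granted on Resource "*" in the post
ACCOUNT_ACTIONS = ["s3:ListAllMyBuckets", "s3:HeadBucket"]
# Anything starting with these must never be granted on Resource "*"
MUTATING_PREFIXES = ("s3:Put", "s3:Delete")


def bucket_arns(bucket):
    """The two ARNs a bucket-scoped statement needs: bucket and its objects."""
    return {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}


def build_policy(bucket, immutable=True):
    """Policy document (dict) granting exactly one bucket, per the forum post."""
    actions = STANDARD_ACTIONS + (OBJECT_LOCK_ACTIONS if immutable else [])
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "VeeamBucketAccess", "Effect": "Allow",
             "Action": actions, "Resource": sorted(bucket_arns(bucket))},
            {"Sid": "VeeamListBuckets", "Effect": "Allow",
             "Action": ACCOUNT_ACTIONS, "Resource": "*"},
        ],
    }


def _as_list(value):
    # IAM allows a bare string or a list for Action and Resource
    return value if isinstance(value, list) else [value]


def audit_policy(policy, bucket, immutable=True):
    """Return findings (empty list = pass) for a policy meant for `bucket`.

    Flags mutating actions on Resource "*", any S3 ARN other than the
    bucket's own, and required actions the policy does not grant.
    """
    findings = []
    own = bucket_arns(bucket)
    required = STANDARD_ACTIONS + (OBJECT_LOCK_ACTIONS if immutable else [])
    granted = set()  # action patterns allowed on the bucket

    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # a Deny never widens access; out of scope here
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action", []))
        resources = set(_as_list(stmt.get("Resource", [])))
        if "*" in resources:
            for a in actions:
                if a in ("*", "s3:*") or a.startswith(MUTATING_PREFIXES):
                    findings.append(f"{sid}: mutating action {a} on Resource *")
        foreign = sorted(r for r in resources
                         if r.startswith("arn:aws:s3:::") and r not in own)
        if foreign:
            findings.append(f"{sid}: grants S3 resources outside {bucket}: {foreign}")
        if "*" in resources or resources & own:
            granted.update(actions)

    # IAM action names support wildcards, so match required actions as globs
    missing = [a for a in required
               if not any(fnmatch.fnmatchcase(a, p) for p in granted)]
    if missing:
        findings.append(f"missing actions on {bucket}: {missing}")
    return findings


def tenant_policies(tenants):
    """One policy per tenant bucket, keyed by a unique IAM user name."""
    return {f"veeam-{name}": build_policy(bucket)
            for name, bucket in tenants.items()}


if __name__ == "__main__":
    # Constructed tenant -> bucket mapping; not real names
    tenants = {"tenant-a": "tenant-a-veeam-backups",
               "tenant-b": "tenant-b-veeam-backups"}
    policies = tenant_policies(tenants)
    print(json.dumps(policies["veeam-tenant-a"], indent=4))
    # Each user's policy passes for its own bucket and fails for the other's
    print(audit_policy(policies["veeam-tenant-a"], tenants["tenant-a"]))
    print(audit_policy(policies["veeam-tenant-a"], tenants["tenant-b"]))
```

Running the script prints tenant A's policy and then an empty findings list for its own bucket followed by two findings for tenant B's bucket (foreign ARNs and every required action missing), which is the separation Frank is after. Auditing a full-administrator policy (`"Action": "*"` on `"Resource": "*"`) produces a single "mutating action * on Resource *" finding, the case Gostev asked to keep out of this thread; auditing the standard-S3 policy against the immutable requirement lists the seven Object Lock actions as missing.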
- frankive
- Service Provider
- Posts: 1092
- Liked: 134 times
- Joined: May 14, 2013 8:35 pm
- Full Name: Frank Iversen
- Location: Norway
- Contact:
Re: IAM JSON for AWS S3 Immutable (Object-Lock)
@chris.arceneaux We are using your launch stack to create the user with IAM and the bucket. Works like a breeze!
However, when we try to add an Amazon Glacier repository (want to use Glacier Deep Archive for backups older than 180 days) using that user and bucket we get an error saying "Insufficient AWS EC2 permissions".
Which approach would you suggest when we have multiple customers in one AWS account and we are only separating them with the IAM user and the bucket your cool script created?
Should we create a new IAM user for this or edit the existing IAM user?
Are there any concerns with multiple different customers in this matter when we start to talk EC2 resources?
- dalbertson
- Veeam Software
- Posts: 492
- Liked: 175 times
- Joined: Jul 21, 2015 12:38 pm
- Full Name: Dustin Albertson
- Contact:
Re: IAM JSON for AWS S3 Immutable (Object-Lock)
@frankive It has not been updated yet. We are going to add those permissions and will notify you in this forum.
Dustin Albertson | Director of Product Management - Cloud & Applications | Veeam Product Management, Alliances
- AlexHeylin
- Veteran
- Posts: 563
- Liked: 174 times
- Joined: Nov 15, 2019 4:09 pm
- Full Name: Alex Heylin
- Contact:
Re: IAM JSON for AWS S3 Immutable (Object-Lock)
It's just taken me an hour to find this post after hunting high and low for a KB on this from Veeam. Did one get published, and if so, why can't any search on Veeam's sites find it?
Thanks
- veremin
- Product Manager
- Posts: 20736
- Liked: 2403 times
- Joined: Oct 26, 2012 3:28 pm
- Full Name: Vladimir Eremin
- Contact:
Re: IAM JSON for AWS S3 Immutable (Object-Lock)
AlexHeylin wrote:
Did one get published?
The KB article was published quite some time ago and is referenced a few posts above. It's been recently updated and currently it does contain information regarding applying IAM policies to buckets with object lock enabled.
AlexHeylin wrote:
why can't any search on Veeam's sites find it?
Not sure what might be the problem here. I've just checked and this thread comes first if you use the community search functionality with key phrases such as "IAM object lock" or "IAM immutability". If you use the same phrases with Google search and just add "Veeam" to the sentences, both this thread and the KB article will be available on the first page.
Thanks!
- Gostev
- Chief Product Officer
- Posts: 32761
- Liked: 7970 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: IAM JSON for AWS S3 Immutable (Object-Lock)
dalbertson wrote: ↑Feb 26, 2021 1:53 pm
@frankive It has not been updated yet. We are going to add those permissions and will notify you in this forum.
@dalbertson could you confirm what is the status?
- dalbertson
- Veeam Software
- Posts: 492
- Liked: 175 times
- Joined: Jul 21, 2015 12:38 pm
- Full Name: Dustin Albertson
- Contact:
Re: IAM JSON for AWS S3 Immutable (Object-Lock)
The permissions listed in the helpcenter & kb3151 should be up to date.
https://www.veeam.com/kb3151
https://helpcenter.veeam.com/docs/backu ... positories
Dustin Albertson | Director of Product Management - Cloud & Applications | Veeam Product Management, Alliances
- mark49808
- Enthusiast
- Posts: 83
- Liked: 14 times
- Joined: Feb 02, 2017 6:31 pm
- Contact:
[MERGED] S3 Role Assumption
Is it possible to do role assumption with the S3 credentials? Use case - we prefer to centralize our IAM users in a single account and only allow said users to assume roles in other accounts… is it possible for Veeam to do this, possibly with some otherwise hidden registry key?
https://docs.aws.amazon.com/cli/latest/ ... -role.html
- veremin
- Product Manager
- Posts: 20736
- Liked: 2403 times
- Joined: Oct 26, 2012 3:28 pm
- Full Name: Vladimir Eremin
- Contact:
Re: IAM JSON for AWS S3 Immutable (Object-Lock)
What you can do to keep the number of required permissions to a bare minimum is to create an IAM policy and assign it to a user. More information regarding it can be found in the referenced KB article. Thanks!