S3 Permissions Required?

  • Resolved smartyp

    (@smartyp)


    5 years, 7 months ago

    Hi,

    Can anyone confirm the minimum specific S3 permissions required for backups via BackWPup? (Or is there a recommended S3 policy… ). Would have thought this would be in the FAQ section but couldn’t find it stated anywhere in the docs.

    Thanks.

Viewing 8 replies - 1 through 8 (of 8 total)
  • Plugin Support happyAnt

    (@duongcuong96)

    Hi @smartyp
    From what I understand now, BackWPUp uses the following S3 permissions:

    read
Buckets: s3:ListBucket, s3:ListBucketVersions, and s3:ListBucketMultipartUploads

write:
Buckets: s3:PutObject and s3:DeleteObject

    Hope that may help you ??

    • This reply was modified 5 years, 7 months ago by happyAnt.
    Thread Starter smartyp

    (@smartyp)

    Thanks, that did the trick – was missing ListBucketVersions.

    I recommend you guys put this in the FAQ ??

    Plugin Support happyAnt

    (@duongcuong96)

    Hi @smartyp
    Great to hear that, but could you please describe more detail about your issue?
    I would like to know more about your case before I can suggest our team add S3 permissions to FAQ.
    Thank you ??

    Thread Starter smartyp

    (@smartyp)

    Not really sure what you mean. Anyone using S3 for backups needs to know what permissions they need to allow at the Amazon S3 end. So rather than have people guess until it works (or grant more permissions than necessary) it would help to publish what is required ??

    Plugin Support happyAnt

    (@duongcuong96)

    @smartyp
    Actually, I never got this kind of issue before with AWS S3, so I was curious how you can get the issue? is there a way to reproduce it?
    Thank you!

    Thread Starter smartyp

    (@smartyp)

    How did you set up permissions at the S3 end? A lot of people just add permissions for ‘everything’ which is really not wise for security (or worse, are still using root access keys instead of IAM users).

    So to reproduce, just remove some of the required permissions from the S3 policy. For example (as I experienced) if ListBucketVersions hasn’t been granted then the backup runs, but then fails at the end when it accesses S3.

    I was just wondering the same thing.
    =============================================
    read
    Buckets: s3:ListBucket, s3:ListBucketVersions, and s3:ListBucketMultipartUploads
    write:
    Buckets: s3:PutObject and s3:DeleteObject
    =============================================

    Those 5 permissions are not working for me. I am getting :

    [10-Jul-2019 15:43:34] ERROR: S3 Service API: Access Denied

    Any update on this?

    I found that these minimum permissions worked…are these correct or should I remove some of them?

    “s3:PutObject”,
    “s3:GetObject”,
    “s3:ListBucketMultipartUploads”,
    “s3:AbortMultipartUpload”,
    “s3:ListBucketVersions”,
    “s3:ListBucket”,
    “s3:DeleteObject”,
    “s3:GetBucketLocation”,
    “s3:ListMultipartUploadParts”

    It seems that whenever I removed “GetBucketLocation”, I got a :
    ERROR: S3 Service API: Access Denied

    So DEFINITELY that is needed….but the others? Which can I safely remove?

Viewing 8 replies - 1 through 8 (of 8 total)
  • The topic ‘S3 Permissions Required?’ is closed to new replies.