Create a S3 Bucket with Object Lock in Scality Artesca for Veeam

 1 year ago
source link: https://www.virtualtothecore.com/create-a-s3-bucket-with-object-lock-in-scality-artesca-for-veeam/

Veeam Backup & Replication v12 is capable of writing backups directly to object storage. In my lab I use Scality Artesca as my S3-compatible object storage, so I created some new buckets to be used with Veeam. Let’s see how this can be done. The procedure can also be useful for people using different products.

In Artesca

In the object storage system I create two users. I do this so I can reduce as much as possible the permissions to access the two buckets, following the Principle of Least Privilege.
Each user has its own associated Access Key, which I will need to copy for later use in Veeam.
Then, in the buckets section, I create the two buckets I want to have in my lab:
Note that vcc-d2o-objectlock has Object Lock Retention enabled, to be later used in Veeam for Immutability:
This is the bucket we are going to use.
In the storage I now have to give the user I created before permissions on the bucket. This is done, following the AWS S3 protocol, by creating an IAM policy and then attaching it to the user.
So, we create a new policy that allows a user to access the S3 bucket with the additional permissions for managing Object Lock:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation",
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:GetBucketVersioning",
        "s3:GetBucketObjectLockConfiguration",
        "s3:ListBucketVersions",
        "s3:GetObjectVersion",
        "s3:GetObjectRetention",
        "s3:GetObjectLegalHold",
        "s3:PutObjectRetention",
        "s3:PutObjectLegalHold",
        "s3:DeleteObjectVersion"
      ],
      "Resource": [
        "arn:aws:s3:::vcc-d2o-objectlock",
        "arn:aws:s3:::vcc-d2o-objectlock/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:HeadBucket"
      ],
      "Resource": "*"
    }
  ]
}

Note the Resource section: the bucket and object permissions in the first statement are only valid when operating on the bucket we created before.

Then I attach the policy to the user by binding the IAM policy:
The storage part is completed.

In Veeam server

On the Veeam server I start the wizard to mount a new object storage, using the S3 Compatible option. I fill the service point option with the DNS name of the object storage, and for the credentials I register the access key I retrieved before when creating the dedicated user:
We select the appropriate bucket (depending on the IAM policy, you may be able to see all buckets but only access the configured one) and we create a folder in it:
As this bucket supports Immutability, we enable the corresponding option in the wizard:
and we complete the mount process.
The bucket is mounted and ready to be used:
You can see that there is another bucket, that doesn’t use immutability. In case you need it, the IAM policy for a bucket WITHOUT object lock is this one (also available in Veeam KB 3151):
{ 
  "Version": "2012-10-17", 
  "Statement": [ 
    { 
      "Effect": "Allow", 
      "Action": [ 
        "s3:ListBucket", 
        "s3:PutObject", 
        "s3:GetObject", 
        "s3:DeleteObject", 
        "s3:GetBucketLocation", 
        "s3:GetBucketVersioning", 
        "s3:GetBucketObjectLockConfiguration" 
      ], 
      "Resource": [ 
        "arn:aws:s3:::vcc-d2o-basic/*", 
        "arn:aws:s3:::vcc-d2o-basic" 
      ] 
    }, 
    { 
      "Effect": "Allow", 
      "Action": [ 
        "s3:ListAllMyBuckets", 
        "s3:HeadBucket" 
      ], 
      "Resource": "*" 
    } 
  ] 
}
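
A check for the two policies above, added here as an example and not part of the original article: it verifies that a policy grants the actions listed on this page on the bucket's own ARNs and nothing bucket-specific anywhere else. The `RISKY` list, the function names and `BROAD_POLICY` are assumptions made for the illustration, and resources are compared as exact ARN strings.

```python
from fnmatch import fnmatchcase

# Action lists copied from the two policies on this page.
BASIC = {"s3:ListBucket", "s3:PutObject", "s3:GetObject", "s3:DeleteObject",
         "s3:GetBucketLocation", "s3:GetBucketVersioning",
         "s3:GetBucketObjectLockConfiguration"}
LOCK_EXTRA = {"s3:ListBucketVersions", "s3:GetObjectVersion",
              "s3:GetObjectRetention", "s3:GetObjectLegalHold",
              "s3:PutObjectRetention", "s3:PutObjectLegalHold",
              "s3:DeleteObjectVersion"}
ACCOUNT_WIDE = {"s3:ListAllMyBuckets", "s3:HeadBucket"}
# Assumption, not from the page: grants that can weaken immutability.
RISKY = {"s3:BypassGovernanceRetention", "s3:PutBucketObjectLockConfiguration",
         "s3:PutBucketVersioning", "s3:DeleteBucket"}

def _list(value):
    return value if isinstance(value, list) else [value]

def audit_policy(policy, bucket, object_lock):
    """Return a list of findings; an empty list means the policy fits."""
    required = BASIC | (LOCK_EXTRA if object_lock else set())
    own_arns = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    granted, findings = set(), []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = _list(stmt["Action"])
        for res in _list(stmt["Resource"]):
            if res in own_arns:
                granted.update(actions)
                continue
            # Outside the bucket only the account-wide listing calls are expected.
            extra = sorted(a for a in actions if a not in ACCOUNT_WIDE)
            if extra:
                findings.append(f"{res}: out-of-scope {', '.join(extra)}")
        for pattern in actions:
            if any(fnmatchcase(r, pattern) for r in RISKY):
                findings.append(f"can weaken immutability: {pattern}")
    for need in sorted(required):
        if not any(fnmatchcase(need, g) for g in granted):
            findings.append(f"no bucket-scoped grant for {need}")
    return findings

def sample_policy(bucket, actions, wide_actions):  # constructed test input
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": sorted(actions),
         "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]},
        {"Effect": "Allow", "Action": sorted(wide_actions), "Resource": "*"}]}

PAGE_POLICY = sample_policy("vcc-d2o-objectlock", BASIC | LOCK_EXTRA, ACCOUNT_WIDE)
BROAD_POLICY = sample_policy("vcc-d2o-objectlock", BASIC, {"s3:*"})
```

`audit_policy(PAGE_POLICY, "vcc-d2o-objectlock", True)` returns an empty list, while the constructed `BROAD_POLICY` is flagged for its wildcard grant and for the Object Lock actions it does not scope to the bucket.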
