Unsupported Action in Policy for S3 Glacier/Veeam

0

Hello,

New person using AWS S3 Glacier and I ran across an issue. I am working with Veeam to add an S3 Glacier to my backup. I have the bucket created. I need to add the following to my bucket policy:

{
 "Version": "2012-10-17",
 "Statement": [
   {
     "Sid": "VisualEditor0",
     "Effect": "Allow",
     "Action": [
       "s3:DeleteObject",
       "s3:PutObject",
       "s3:GetObject",
       "s3:RestoreObject",
       "s3:ListBucket",
       "s3:AbortMultipartUpload",
       "s3:GetBucketVersioning",
       "s3:ListAllMyBuckets",
       "s3:GetBucketLocation",
       "s3:GetBucketObjectLockConfiguration",
       "ec2:DescribeInstances",
       "ec2:CreateKeyPair",
       "ec2:DescribeKeyPairs",
       "ec2:RunInstances",
       "ec2:DeleteKeyPair",
       "ec2:DescribeVpcAttribute",
       "ec2:CreateTags",
       "ec2:DescribeSubnets",
       "ec2:TerminateInstances",
       "ec2:DescribeSecurityGroups",
       "ec2:DescribeImages",
       "ec2:DescribeVpcs",
       "ec2:CreateVpc",
       "ec2:CreateSubnet",
       "ec2:DescribeAvailabilityZones",
       "ec2:CreateRoute",
       "ec2:CreateInternetGateway",
       "ec2:AttachInternetGateway",
       "ec2:ModifyVpcAttribute",
       "ec2:CreateSecurityGroup",
       "ec2:DeleteSecurityGroup",
       "ec2:AuthorizeSecurityGroupIngress",
       "ec2:AuthorizeSecurityGroupEgress",
       "ec2:DescribeRouteTables",
       "ec2:DescribeInstanceTypes"
     ],
     "Resource": "*"
   }
 ]
}

Once I put this in, the first error I get is "Missing Principal". So I added "Principal": {}, under SID. But I have no idea what to put in the brackets. I changed it to "*" and that seemed to fix it. Not sure if this is the right thing to do?

The next error I get is for all the EC2's and s3:ListAllMyBuckets, which give me an error of "Unsupported Action in Policy". This is where I get lost. Not sure what else to do. Do I need to open my bucket to public? Is this a permissions issue? Do I have to recreate the bucket and disable object-lock?

Please help.

2 Answers
1

You need to add the policy to the Veeam IAM User that you created, not to the bucket policy.

The Veeam Docs for Integration with S3 are a little vague but the Veeam KB article is clearer.

*Note: the Docs cover the policy for many different scenarios and the KB article covers just S3 Standard, but the instructions for applying the policy to an IAM vs S3 is what you were missing.

answered 9 months ago
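
The two console errors from the question can be reproduced offline with a small lint, added here as an example (it is not code from this thread, AWS, or Veeam). It assumes a bucket policy must name a Principal and accepts only bucket- or object-level s3: actions; the function names, finding labels and the trimmed sample policy are constructed for illustration.

```python
import copy
import json

# Account-level S3 actions that cannot be scoped to one bucket. Assumption:
# only the action named in the question's error is listed here.
ACCOUNT_LEVEL_S3 = {"s3:listallmybuckets"}

# Constructed sample: the question's policy trimmed to three actions.
SAMPLE = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Sid": "VisualEditor0", "Effect": "Allow",
   "Action": ["s3:GetObject", "s3:ListAllMyBuckets", "ec2:RunInstances"],
   "Resource": "*"}]}
""")

def as_list(value):
    return value if isinstance(value, list) else [value]

def is_wildcard(principal):
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in as_list(principal.get("AWS", []))

def lint_bucket_policy(policy):
    """Return (sid, finding, detail) tuples for a candidate bucket policy."""
    findings = []
    for stmt in as_list(policy.get("Statement", [])):
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        if not principal and "NotPrincipal" not in stmt:
            findings.append((sid, "missing-principal", None))
        elif (stmt.get("Effect") == "Allow" and "Condition" not in stmt
              and is_wildcard(principal)):
            # Allow + "*" + no Condition grants the actions to any caller.
            findings.append((sid, "wildcard-principal", "*"))
        for action in as_list(stmt.get("Action", [])):
            name = action.lower()  # IAM action names are case-insensitive
            if not name.startswith("s3:") or name in ACCOUNT_LEVEL_S3:
                findings.append((sid, "unsupported-action", action))
    return findings

if __name__ == "__main__":
    for finding in lint_bucket_policy(SAMPLE):
        print(finding)
    patched = copy.deepcopy(SAMPLE)
    patched["Statement"][0]["Principal"] = "*"   # the asker's workaround
    for finding in lint_bucket_policy(patched):
        print(finding)
```

A document that produces `missing-principal` or `unsupported-action` findings is an identity policy and belongs on the IAM user, as the answer above says; a `wildcard-principal` finding marks a statement that would open the bucket to every caller.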
0

Thanks for the articles. I will see if it works. I'm hopeful that it will.

answered 9 months ago