# AWS S3 Target Permissions

To add AWS S3 (object storage) as a Target within T4K, the IAM user whose credentials are supplied needs specific access permissions on the bucket.

* **Implementation Step**
  1. Create the following Policy in AWS

     * **Note:** replace `bucketname` with the name of the S3 bucket

     ```json
     {
         "Version": "2012-10-17",
         "Statement": [
             {
                 "Effect": "Allow",
                 "Action": [
                     "s3:ListBucket",
                     "s3:PutObject",
                     "s3:GetObject",
                     "s3:DeleteObject"
                 ],
                 "Resource": [
                     "arn:aws:s3:::bucketname",
                     "arn:aws:s3:::bucketname/*"
                 ]
             },
             {
                 "Effect": "Deny",
                 "NotAction": "s3:*",
                 "NotResource": [
                     "arn:aws:s3:::bucketname",
                     "arn:aws:s3:::bucketname/*"
                 ]
             }
         ]
     }
     ```
  2. Attach the policy to an IAM user and collect that user's Access key ID and Secret access key; both are entered when adding the AWS target.
  3. Optional: if a bucket policy is attached to the bucket, it should grant the same actions to that user, as follows:

     * **Note:** `Alice` is an IAM user in the root account `111122223333`

     ```json
     {
         "Version": "2012-10-17",
         "Statement": [
             {
                 "Effect": "Allow",
                 "Principal": {
                     "AWS": [
                         "arn:aws:iam::111122223333:user/Alice"
                     ]
                 },
                 "Action": [
                     "s3:ListBucket",
                     "s3:PutObject",
                     "s3:GetObject",
                     "s3:DeleteObject"
                 ],
                 "Resource": [
                     "arn:aws:s3:::my_bucket",
                     "arn:aws:s3:::my_bucket/*"
                 ]
             }
         ]
     }
     ```
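The identity policy in step 1 pairs an Allow for four S3 actions with a Deny whose `NotAction`/`NotResource` combination blocks every non-S3 action on anything other than the bucket, so a broader policy attached to the same user later cannot widen its reach. The script below is an added example (not T4K's code) that evaluates both of the page's policies offline with a simplified model of IAM evaluation: explicit Deny wins, an Allow is required, otherwise implicit deny. `BROAD_POLICY`, the `other-bucket` ARN and the `Bob` principal are constructed for the demonstration; Condition blocks are not modelled.

```python
"""Offline evaluator for the two S3 policies above (added example, not T4K code).

Models the subset of IAM policy evaluation the policies rely on: a matching
explicit Deny ends evaluation, a matching Allow grants access, and anything
else is implicitly denied. Supports Action/NotAction, Resource/NotResource
and Principal with IAM's '*' and '?' wildcards. Condition keys are not modelled.
"""
import fnmatch
import json

# Identity policy from step 1 (bucketname is the page's placeholder).
IDENTITY_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow",
   "Action": ["s3:ListBucket", "s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
   "Resource": ["arn:aws:s3:::bucketname", "arn:aws:s3:::bucketname/*"]},
  {"Effect": "Deny", "NotAction": "s3:*",
   "NotResource": ["arn:aws:s3:::bucketname", "arn:aws:s3:::bucketname/*"]}
]}""")

# Bucket policy from step 3 (my_bucket, Alice and the account id are the page's placeholders).
BUCKET_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow",
   "Principal": {"AWS": ["arn:aws:iam::111122223333:user/Alice"]},
   "Action": ["s3:ListBucket", "s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
   "Resource": ["arn:aws:s3:::my_bucket", "arn:aws:s3:::my_bucket/*"]}
]}""")

# Constructed: a broad policy an administrator might also attach to the same user.
# The Deny statement in IDENTITY_POLICY is what keeps it from taking effect.
BROAD_POLICY = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}


def _matches(patterns, value, fold_case=False):
    """True if value matches any pattern; IAM action names are case-insensitive, ARNs are not."""
    if isinstance(patterns, str):
        patterns = [patterns]
    if fold_case:
        return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _statement_applies(stmt, action, resource, principal):
    """Does this statement cover the (principal, action, resource) request?"""
    if "Action" in stmt and not _matches(stmt["Action"], action, fold_case=True):
        return False
    if "NotAction" in stmt and _matches(stmt["NotAction"], action, fold_case=True):
        return False
    if "Resource" in stmt and not _matches(stmt["Resource"], resource):
        return False
    if "NotResource" in stmt and _matches(stmt["NotResource"], resource):
        return False
    if "Principal" in stmt and stmt["Principal"] != "*":
        # Identity policies carry no Principal; bucket policies name IAM ARNs.
        if not _matches(stmt["Principal"].get("AWS", []), principal):
            return False
    return True


def evaluate(policies, action, resource, principal="*"):
    """Return 'explicit_deny', 'allow' or 'implicit_deny' for one request."""
    decision = "implicit_deny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _statement_applies(stmt, action, resource, principal):
                continue
            if stmt["Effect"] == "Deny":
                return "explicit_deny"  # a matching Deny overrides every Allow
            decision = "allow"
    return decision


if __name__ == "__main__":
    alice = "arn:aws:iam::111122223333:user/Alice"
    bob = "arn:aws:iam::111122223333:user/Bob"  # constructed: a user the bucket policy does not name
    checks = [
        ([IDENTITY_POLICY], "s3:GetObject", "arn:aws:s3:::bucketname/backups/vol1.tar", "*"),
        ([IDENTITY_POLICY], "s3:GetObject", "arn:aws:s3:::other-bucket/secret.txt", "*"),
        ([IDENTITY_POLICY], "s3:DeleteBucket", "arn:aws:s3:::bucketname", "*"),
        ([IDENTITY_POLICY, BROAD_POLICY], "ec2:DescribeInstances", "*", "*"),
        ([BUCKET_POLICY], "s3:PutObject", "arn:aws:s3:::my_bucket/obj", alice),
        ([BUCKET_POLICY], "s3:PutObject", "arn:aws:s3:::my_bucket/obj", bob),
    ]
    for policies, action, resource, principal in checks:
        print(f"{action:22} {resource:42} -> {evaluate(policies, action, resource, principal)}")
```

The second and third checks show the least-privilege shape of the policy: objects in any other bucket and `s3:DeleteBucket` on this bucket are implicitly denied because no Allow covers them, while the fourth shows the Deny statement overriding an Allow that a separate, broader policy would otherwise grant.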
* **Security Settings:**

  1. Target browsing requires privileged containers for both object storage and NFS storage. \
     Refer to the official documentation: [Pod Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)
  2. If privileged containers are restricted in the backup and/or restore namespaces, the PodSecurityPolicy must be edited to allow them.\
     Create or edit the PodSecurityPolicy with the necessary privileges and save it in a YAML file, for example `allow-privileged-psp.yaml`:

  ```yaml
  apiVersion: policy/v1beta1
  kind: PodSecurityPolicy
  metadata:
    name: allow-privileged
  spec:
    privileged: true
    # The following strategy fields are required by the API server; RunAsAny imposes no restriction
    seLinux:
      rule: RunAsAny
    runAsUser:
      rule: RunAsAny
    supplementalGroups:
      rule: RunAsAny
    fsGroup:
      rule: RunAsAny
  ```

  3. Apply or update the PodSecurityPolicy in your cluster:

  ```bash
  kubectl apply -f allow-privileged-psp.yaml
  ```

  4. Next, create a ClusterRole that allows the use of the PodSecurityPolicy:

  ```yaml
  apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRole
  metadata:
    name: use-allow-privileged-psp
  rules:
  - apiGroups: ['policy']
    resources: ['podsecuritypolicies']
    verbs: ['use']
    resourceNames: ['allow-privileged']  # Use the name of your PSP
  ```

  5. Apply the ClusterRole to your cluster:

  ```bash
  kubectl apply -f cluster-role.yaml
  ```

  6. Create a ClusterRoleBinding to bind the ClusterRole to the `backup-namespace` where you want to allow privileged containers:

  ```yaml
  apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRoleBinding
  metadata:
    name: bind-allow-privileged-psp
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: ClusterRole
    name: use-allow-privileged-psp  # Use the name of your ClusterRole
  subjects:
  - kind: ServiceAccount
    name: default  # Use the appropriate ServiceAccount name or account that you want to apply the PSP to
    namespace: backup-namespace  # Specify the target namespace
  ```

  7. Apply the ClusterRoleBinding to your cluster:

  ```bash
  kubectl apply -f cluster-role-binding.yaml
  ```
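Steps 2 to 7 only work as a chain: the binding must name the ServiceAccount (or its namespace-wide group), its `roleRef` must point at a ClusterRole that exists, and that role must grant `use` on `podsecuritypolicies` in the `policy` API group for exactly the PSP's name. A typo in any of these links is accepted by `kubectl apply` but grants nothing. The script below is an added example (not T4K's code) that transcribes the page's manifests as dicts and models that resolution; `DANGLING_BINDING`, `GROUP_BINDING` and `restore-namespace` are constructed. Note that PodSecurityPolicy was removed in Kubernetes 1.25, so this check only applies to clusters that still run it.

```python
"""Consistency check for the PodSecurityPolicy/RBAC chain above (added example, not T4K code).

Models how the PSP admission controller decides that a ServiceAccount may
'use' a PSP: ClusterRoleBinding subject -> roleRef -> ClusterRole rule with
apiGroups 'policy', resources 'podsecuritypolicies', verbs 'use' and the PSP
name in resourceNames. Group subjects 'system:serviceaccounts' and
'system:serviceaccounts:<namespace>' are honoured, as Kubernetes does.
"""

# Manifests from steps 4 and 6, as dicts (names are the page's placeholders).
CLUSTER_ROLES = [{
    "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
    "metadata": {"name": "use-allow-privileged-psp"},
    "rules": [{"apiGroups": ["policy"], "resources": ["podsecuritypolicies"],
               "verbs": ["use"], "resourceNames": ["allow-privileged"]}],
}]

BINDINGS = [{
    "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRoleBinding",
    "metadata": {"name": "bind-allow-privileged-psp"},
    "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole",
                "name": "use-allow-privileged-psp"},
    "subjects": [{"kind": "ServiceAccount", "name": "default",
                  "namespace": "backup-namespace"}],
}]

# Constructed: the same binding with a typo in roleRef.name. The API server accepts it,
# but it grants nothing because the referenced ClusterRole does not exist.
DANGLING_BINDING = {**BINDINGS[0],
                    "roleRef": {**BINDINGS[0]["roleRef"], "name": "use-allow-privileged-psp-typo"}}

# Constructed: one way to cover every ServiceAccount in a second (restore) namespace.
GROUP_BINDING = {**BINDINGS[0], "metadata": {"name": "bind-allow-privileged-psp-restore"},
                 "subjects": [{"kind": "Group", "apiGroup": "rbac.authorization.k8s.io",
                               "name": "system:serviceaccounts:restore-namespace"}]}


def _rule_grants_use(rule, psp_name):
    """A rule grants 'use' on the named PSP if every field matches (or is '*')."""
    def has(field, wanted):
        values = rule.get(field, [])
        return "*" in values or wanted in values
    if not (has("apiGroups", "policy") and has("resources", "podsecuritypolicies")
            and has("verbs", "use")):
        return False
    names = rule.get("resourceNames")  # absent resourceNames means every PSP
    return names is None or psp_name in names


def _subject_covers(subject, namespace, sa_name):
    """The ServiceAccount itself, or a group every ServiceAccount in that namespace belongs to."""
    if subject["kind"] == "ServiceAccount":
        return subject["name"] == sa_name and subject.get("namespace") == namespace
    if subject["kind"] == "Group":
        return subject["name"] in ("system:serviceaccounts",
                                   f"system:serviceaccounts:{namespace}")
    return False


def can_use_psp(cluster_roles, bindings, namespace, sa_name, psp_name):
    """Walk binding -> roleRef -> rules and report whether 'use' on the PSP is granted."""
    roles = {r["metadata"]["name"]: r for r in cluster_roles}
    for binding in bindings:
        if not any(_subject_covers(s, namespace, sa_name) for s in binding.get("subjects", [])):
            continue
        ref = binding["roleRef"]
        role = roles.get(ref["name"]) if ref["kind"] == "ClusterRole" else None
        if role is None:
            continue  # dangling or non-ClusterRole reference: grants nothing
        if any(_rule_grants_use(rule, psp_name) for rule in role["rules"]):
            return True
    return False


if __name__ == "__main__":
    for ns in ("backup-namespace", "restore-namespace"):
        ok = can_use_psp(CLUSTER_ROLES, BINDINGS, ns, "default", "allow-privileged")
        print(f"default SA in {ns}: {'may' if ok else 'may NOT'} use allow-privileged")
    print("with the extra group binding, restore-namespace:",
          can_use_psp(CLUSTER_ROLES, BINDINGS + [GROUP_BINDING], "restore-namespace", "default", "allow-privileged"))
    print("dangling roleRef grants use:",
          can_use_psp(CLUSTER_ROLES, [DANGLING_BINDING], "backup-namespace", "default", "allow-privileged"))
```

On a live cluster the equivalent check is `kubectl auth can-i use podsecuritypolicy/allow-privileged --as=system:serviceaccount:backup-namespace:default`; the script reproduces that answer from the manifests alone, and shows that the page's binding covers only the one namespace and ServiceAccount it names.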

{% hint style="info" %}
Make sure to adapt the configuration to your specific use case and security requirements. Please consult your system administrator before updating the PodSecurityPolicy.
{% endhint %}
