AWS S3 Target Permissions

Permissions required to add S3 as a target to T4K

PreviousCustom Resource Definition - Application NextManagement Console

Last updated 2 months ago

Was this helpful?

AWS S3 Target Permissions

Permissions required to add S3 as a target to T4K

To add AWS S3 (object storage) as a Target within T4K, users need specific access permissions on the bucket.

Implementation Step

Create the following Policy in AWS

Note: replace bucketname with name of the s3 bucket name

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::bucketname",
                "arn:aws:s3:::bucketname/*"
            ]
        },
        {
            "Effect": "Deny",
            "NotAction": "s3:*",
            "NotResource": [
                "arn:aws:s3:::bucketname",
                "arn:aws:s3:::bucketname/*"
            ]
        }
    ]
}

Attach policy to a user and collect the Access key ID ,Secret access key which the user has to provide while adding an AWS target.

Optional: In case an AWS policy has been attached to a bucket then the bucket policy should be as follows:

Note: Alice is user in root account 111122223333

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
            "AWS": [
                    "arn:aws:iam::111122223333:user/Alice",
            ]
            },
            "Action": [                        
                "s3:ListBucket",
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject"
               ],
            "Resource": [
                "arn:aws:s3:::my_bucket",
                "arn:aws:s3:::my_bucket/*"
            ]
        }
    ]
}

Security Settings:

To perform target browsing, privileged containers are required for both object storage and NFS storage. Refer to the official documentation:
If user has restricted privileged containers across backup and/or restore namespaces. PodSecurityPolicy should be edited to allow privileged containers. Create or edit the PodSecurityPolicy with the necessary privileges. Save this configuration in a YAML file, for example, allow-privileged-psp.yaml:

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: allow-privileged
spec:
  privileged: true

Apply or update the PodSecurityPolicy in your cluster:

kubectl apply -f allow-privileged-psp.yaml

Next, create a ClusterRole that allows the use of the PodSecurityPolicy:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: use-allow-privileged-psp
rules:
- apiGroups: ['policy']
  resources: ['podsecuritypolicies']
  verbs: ['use']
  resourceNames: ['allow-privileged']  # Use the name of your PSP

Apply the ClusterRole to your cluster:

kubectl apply -f cluster-role.yaml

Create a ClusterRoleBinding to bind the ClusterRole to the backup-namespace where you want to allow privileged containers:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: bind-allow-privileged-psp
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: use-allow-privileged-psp  # Use the name of your ClusterRole
subjects:
- kind: ServiceAccount
  name: default  # Use the appropriate ServiceAccount name or account that you want to apply the PSP to
  namespace: backup-namespace  # Specify the target namespace

Apply the ClusterRoleBinding to your cluster:

kubectl apply -f cluster-role-binding.yaml

Make sure to adapt the configuration to your specific use case and security requirements. Please consult your system administrator before updating the PodSecurityPolicy.

PreviousCustom Resource Definition - Application NextManagement Console

Last updated 2 months ago

Was this helpful?

To add AWS S3 (object storage) as a Target within T4K, users need specific access permissions on the bucket.

Implementation Step

Create the following Policy in AWS

Note: replace bucketname with name of the s3 bucket name

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::bucketname",
                "arn:aws:s3:::bucketname/*"
            ]
        },
        {
            "Effect": "Deny",
            "NotAction": "s3:*",
            "NotResource": [
                "arn:aws:s3:::bucketname",
                "arn:aws:s3:::bucketname/*"
            ]
        }
    ]
}

Attach policy to a user and collect the Access key ID ,Secret access key which the user has to provide while adding an AWS target.

Optional: In case an AWS policy has been attached to a bucket then the bucket policy should be as follows:

Note: Alice is user in root account 111122223333

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
            "AWS": [
                    "arn:aws:iam::111122223333:user/Alice",
            ]
            },
            "Action": [                        
                "s3:ListBucket",
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject"
               ],
            "Resource": [
                "arn:aws:s3:::my_bucket",
                "arn:aws:s3:::my_bucket/*"
            ]
        }
    ]
}

Security Settings:

To perform target browsing, privileged containers are required for both object storage and NFS storage. Refer to the official documentation:
If user has restricted privileged containers across backup and/or restore namespaces. PodSecurityPolicy should be edited to allow privileged containers. Create or edit the PodSecurityPolicy with the necessary privileges. Save this configuration in a YAML file, for example, allow-privileged-psp.yaml:

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: allow-privileged
spec:
  privileged: true

Apply or update the PodSecurityPolicy in your cluster:

kubectl apply -f allow-privileged-psp.yaml

Next, create a ClusterRole that allows the use of the PodSecurityPolicy:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: use-allow-privileged-psp
rules:
- apiGroups: ['policy']
  resources: ['podsecuritypolicies']
  verbs: ['use']
  resourceNames: ['allow-privileged']  # Use the name of your PSP

Apply the ClusterRole to your cluster:

kubectl apply -f cluster-role.yaml

Create a ClusterRoleBinding to bind the ClusterRole to the backup-namespace where you want to allow privileged containers:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: bind-allow-privileged-psp
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: use-allow-privileged-psp  # Use the name of your ClusterRole
subjects:
- kind: ServiceAccount
  name: default  # Use the appropriate ServiceAccount name or account that you want to apply the PSP to
  namespace: backup-namespace  # Specify the target namespace

Apply the ClusterRoleBinding to your cluster:

kubectl apply -f cluster-role-binding.yaml

Make sure to adapt the configuration to your specific use case and security requirements. Please consult your system administrator before updating the PodSecurityPolicy.