# AWS S3 Target Permissions

To add AWS S3 (object storage) as a Target within T4K, the IAM user whose credentials are supplied to T4K needs the following access permissions on the bucket.

* **Implementation Step**
  1. Create the following Policy in AWS

     * **Note:** replace `bucketname` with the name of the S3 bucket.

     ```json
     {
         "Version": "2012-10-17",
         "Statement": [
             {
                 "Effect": "Allow",
                 "Action": [
                     "s3:ListBucket",
                     "s3:PutObject",
                     "s3:GetObject",
                     "s3:DeleteObject"
                 ],
                 "Resource": [
                     "arn:aws:s3:::bucketname",
                     "arn:aws:s3:::bucketname/*"
                 ]
             },
             {
                 "Effect": "Deny",
                 "NotAction": "s3:*",
                 "NotResource": [
                     "arn:aws:s3:::bucketname",
                     "arn:aws:s3:::bucketname/*"
                 ]
             }
         ]
     }
     ```
  2. Attach the policy to an IAM user and collect that user's Access key ID and Secret access key; these credentials are entered when adding the AWS target in T4K.
  3. Optional: if a bucket policy is attached to the bucket, it must also grant the same user access. An example bucket policy:

     * **Note:** `Alice` is an IAM user in the AWS account `111122223333`; replace `my_bucket` with the name of the S3 bucket.

     ```json
     {
         "Version": "2012-10-17",
         "Statement": [
             {
                 "Effect": "Allow",
                 "Principal": {
                     "AWS": [
                         "arn:aws:iam::111122223333:user/Alice"
                     ]
                 },
                 "Action": [
                     "s3:ListBucket",
                     "s3:PutObject",
                     "s3:GetObject",
                     "s3:DeleteObject"
                 ],
                 "Resource": [
                     "arn:aws:s3:::my_bucket",
                     "arn:aws:s3:::my_bucket/*"
                 ]
             }
         ]
     }
     ```
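As an added example that is not part of this page or of T4K itself, the following Python script evaluates the identity policy from step 1 and the bucket policy from step 3 offline against a handful of probe requests, so the scope of what the T4K user can and cannot do is visible before the policy is attached. The policy documents are the page's, transcribed as Python dicts with the `bucketname` / `my_bucket` placeholders replaced by one constructed bucket name; the probe requests, the hypothetical `BROAD_S3_POLICY`, and the evaluation rules (the same-account case: an explicit Deny wins, then an Allow from either the identity or the bucket policy, otherwise implicit deny) are mine, and `Condition` elements and cross-account evaluation are not modelled.

```python
import fnmatch

# Constructed bucket name standing in for the `bucketname` / `my_bucket` placeholders on this page.
BUCKET = "bucketname"
BUCKET_ARNS = [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"]
T4K_ACTIONS = ["s3:ListBucket", "s3:PutObject", "s3:GetObject", "s3:DeleteObject"]

# Identity policy from step 1 (attached to the IAM user).
USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": T4K_ACTIONS, "Resource": BUCKET_ARNS},
        {"Effect": "Deny", "NotAction": "s3:*", "NotResource": BUCKET_ARNS},
    ],
}

# Bucket policy from step 3; account id and user name are the page's example values.
ALICE = "arn:aws:iam::111122223333:user/Alice"
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": [ALICE]},
         "Action": T4K_ACTIONS, "Resource": BUCKET_ARNS},
    ],
}

# Hypothetical second identity policy, used to show what the Deny guard in step 1 does not cover.
BROAD_S3_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _match(patterns, value, fold_case=False):
    # IAM wildcards are '*' and '?'; action names are case-insensitive, ARNs are not.
    patterns = _as_list(patterns)
    if fold_case:
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _principal_applies(stmt, principal):
    if "Principal" not in stmt:          # identity-based policies carry no Principal element
        return True
    p = stmt["Principal"]
    if isinstance(p, str):
        return p == "*" or p == principal
    return principal in _as_list(p.get("AWS", []))


def statement_applies(stmt, principal, action, resource):
    """True when every element filter of the statement matches the request."""
    if not _principal_applies(stmt, principal):
        return False
    if "Action" in stmt and not _match(stmt["Action"], action, fold_case=True):
        return False
    if "NotAction" in stmt and _match(stmt["NotAction"], action, fold_case=True):
        return False
    if "Resource" in stmt and not _match(stmt["Resource"], resource):
        return False
    if "NotResource" in stmt and _match(stmt["NotResource"], resource):
        return False
    return True


def evaluate(identity_policies, bucket_policy, principal, action, resource):
    """Same-account decision: explicit Deny wins, then any Allow from either policy type,
    otherwise implicit deny. Condition elements are not modelled."""
    decision = "ImplicitDeny"
    policies = list(identity_policies) + ([bucket_policy] if bucket_policy else [])
    for policy in policies:
        for stmt in policy["Statement"]:
            if not statement_applies(stmt, principal, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


# Constructed probe requests: what a backup target needs, and what it should not reach.
PROBES = {
    "read backup object": ("s3:GetObject", f"arn:aws:s3:::{BUCKET}/backups/meta.json"),
    "list the bucket": ("s3:ListBucket", f"arn:aws:s3:::{BUCKET}"),
    "read another bucket": ("s3:GetObject", "arn:aws:s3:::other-bucket/secret.txt"),
    "list all buckets": ("s3:ListAllMyBuckets", "*"),
    "non-S3 API call": ("ec2:DescribeInstances", "*"),
}


def scope_report(identity_policies, bucket_policy=None, principal=ALICE):
    """Decision per probe for the given policy set."""
    return {name: evaluate(identity_policies, bucket_policy, principal, action, resource)
            for name, (action, resource) in PROBES.items()}


if __name__ == "__main__":
    print("step 1 identity policy + step 3 bucket policy:")
    for name, decision in scope_report([USER_POLICY], BUCKET_POLICY).items():
        print(f"  {name:20s} {decision}")
    print("with a broad s3:* policy also attached to the user:")
    for name, decision in scope_report([USER_POLICY, BROAD_S3_POLICY]).items():
        print(f"  {name:20s} {decision}")
```

Running it shows the four T4K actions on the bucket allowed, access to other buckets and `s3:ListAllMyBuckets` implicitly denied, and non-S3 calls explicitly denied. The second run illustrates a limit of the Deny statement in step 1: because it matches only actions outside `s3:*` on resources outside the bucket, S3 permissions granted to the same user by another attached policy are not restricted by it, so the user should carry no other S3 policies.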
* **Security Settings:**

  **Note:** T4K’s privilege escalation is scoped exclusively to the `trilio-systems` namespace; elevated privileges are not required in other namespaces, and they are required for the Data Upload and Metadata Upload states.

  1. To perform target browsing, privileged containers are required for both object storage and NFS targets.\
     Refer to the official documentation: [Pod Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)
  2. If privileged containers have been restricted in the backup and/or restore namespaces, the PodSecurityPolicy must be edited to allow them.\
     Create or edit a PodSecurityPolicy with the necessary privileges and save it in a YAML file, for example `allow-privileged-psp.yaml`:

     ```yaml
     apiVersion: policy/v1beta1
     kind: PodSecurityPolicy
     metadata:
       name: allow-privileged
     spec:
       privileged: true
     ```
  3. Apply or update the PodSecurityPolicy in your cluster:

     ```bash
     kubectl apply -f allow-privileged-psp.yaml
     ```
  4. Next, create a ClusterRole that allows the use of the PodSecurityPolicy and save it as `cluster-role.yaml`:

     ```yaml
     apiVersion: rbac.authorization.k8s.io/v1
     kind: ClusterRole
     metadata:
       name: use-allow-privileged-psp
     rules:
     - apiGroups: ['policy']
       resources: ['podsecuritypolicies']
       verbs: ['use']
       resourceNames: ['allow-privileged']  # Use the name of your PSP
     ```
  5. Apply the ClusterRole to your cluster:

     ```bash
     kubectl apply -f cluster-role.yaml
     ```
  6. Create a ClusterRoleBinding that binds the ClusterRole to the ServiceAccount in `backup-namespace`, the namespace where you want to allow privileged containers, and save it as `cluster-role-binding.yaml`:

     ```yaml
     apiVersion: rbac.authorization.k8s.io/v1
     kind: ClusterRoleBinding
     metadata:
       name: bind-allow-privileged-psp
     roleRef:
       apiGroup: rbac.authorization.k8s.io
       kind: ClusterRole
       name: use-allow-privileged-psp  # Use the name of your ClusterRole
     subjects:
     - kind: ServiceAccount
       name: default  # Use the ServiceAccount that you want to apply the PSP to
       namespace: backup-namespace  # Specify the target namespace
     ```
  7. Apply the ClusterRoleBinding to your cluster:

     ```bash
     kubectl apply -f cluster-role-binding.yaml
     ```
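As an added example that is not part of this page or of T4K, the Python script below checks that the three objects from steps 2, 4 and 6 actually link up before they are applied: the PSP is privileged, the ClusterRole grants `use` on that PSP by name, the ClusterRoleBinding references that ClusterRole, and its subject lives in the backup namespace. It also warns when the subject is the namespace's `default` ServiceAccount, because that extends the privileged grant to every pod in the namespace that does not set its own `serviceAccountName`. The manifests are the page's, transcribed as Python dicts; the check logic is mine. One caveat not stated on this page: PodSecurityPolicy was removed from Kubernetes in version 1.25, so these steps apply to clusters on earlier releases; on newer clusters the namespace's Pod Security Admission level decides whether privileged pods are admitted.

```python
# Manifests from steps 2, 4 and 6 as Python dicts (the objects `kubectl apply` would
# create from the YAML files); names and the namespace are the page's example values.
PSP = {"apiVersion": "policy/v1beta1", "kind": "PodSecurityPolicy",
       "metadata": {"name": "allow-privileged"}, "spec": {"privileged": True}}

CLUSTER_ROLE = {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
                "metadata": {"name": "use-allow-privileged-psp"},
                "rules": [{"apiGroups": ["policy"], "resources": ["podsecuritypolicies"],
                           "verbs": ["use"], "resourceNames": ["allow-privileged"]}]}

BINDING = {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRoleBinding",
           "metadata": {"name": "bind-allow-privileged-psp"},
           "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole",
                       "name": "use-allow-privileged-psp"},
           "subjects": [{"kind": "ServiceAccount", "name": "default",
                         "namespace": "backup-namespace"}]}


def _rule_grants_use(rule, psp_name):
    """RBAC rule semantics: apiGroup, resource and verb must all match, and
    resourceNames, if present, must name the PSP."""
    groups = rule.get("apiGroups", [])
    group_ok = "policy" in groups or "*" in groups
    resource_ok = any(r in ("podsecuritypolicies", "*") for r in rule.get("resources", []))
    verb_ok = any(v in ("use", "*") for v in rule.get("verbs", []))
    names = rule.get("resourceNames")
    return group_ok and resource_ok and verb_ok and (names is None or psp_name in names)


def check_psp_chain(psp, role, binding, namespace):
    """Return (errors, warnings): errors break the chain, warnings are grants
    broader than the backup workload needs."""
    errors, warnings = [], []
    psp_name = psp["metadata"]["name"]
    role_name = role["metadata"]["name"]

    if psp.get("kind") != "PodSecurityPolicy" or not psp.get("spec", {}).get("privileged", False):
        errors.append(f"PSP {psp_name!r} does not set spec.privileged: true")
    if not any(_rule_grants_use(r, psp_name) for r in role.get("rules", [])):
        errors.append(f"ClusterRole {role_name!r} has no rule granting `use` on PSP {psp_name!r}")
    ref = binding.get("roleRef", {})
    if ref.get("kind") != "ClusterRole" or ref.get("name") != role_name:
        errors.append(f"ClusterRoleBinding roleRef {ref.get('name')!r} does not point at "
                      f"ClusterRole {role_name!r}")

    subjects = binding.get("subjects", [])
    if not any(s.get("kind") == "ServiceAccount" and s.get("namespace") == namespace
               for s in subjects):
        errors.append(f"no ServiceAccount subject in namespace {namespace!r}")
    for s in subjects:
        if s.get("kind") == "ServiceAccount" and s.get("name") == "default":
            warnings.append(f"subject is the `default` ServiceAccount of {s.get('namespace')!r}: "
                            "every pod there that does not set serviceAccountName may run "
                            "privileged; prefer the backup workload's own ServiceAccount")
        if s.get("kind") == "Group" and s.get("name") in ("system:authenticated",
                                                          "system:serviceaccounts"):
            warnings.append(f"subject {s['name']!r} allows privileged pods cluster-wide")
    return errors, warnings


if __name__ == "__main__":
    errors, warnings = check_psp_chain(PSP, CLUSTER_ROLE, BINDING, "backup-namespace")
    for msg in errors:
        print("ERROR:", msg)
    for msg in warnings:
        print("WARN: ", msg)
    print("chain is broken" if errors else "chain links up")
```

On the page's manifests the chain links up and the only output is the warning about the `default` ServiceAccount; changing any one name (the PSP, the ClusterRole, or the namespace) without updating the object that references it produces an error, which is the mistake the `# Use the name of your ...` comments in the YAML guard against.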

{% hint style="info" %}
Make sure to adapt the configuration to your specific use case and security requirements. Please consult your system administrator before updating the PodSecurityPolicy.
{% endhint %}
