AWS S3 Target Permissions

Permissions required to add S3 as a target to T4K

To add AWS S3 (object storage) as a Target within T4K, users need specific access permissions on the bucket.

  • Implementation Step

    1. Create the following Policy in AWS

      • Note: replace bucketname with name of the s3 bucket name

      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "s3:ListBucket",
                      "s3:PutObject",
                      "s3:GetObject",
                      "s3:DeleteObject"
                  ],
                  "Resource": [
                      "arn:aws:s3:::bucketname",
                      "arn:aws:s3:::bucketname/*"
                  ]
              },
              {
                  "Effect": "Deny",
                  "NotAction": "s3:*",
                  "NotResource": [
                      "arn:aws:s3:::bucketname",
                      "arn:aws:s3:::bucketname/*"
                  ]
              }
          ]
      }
    2. Attach policy to a user and collect the Access key ID ,Secret access key which the user has to provide while adding an AWS target.

    3. Optional: In case an AWS policy has been attached to a bucket then the bucket policy should be as follows:

      • Note: Alice is user in root account 111122223333

      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Principal": {
                  "AWS": [
                          "arn:aws:iam::111122223333:user/Alice",
                  ]
                  },
                  "Action": [                        
                      "s3:ListBucket",
                      "s3:PutObject",
                      "s3:GetObject",
                      "s3:DeleteObject"
                     ],
                  "Resource": [
                      "arn:aws:s3:::my_bucket",
                      "arn:aws:s3:::my_bucket/*"
                  ]
              }
          ]
      }
  • Security Settings:

    1. To perform target browsing, privileged containers are required for both object storage and NFS storage. Refer to the official documentation: Pod Security Context

    2. If user has restricted privileged containers across backup and/or restore namespaces. PodSecurityPolicy should be edited to allow privileged containers. Create or edit the PodSecurityPolicy with the necessary privileges. Save this configuration in a YAML file, for example, allow-privileged-psp.yaml:

    apiVersion: policy/v1beta1
    kind: PodSecurityPolicy
    metadata:
      name: allow-privileged
    spec:
      privileged: true
    1. Apply or update the PodSecurityPolicy in your cluster:

    kubectl apply -f allow-privileged-psp.yaml
    1. Next, create a ClusterRole that allows the use of the PodSecurityPolicy:

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: use-allow-privileged-psp
    rules:
    - apiGroups: ['policy']
      resources: ['podsecuritypolicies']
      verbs: ['use']
      resourceNames: ['allow-privileged']  # Use the name of your PSP
    1. Apply the ClusterRole to your cluster:

    kubectl apply -f cluster-role.yaml
    1. Create a ClusterRoleBinding to bind the ClusterRole to the backup-namespace where you want to allow privileged containers:

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: bind-allow-privileged-psp
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: use-allow-privileged-psp  # Use the name of your ClusterRole
    subjects:
    - kind: ServiceAccount
      name: default  # Use the appropriate ServiceAccount name or account that you want to apply the PSP to
      namespace: backup-namespace  # Specify the target namespace
    1. Apply the ClusterRoleBinding to your cluster:

    kubectl apply -f cluster-role-binding.yaml

Make sure to adapt the configuration to your specific use case and security requirements. Please consult your system administrator before updating the PodSecurityPolicy.