S3 Offsite Backup Permissions

Hi,

What are the recommended/minimal AWS S3 privileges for Otto FMS’ Offsite Backups feature? I’d prefer to avoid granting full access privileges for the AWS Access Key, if at all possible. I was not able to find this information in the docs.

Thanks!

Hey Nick,

Welcome to the community! OttoFMS uses the following AWS permissions to do file transfers to AWS storage:

  • ListBucket
  • DeleteObject
  • GetObject
  • PutObject
  • PutObjectACL
  • CreateBucket

I would also recommend the ListAllMyBuckets permission, as that allows OttoFMS to give you a list of buckets to choose from when creating offsite schedules. Without this you will need to enter a full path when adding an offsite location and manually enter the bucket when creating a schedule.

I’ll add this list to the docs as well. Let me know if you have any issues with these!

-Kyle

1 Like

Hi Kyle,

My client’s org has restricted their access so they can only write to and delete from existing buckets. Since ListAllMyBuckets is already optional (though recommended), is it possible for the CreateBucket permission to be optional as well?

error with bucket endpoint

When I set the endpoint as (bucket-name).s3.(region).amazonaws.com, and provide values for the optional Bucket and Remote folder, I’m able to successfully “Test” the configuration. However, when I try to save it I get the following error:

Error: OttoFMS API Error: Invalid connection information: Unable to list buckets, please supply a bucket name and remote path to verify access: No buckets found. HTTP Status Code: 400.

error with standard endpoint

When I set the endpoint as s3.(region).amazonaws.com, provide values for the optional Bucket and Remote folder, and try to “Test” the configuration, I get the following error:

Connection failed! Error connecting to remote location: Failed to copy: failed to prepare upload: operation error S3: CreateBucket, https response error StatusCode: 403, RequestID: XXX, HostID: XXX, api error AccessDenied: User: arn:aws:iam::XXXX is not authorized to perform: s3:CreateBucket on resource: “arn:aws:s3:::BUCKET-NAME” because no identity-based policy allows the s3:CreateBucket action

Regards,

Michael

Hey Michael,

This is a requirement by the underlying library that we are using to do the file copying. I think there is a way we could work around it, I’ll take a look at our setup and see if I can get a workaround into one of our future versions. Thanks for the request!

-Kyle

1 Like

Hey Michael,

I forgot to mention this, but there is a way to fix this immediately. If you have access to the server you can edit the rclone.conf file in the config directory in your OttoFMS application folder.

Your offsite location should look something like this in that file:

[offsite]
type = s3
provider = Other
access_key_id = access_key
endpoint = offsite.offsite.com/
region = us-east-1
env_auth = false
acl = private
server_side_encryption = 
storage_class = 
location_constraint = 
secret_access_key = my_secret_here

If you add no_check_bucket = true as another line to that, it should stop needing the Create Bucket permission. Let me know if that doesn’t work for you!

I’m also going to get this into our next version of OttoFMS if you’d rather wait for that.

-Kyle

1 Like
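Putting Kyle's permission list and the CreateBucket workaround together, here is an added example (not OttoFMS code, and not from anyone in this thread) that builds a least-privilege IAM policy scoped to one existing bucket and reviews an arbitrary policy against that list. The bucket name and folder are constructed placeholders; s3:CreateBucket is omitted on the assumption that `no_check_bucket = true` is set in rclone.conf as described above.

```python
import json

# OttoFMS offsite-backup actions as listed in this thread, minus CreateBucket,
# which rclone only needs when it is allowed to create the bucket itself.
REQUIRED = {"s3:listbucket", "s3:getobject", "s3:putobject",
            "s3:putobjectacl", "s3:deleteobject"}
OPTIONAL = {"s3:listallmybuckets"}  # only feeds the bucket drop-down in the UI


def offsite_backup_policy(bucket, prefix="", list_all_buckets=True):
    """Least-privilege IAM policy for one existing bucket (optionally one folder)."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    statements = [
        {"Sid": "ListExistingBucket", "Effect": "Allow",
         "Action": ["s3:ListBucket"], "Resource": [bucket_arn]},
        {"Sid": "ObjectReadWriteDelete", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:PutObjectAcl", "s3:DeleteObject"],
         "Resource": [f"{bucket_arn}/{prefix}*"]},  # objects under the remote folder only
    ]
    if list_all_buckets:
        statements.append({"Sid": "ListBucketsForDropdown", "Effect": "Allow",
                           "Action": ["s3:ListAllMyBuckets"], "Resource": ["*"]})
    return {"Version": "2012-10-17", "Statement": statements}


def _as_list(v):
    return [v] if isinstance(v, str) else list(v)


def review_policy(policy):
    """Return (missing_required_actions, findings) for a policy dict or JSON string."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    granted, findings = set(), []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(st.get("Action", []))]
        resources = _as_list(st.get("Resource", []))
        granted.update(actions)
        for a in actions:
            if a in ("*", "s3:*"):
                findings.append(f"wildcard action {a!r} grants far more than OttoFMS needs")
            elif a == "s3:createbucket":
                findings.append("s3:CreateBucket granted; drop it and set no_check_bucket = true")
        if "*" in resources and not set(actions) <= OPTIONAL:
            findings.append(f"statement {st.get('Sid', '?')} applies to every bucket (Resource '*')")
    missing = set() if {"*", "s3:*"} & granted else REQUIRED - granted
    return sorted(missing), findings
```

If the org's security team hands back a policy, run it through `review_policy` to see which of OttoFMS's actions would still be missing before touching the offsite location in the UI.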