我想为 Kasten 设置一个位置配置文件,以便在 AWS 上的 S3 存储桶上执行备份。文档建议向指定执行备份的用户/角色授予最低权限,但在尝试仅使用 IAM 策略中的这些权限添加配置文件时,我不断收到错误消息。 https://docs.kasten.io/latest/usage/configuration.html#profile-creation
当我向用户授予完全 S3 访问权限时,配置文件已正确添加,但我不想这样做。
正确的最低权限是文档中这两页上指定的权限的组合:
您的最小权限策略应如下所示(只需在末尾替换您的存储桶名称):
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"s3:GetBucketObjectLockConfiguration",
"s3:PutObject",
"s3:GetObject",
"s3:GetObjectRetention",
"s3:PutObjectRetention",
"s3:PutBucketPolicy",
"s3:ListBucket",
"s3:DeleteObject",
"s3:DeleteBucketPolicy",
"s3:GetBucketLocation",
"s3:GetBucketPolicy"
],
"Resource": [
"arn:aws:s3:::{BUCKET_NAME}",
"arn:aws:s3:::{BUCKET_NAME}/*"
]
}
]
}
从 K10 Helm Chart v6.5.7 开始,Marko 的政策 不再适用于我。
我现在使用以下:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:GetBucketLocation",
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": [
"s3:GetBucketObjectLockConfiguration",
"s3:ListBucketMultipartUploads",
"s3:ListBucketVersions",
"s3:ListBucket",
"s3:GetBucketVersioning"
],
"Resource": "arn:aws:s3:::{BUCKET_NAME}"
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:GetObjectRetention",
"s3:AbortMultipartUpload",
"s3:PutObjectRetention",
"s3:DeleteObjectVersion",
"s3:RestoreObject",
"s3:DeleteObject",
"s3:GetObjectVersion",
"s3:ListMultipartUploadParts"
],
"Resource": "arn:aws:s3:::{BUCKET_NAME}/*"
}
]
}
将
{BUCKET_NAME}
替换为您的 s3 存储桶的名称。