Veeam Backup & Replication v12 is capable of writing backups directly to object storage. In my lab I use Scality Artesca as my S3-compatible object storage, so I created some new buckets to be used with Veeam. Let’s see how this can be done. The procedure can also be useful for people using different products.
In Artesca
In the object storage system I create two users. I do this so I can reduce as much as possible the permissions to access the two buckets, following the Principle of Least Privilege.
Each user has its own associated Access Key, which I will need to copy for later use in Veeam.
Then, in the buckets section, I create the two buckets I want to have in my lab:
Note that vcc-d2o-objectlock has Object Lock Retention enabled, to be later used in Veeam for Immutability:
This is the bucket we are going to use.
In the storage I now have to assign permissions on the bucket to the user I created before. This is done – following AWS S3 protocol – by creating an IAM policy and then attaching it to the user.
So, we create a new policy that allows a user to access the S3 bucket with the additional permissions for managing Object Lock:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation",
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:GetBucketVersioning",
        "s3:GetBucketObjectLockConfiguration",
        "s3:ListBucketVersions",
        "s3:GetObjectVersion",
        "s3:GetObjectRetention",
        "s3:GetObjectLegalHold",
        "s3:PutObjectRetention",
        "s3:PutObjectLegalHold",
        "s3:DeleteObjectVersion"
      ],
      "Resource": [
        "arn:aws:s3:::vcc-d2o-objectlock",
        "arn:aws:s3:::vcc-d2o-objectlock/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:HeadBucket"
      ],
      "Resource": "*"
    }
  ]
}
Note the Resource section: these permissions are only valid when operating on the bucket we created before.
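To confirm that scoping before attaching a policy, the check below audits every Allow statement against the intended bucket. It is an added example, not part of the original post or of any Veeam or Scality tooling; `audit_policy`, `as_list` and `DISCOVERY_ACTIONS` are hypothetical names, and treating the two bucket-discovery actions as acceptable on `*` is an assumption taken from the policy above.

```python
import json

# Object Lock policy from this page, embedded so the check runs offline.
POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow",
   "Action": ["s3:ListBucket", "s3:GetBucketLocation", "s3:GetObject", "s3:PutObject",
              "s3:DeleteObject", "s3:GetBucketVersioning",
              "s3:GetBucketObjectLockConfiguration", "s3:ListBucketVersions",
              "s3:GetObjectVersion", "s3:GetObjectRetention", "s3:GetObjectLegalHold",
              "s3:PutObjectRetention", "s3:PutObjectLegalHold", "s3:DeleteObjectVersion"],
   "Resource": ["arn:aws:s3:::vcc-d2o-objectlock", "arn:aws:s3:::vcc-d2o-objectlock/*"]},
  {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets", "s3:HeadBucket"], "Resource": "*"}
]}
""")

# Assumption: only the actions the page grants on "*" (bucket discovery) may be global.
DISCOVERY_ACTIONS = {"s3:ListAllMyBuckets", "s3:HeadBucket"}


def as_list(value):
    """IAM policies allow a single string or object where a list is expected."""
    return value if isinstance(value, list) else [value]


def audit_policy(policy, bucket):
    """Return findings; an empty list means every Allow is scoped to `bucket`."""
    scoped = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    findings = []
    for i, stmt in enumerate(as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {i}: inverted match (NotAction/NotResource)")
        actions = as_list(stmt.get("Action", []))
        findings += [f"statement {i}: wildcard action {a}" for a in actions if "*" in a]
        for res in as_list(stmt.get("Resource", [])):
            if res in scoped:
                continue
            if res == "*" and set(actions) <= DISCOVERY_ACTIONS:
                continue  # listing buckets is account-wide by nature
            findings.append(f"statement {i}: {actions} allowed on {res}")
    return findings


if __name__ == "__main__":
    result = audit_policy(POLICY, "vcc-d2o-objectlock")
    for line in result or ["policy is scoped to the bucket"]:
        print(line)
```
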
Then I attach the policy to the user by binding the IAM policy:
The storage part is completed.
In Veeam server
In the Veeam server I start the wizard to mount a new object storage, using the S3 Compatible option. I fill the service point option with the DNS name of the object storage, and for the credentials I register the access key I retrieved before when creating the dedicated user:
We select the appropriate bucket (depending on the IAM policy, you may be able to see all buckets but only access the configured one) and we create a folder in it:
As this bucket supports Immutability, we enable the corresponding option in the wizard:
and we complete the mount process.
The bucket is mounted and ready to be used:
You can see that there is another bucket, that doesn’t use immutability. In case you need it, the IAM policy for a bucket WITHOUT object lock is this one (also available in Veeam KB 3151):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject",
        "s3:GetBucketLocation",
        "s3:GetBucketVersioning",
        "s3:GetBucketObjectLockConfiguration"
      ],
      "Resource": [
        "arn:aws:s3:::vcc-d2o-basic/*",
        "arn:aws:s3:::vcc-d2o-basic"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:HeadBucket"
      ],
      "Resource": "*"
    }
  ]
}