Amazon S3 - Cloud Credentials - Verify Credentials - Access Denied

ihr

Dabbler
Joined
Jan 3, 2023
Messages
22
Hi,

I'm trying to configure TrueNAS SCALE so it periodically clones the content of my backups to the cloud, but I'm stuck on the very first step: adding the credentials.

I enter -> Credentials -> Backup Credentials -> Cloud Credentials and press Add. On the right a panel is opened.

I add the access key and Secret just created.
The user has a policy to access the specific s3 bucket in the "eu-south-2" region.

Window.png


This is the policy that is set to the user (note, the real bucket name has been changed)

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::this-is-not-a-real-bucket-name"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject"
            ],
            "Resource": "arn:aws:s3:::this-is-not-a-real-bucket-name/*"
        }
    ]
}

When I press the "Verify Credential" button I obtain this error (some characters changed randomly to avoid security issues):

Error: <3>ERROR : : error listing: AccessDenied: Access Denied status code: 403, request id: 9PCHSSSS1Z0N9RY2, host id: B+QND7d9tHxaZa9aJnEhjqJ1bv0+UVohpiOtTZmWh8mdihgzACxDvBQ9OlWtWWE/RYQgmCG3O8g= Failed to lsjson with 2 errors: last error was: error in ListJSON: AccessDenied: Access Denied status code: 403, request id: 9PCHSSSS1Z0N9RY2, host id: B+QND7d9tHxaZa9aJnEhjqJ1bv0+UVohpiOtTZmWh8mdihgzACxDvBQ9OlWtWWE/RYQgmCG3O8g=

What could be wrong?
 

madsci1016

Dabbler
Joined
Dec 31, 2022
Messages
12
Hello there!

@madsci1016 no, for me this functionality is broken

I got it to work. First issue was time, it took a while for permission changes made in the AWS console to take effect. Notes for you or anyone reading this.

1) Using the root access key is probably easiest here, but like the thousands of warnings in AWS tell you, it's not advised. Use your AWS console to make a new user.
2) Make the new User, (I called mine "server") and generate new keys for that user in AWS.
3) You have to assign this user Permission Policies. See picture.
1688647955409.png

4) Create your bucket in S3 now (NOT S3 Glacier, even if you want to use Glacier).
5) Let it guide you to disabling all public access to the bucket.
6) Now you have to give user permission to the user you created to access this bucket. Click the bucket, then the Permissions tab. Create this bucket policy. You can use the policy examples/creator to help you, but basically you need to call out the user you created (Principal), the permission (Action, notice I gave it all S3 actions) and the resource (the name of the bucket AND a second line with the name of the bucket/* for file permissions).
1688648397111.png

7) After that, wait 15 mins and test TrueNAS. I was able to push 1TB into Deep Glacier just fine last night (the config in TrueNAS lets you set storage tiers and client-side encryption (recommended)).
1688648489161.png

(400 Mb upload! Wooo!)

Someone may be able to correct me in fine-tuning the access policies to only what you need. But I quit at this once I got it to work.
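
Added example, not part of the original thread: a simplified evaluator for the identity policy in the first post, showing which requests it allows, plus a check that flags wildcard actions such as the "all S3 actions" grant described in the second post. It assumes the Verify Credential check lists at the account level (authorized as s3:ListAllMyBuckets on resource "*"), which the thread does not state; the function names and sample requests are constructed.

```python
import re

# Policy from the first post (bucket name is the poster's placeholder; Sids omitted).
BUCKET = "arn:aws:s3:::this-is-not-a-real-bucket-name"
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": BUCKET},
        {"Effect": "Allow",
         "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
         "Resource": BUCKET + "/*"},
    ],
}

def _match(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' is any run of characters, '?' is one."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, value, re.I if ignore_case else 0) is not None

def _as_list(v):
    return v if isinstance(v, list) else [v]

def evaluate(policy, action, resource):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one request.
    Simplified: identity policy only; Condition/NotAction/NotResource ignored."""
    decision = "ImplicitDeny"
    for st in _as_list(policy["Statement"]):
        hit = (any(_match(a, action, True) for a in _as_list(st["Action"]))
               and any(_match(r, resource) for r in _as_list(st["Resource"])))
        if hit and st["Effect"] == "Deny":
            return "Deny"          # explicit deny always wins
        if hit:
            decision = "Allow"
    return decision

def broad_statements(policy):
    """Sid (or index) of statements whose Action contains a wildcard, e.g. 's3:*'."""
    return [st.get("Sid", i) for i, st in enumerate(_as_list(policy["Statement"]))
            if any("*" in a for a in _as_list(st["Action"]))]

if __name__ == "__main__":
    # Constructed requests; the account-level listing is the assumed credential check.
    for action, resource in [("s3:ListAllMyBuckets", "*"), ("s3:ListBucket", BUCKET),
                             ("s3:PutObject", BUCKET + "/backups/a.tar")]:
        print(f"{evaluate(POLICY, action, resource):12} {action} {resource}")
```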
 

cantNAS

Cadet
Joined
Dec 26, 2023
Messages
4
Thank you for the help with this post. I was able to set up the S3 bucket, policy, IAM user and push backups from TrueNAS to the bucket. You mentioned being able to save to S3 Glacier. Could you share how you were able to do this? At the moment I'm just able to push to Regular S3. Thank you in advance.
 