Open lcgkm opened 6 years ago
Can you provide your configuration and if possible IAM policy? If you're using KMS or some of the other options it may affect the permissions required. It does require put, get, list, and delete on the specified key prefix.
My IAM policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "s3:ListObjects"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::consul-backup/*"
      ]
    },
    {
      "Sid": "VisualEditor2",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": [
        "arn:aws:s3:::consul-backup"
      ]
    }
  ]
}
If you're using KMS or some of the other options it may affect the permissions required.
No, I don't use KMS. But what are the other options for consul snapshot? Can you share some details on this?
I lost "s3:ListBucketVersions" https://www.consul.io/docs/commands/snapshot/agent.html
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::consul-data/consul-snapshots/consul-*.snap"
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucketVersions",
        "s3:ListBucket"
      ],
      "Resource": "arn:aws:s3:::consul-data"
    }
  ]
}
@lcgkm, did you figure out what was the issue that is causing this? I'm sure folks who have gone through the same issue would like to know as well.
@lcgkm, did you figure out what was the issue that is causing this? I'm sure folks who have gone through the same issue would like to know as well.
I lost "s3:ListBucketVersions" Please check the example IAM policy document from: https://www.consul.io/docs/commands/snapshot/agent.html
For others that land here via Google, I had the same issue but for me it was caused by using a KMS key for S3 encryption. The relevant IAM policy addition was this:
{
  "Effect": "Allow",
  "Action": [
    "kms:GenerateDataKey"
  ],
  "Resource": [
    "arn:aws:kms:<region>:<key_identifier>"
  ]
}
Since I had snapshot rotation disabled, the only other permission I needed was s3:PutObject.
Thanks @jmariondev, we should probably add a note about KMS to the docs given it may happen again.
Currently, we have set up a consul snapshot agent to back up our consul data. But we found the following error message:
Our target S3 bucket permissions are:
But we can see the snapshot files have been uploaded to AWS S3. Why do I still get the error message?
Maybe our target S3 bucket permissions are not enough? Should we assign some other S3 permissions to our target S3 bucket?
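The permission gaps this thread runs into can be checked offline against a policy document before the agent is deployed. The following is an added example, not part of the original posts or of Consul's own code; the `REQUIRED` list is an assumption collected from the comments above, and the function names and sample object key are illustrative.

```python
import fnmatch

# Actions named in this thread and the kind of ARN each is checked against.
# Assumption: collected from the comments above, not taken from Consul's source.
REQUIRED = {"s3:PutObject": "object", "s3:GetObject": "object",
            "s3:DeleteObject": "object", "s3:ListBucket": "bucket",
            "s3:ListBucketVersions": "bucket"}

def _as_list(value):
    # IAM allows a single string wherever a list is accepted
    return value if isinstance(value, list) else [value]

def _allowed(policy, action, arn):
    """True if one Allow statement matches both the action and the ARN.
    Simplified: ignores Deny, NotAction, NotResource and Condition."""
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        # Action names are case-insensitive, ARNs are case-sensitive
        act = any(fnmatch.fnmatchcase(action.lower(), a.lower())
                  for a in _as_list(stmt.get("Action", [])))
        res = any(fnmatch.fnmatchcase(arn, r)
                  for r in _as_list(stmt.get("Resource", [])))
        if act and res:
            return True
    return False

def missing_actions(policy, bucket, key, kms_key_arn=None):
    """List the actions the policy does not allow for this bucket and object key."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    targets = {"bucket": bucket_arn, "object": f"{bucket_arn}/{key}"}
    missing = [a for a, kind in REQUIRED.items()
               if not _allowed(policy, a, targets[kind])]
    if kms_key_arn and not _allowed(policy, "kms:GenerateDataKey", kms_key_arn):
        missing.append("kms:GenerateDataKey")
    return missing

# The first policy posted in the thread, as a Python dict (Sids omitted)
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:DescribeInstances", "s3:ListObjects"],
     "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
     "Resource": ["arn:aws:s3:::consul-backup/*"]},
    {"Effect": "Allow", "Action": "s3:ListBucket",
     "Resource": ["arn:aws:s3:::consul-backup"]}]}

if __name__ == "__main__":
    # Object key is a constructed sample
    print(missing_actions(POLICY, "consul-backup", "consul-1.snap"))
```

Pass `kms_key_arn` when the bucket uses a KMS key for encryption, so the `kms:GenerateDataKey` grant mentioned above is checked as well.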