将OpsCenter备份到S3用户的IAM策略 [英] IAM Policy for OpsCenter backup to S3 user

问题描述

使用OpsCenter 5.1.0并尝试将S3添加为快照备份的位置. AWS IAM中对opscenter用户有哪些必要权限?到目前为止，我有以下政策:

Using OpsCenter 5.1.0 and trying to add S3 as a location for snapshot backups. What are the necessary permissions in AWS IAM for the opscenter user? So far, I have the following policy:

"Statement": [ { "Effect": "Allow", "Action": [ "s3:ListAllMyBuckets", "s3:GetBucketLocation" ], "Resource": "arn:aws:s3:::*" }, { "Effect": "Allow", "Action": [ "s3:ListBucket", "s3:GetBucketLocation" ], "Resource": [ "arn:aws:s3:::cassandra-bkup" ] }, { "Effect": "Allow", "Action": [ "s3:DeleteObject", "s3:GetObject", "s3:PutObject" ], "Resource": [ "arn:aws:s3:::cassandra-bkup/*" ] } ]

"Statement": [ { "Effect": "Allow", "Action": [ "s3:ListAllMyBuckets", "s3:GetBucketLocation" ], "Resource": "arn:aws:s3:::*" }, { "Effect": "Allow", "Action": [ "s3:ListBucket", "s3:GetBucketLocation" ], "Resource": [ "arn:aws:s3:::cassandra-bkup" ] }, { "Effect": "Allow", "Action": [ "s3:DeleteObject", "s3:GetObject", "s3:PutObject" ], "Resource": [ "arn:aws:s3:::cassandra-bkup/*" ] } ]

，但是备份仍然失败.在opscenterd.log中，看到以下错误:

but backups are still failing. In opscenterd.log, the following error is seen:

WARN: Marking request af93899e-ae89-4ada-8b3b-ef93d0272d61 as failed: {'sstables': {'reporting_test': {u'cards': {'total_size': 9829, 'total_files': 6, 'done_files': 0, 'errors': [u'{:cause :unknown-destination-provider, :message "Specified provider unknown."}', u'{:cause :unknown-destination-provider, :message "Specified provider unknown."}', u'{:cause :unknown-destination-provider, :message "Specified provider unknown."}', u'{:cause :unknown-destination-provider, :message "Specified provider unknown."}', u'{:cause :unknown-destination-provider, :message "Specified provider unknown."}', u'{:cause :unknown-destination-provider, :message "Specified provider unknown."}']},等，等等.

但是，备份到本地服务器成功.

Backup to local server succeeds, however.

推荐答案

经过反复试验，我发现以下策略有效

After some trial and error, I found that the following policy worked

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:ListAllMyBuckets", "s3:GetBucketLocation" ], "Resource": "arn:aws:s3:::*" }, { "Effect": "Allow", "Action": [ "s3:ListBucket", "s3:GetBucketLocation", "s3:GetBucketAcl" ], "Resource": [ "arn:aws:s3:::prod-bkup" ] }, { "Effect": "Allow", "Action": [ "s3:DeleteObject", "s3:GetObject", "s3:PutObject" ], "Resource": [ "arn:aws:s3:::prod-bkup/*" ] } ] }

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:ListAllMyBuckets", "s3:GetBucketLocation" ], "Resource": "arn:aws:s3:::*" }, { "Effect": "Allow", "Action": [ "s3:ListBucket", "s3:GetBucketLocation", "s3:GetBucketAcl" ], "Resource": [ "arn:aws:s3:::prod-bkup" ] }, { "Effect": "Allow", "Action": [ "s3:DeleteObject", "s3:GetObject", "s3:PutObject" ], "Resource": [ "arn:aws:s3:::prod-bkup/*" ] } ] }

添加了s3:GetBucketAcl作为必需的权限

这篇关于将OpsCenter备份到S3用户的IAM策略的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！