将OpsCenter备份到S3用户的IAM策略 [英] IAM Policy for OpsCenter backup to S3 user
问题描述
使用OpsCenter 5.1.0并尝试将S3添加为快照备份的位置. AWS IAM中对opscenter用户有哪些必要权限?到目前为止,我有以下政策:
Using OpsCenter 5.1.0 and trying to add S3 as a location for snapshot backups. What are the necessary permissions in AWS IAM for the opscenter user? So far, I have the following policy:
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets",
"s3:GetBucketLocation"
],
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Resource": [
"arn:aws:s3:::cassandra-bkup"
]
},
{
"Effect": "Allow",
"Action": [
"s3:DeleteObject",
"s3:GetObject",
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::cassandra-bkup/*"
]
}
]
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets",
"s3:GetBucketLocation"
],
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Resource": [
"arn:aws:s3:::cassandra-bkup"
]
},
{
"Effect": "Allow",
"Action": [
"s3:DeleteObject",
"s3:GetObject",
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::cassandra-bkup/*"
]
}
]
,但是备份仍然失败.在opscenterd.log中,看到以下错误:
but backups are still failing. In opscenterd.log, the following error is seen:
WARN: Marking request af93899e-ae89-4ada-8b3b-ef93d0272d61 as failed: {'sstables': {'reporting_test': {u'cards': {'total_size': 9829, 'total_files': 6, 'done_files': 0, 'errors': [u'{:cause :unknown-destination-provider, :message "Specified provider unknown."}', u'{:cause :unknown-destination-provider, :message "Specified provider unknown."}', u'{:cause :unknown-destination-provider, :message "Specified provider unknown."}', u'{:cause :unknown-destination-provider, :message "Specified provider unknown."}', u'{:cause :unknown-destination-provider, :message "Specified provider unknown."}', u'{:cause :unknown-destination-provider, :message "Specified provider unknown."}']},
等,等等.
但是,备份到本地服务器成功.
Backup to local server succeeds, however.
推荐答案
经过反复试验,我发现以下策略有效
After some trial and error, I found that the following policy worked
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets",
"s3:GetBucketLocation"
],
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation",
"s3:GetBucketAcl"
],
"Resource": [
"arn:aws:s3:::prod-bkup"
]
},
{
"Effect": "Allow",
"Action": [
"s3:DeleteObject",
"s3:GetObject",
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::prod-bkup/*"
]
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets",
"s3:GetBucketLocation"
],
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation",
"s3:GetBucketAcl"
],
"Resource": [
"arn:aws:s3:::prod-bkup"
]
},
{
"Effect": "Allow",
"Action": [
"s3:DeleteObject",
"s3:GetObject",
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::prod-bkup/*"
]
}
]
}
添加了s3:GetBucketAcl
作为必需的权限
这篇关于将OpsCenter备份到S3用户的IAM策略的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!