Access Permissions for Direct Connection to Object Storage

If you back up data using a direct connection between the Veeam Agent computer and the object storage, access to the object storage will be managed by an API provided by this object storage. Depending on the selected object storage, access permissions are distributed differently. As a result, you must consider different limitations. To learn more, see the following subsections:

 

Amazon S3

On the Amazon S3 storage side, Veeam Agent backup is performed with the following steps:

  1. Depending on the backup job mode and the way you added the object storage to your infrastructure, Veeam Backup & Replication performs a certain operation to grant access to the repository in the object storage:

For backup jobs targeted at the Veeam backup repository

For backup jobs targeted at the Cloud Connect repository

To learn more about tenants and subtenants, see the Veeam Cloud Connect Guide.

  1. If applicable, Veeam Backup & Replication assigns a policy to each created user. This policy contains access permissions and allows Veeam Agent access only those backups that were made only by this Veeam Agent.

Keep in mind the following limitations and prerequisites:

  • By default, Veeam Backup & Replication assigns an inline policy to the user. All inline policies combined cannot be greater than 2048 symbols. If you reach this limit, Veeam Backup & Replication starts assigning managed policies. All managed policies combined cannot be greater than 6144 symbols. If you reach this limit, refer to the AWS customer support.
  • AWS allows to create 1500 managed policies per the AWS account. If you need more policies, refer to the AWS customer support.
  • AWS allows to create 5000 users per the AWS account. If you need more users, use another AWS account.
  • Consider that user accounts that you use to connect to the Amazon S3 storage have the required permissions. To learn more, see Permissions.

Google Cloud Storage

On the Google storage side, Veeam Agent backup is performed with the following steps:

  1. Depending on the backup job mode and the way you added the object storage to your infrastructure, Veeam Backup & Replication performs a certain operation to grant access to the repository in the object storage:

For backup jobs targeted at the Veeam backup repository

For backup jobs targeted at the Cloud Connect repository

To learn more about tenants and subtenants, see the Veeam Cloud Connect Guide.

  1. If applicable, Veeam Backup & Replication assigns a policy to each bucket. This policy contains access permissions and allows Veeam Agent access only those backups that were made only by this Veeam Agent.

Keep in mind the following limitations and prerequisites:

  • Policies for buckets have a size limit. If you need to increase the limit, refer to the Google customer support.
  • Keep in mind that Google allows to create 100 users per the Google account. If you need more users, refer to the Google customer support.
  • If you plan to target Veeam Agent backups at the Google Cloud storage using a backup policy, you must configure a Helper Appliance. To learn more, see the Configuring Helper Appliance section in the Veeam Backup & Replication User Guide.
  • Consider that user accounts that you use to connect to the Google Cloud storage have the required permissions. To learn more, see Permissions.

Microsoft Azure Blob Storage

Access permissions are granted to Veeam Agents using shared access signatures (SAS).

IBM Cloud, Wasabi Cloud or Other S3 Compatible Storage

Keep in mind the following limitations and prerequisites:

To learn more, see the Managing Permissions for S3 Compatible Object Storage section in the Veeam Backup & Replication User Guide.

  • User accounts that you use to connect to the S3 compatible storage have the required permissions. To learn more, see Permissions.

Page updated 12/28/2023

Page content applies to build 12.3.0.310