Access Permissions for Direct Connection to Object Storage
If you back up data using a direct connection between the Veeam Agent computer and the object storage, access to the object storage will be managed by an API provided by this object storage. Depending on the selected object storage, access permissions are distributed differently. As a result, you must consider different limitations. To learn more, see the following subsections:
- Amazon S3
- Google Cloud Storage
- Microsoft Azure Blob Storage
- IBM Cloud, Wasabi Cloud or other S3 compatible storage
Amazon S3
On the Amazon S3 storage side, Veeam Agent backup is performed with the following steps:
- Depending on the backup job mode and the way you added the object storage to your infrastructure, Veeam Backup & Replication performs one of the following operations to grant access to the repository in the object storage:
  For backup jobs targeted at the Veeam backup repository
  - For the following job configurations, Veeam Backup & Replication provides Veeam Agents with access to the repository in the object storage using the credentials that were specified during the repository configuration:
    - Backup job managed by the backup server
    - Backup policy targeted at the object storage through a gateway
  - For the backup policy targeted at the object storage directly, Veeam Backup & Replication creates a user in AWS for each Veeam Agent that backs up to AWS.
  For backup jobs targeted at the Cloud Connect repository
  - For the following job configurations, Veeam Backup & Replication creates a user in AWS for each tenant:
    - Backup job managed by the backup server
    - Backup policy targeted at the object storage through a gateway
  - For the backup policy targeted at the object storage directly, Veeam Backup & Replication creates a user in AWS for each subtenant.
  To learn more about tenants and subtenants, see the Veeam Cloud Connect Guide.
- If applicable, Veeam Backup & Replication assigns a policy to each created user. This policy contains access permissions and allows the Veeam Agent to access only the backups that were created by this Veeam Agent.
Keep in mind the following limitations and prerequisites:
- By default, Veeam Backup & Replication assigns an inline policy to the user. All inline policies combined cannot be greater than 2048 characters. If you reach this limit, Veeam Backup & Replication starts assigning managed policies. All managed policies combined cannot be greater than 6144 characters. If you reach this limit, contact AWS customer support.
- AWS allows you to create 1500 managed policies per AWS account. If you need more policies, contact AWS customer support.
- AWS allows you to create 5000 users per AWS account. If you need more users, use another AWS account.
- Make sure that the user accounts that you use to connect to the Amazon S3 storage have the required permissions. To learn more, see Permissions.
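The per-agent scoping and the policy size limits described above can be checked offline. The following is an added example, not Veeam's code or the policy that Veeam Backup & Replication generates: the bucket name, the key-prefix layout and the policy statements are assumptions made for illustration.

```python
import json

INLINE_LIMIT = 2048    # inline policies combined, as stated above
MANAGED_LIMIT = 6144   # managed policies combined, as stated above

def agent_policy(bucket, prefix):
    """Constructed policy for one agent; the layout is an assumption."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
         "Resource": f"arn:aws:s3:::{bucket}/{prefix}/*"},
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": f"arn:aws:s3:::{bucket}",
         "Condition": {"StringLike": {"s3:prefix": f"{prefix}/*"}}}]}

def policy_size(policy):
    """Length of the compact JSON; IAM does not count whitespace."""
    return len(json.dumps(policy, separators=(",", ":")))

def placement(policies):
    """Where one user's combined policies fit under the limits above."""
    total = sum(policy_size(p) for p in policies)
    if total <= INLINE_LIMIT:
        return "inline"
    return "managed" if total <= MANAGED_LIMIT else "over-limit"

def out_of_scope(policy, bucket, prefix):
    """Resources in Allow statements that reach beyond the agent's prefix."""
    own = f"arn:aws:s3:::{bucket}/{prefix}/"
    found = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        res = st["Resource"]
        listed = st.get("Condition", {}).get("StringLike", {}).get("s3:prefix")
        for arn in [res] if isinstance(res, str) else res:
            if arn.startswith(own):
                continue
            # The bucket ARN is acceptable only if listing is pinned to the prefix.
            if arn == f"arn:aws:s3:::{bucket}" and listed == f"{prefix}/*":
                continue
            found.append(arn)
    return found

if __name__ == "__main__":
    p = agent_policy("backup-bucket", "agents/agent-01")  # constructed names
    print(policy_size(p), placement([p]),
          out_of_scope(p, "backup-bucket", "agents/agent-01"))
```

Running `out_of_scope` with a different agent's prefix shows which statements would let one agent reach another agent's backups.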
Google Cloud Storage
On the Google storage side, Veeam Agent backup is performed with the following steps:
- Depending on the backup job mode and the way you added the object storage to your infrastructure, Veeam Backup & Replication performs one of the following operations to grant access to the repository in the object storage:
  For backup jobs targeted at the Veeam backup repository
  - For the following job configurations, Veeam Backup & Replication provides Veeam Agents with access to the repository in the object storage using the credentials that were specified during the repository configuration:
    - Backup job managed by the backup server
    - Backup policy targeted at the object storage through a gateway
  - For the backup policy targeted at the object storage directly, Veeam Backup & Replication creates a user for each Veeam Agent that backs up to Google storage.
  For backup jobs targeted at the Cloud Connect repository
  - For the following job configurations, Veeam Backup & Replication creates a user in Google Cloud for each tenant:
    - Backup job managed by the backup server
    - Backup policy targeted at the object storage through a gateway
  - For the backup policy targeted at the object storage directly, Veeam Backup & Replication creates a user in Google Cloud for each subtenant.
  To learn more about tenants and subtenants, see the Veeam Cloud Connect Guide.
- If applicable, Veeam Backup & Replication assigns a policy to each bucket. This policy contains access permissions and allows the Veeam Agent to access only the backups that were created by this Veeam Agent.
Keep in mind the following limitations and prerequisites:
- Policies for buckets have a size limit. If you need to increase the limit, contact Google customer support.
- Google allows you to create 100 users per Google account. If you need more users, contact Google customer support.
- If you plan to target Veeam Agent backups at the Google Cloud storage using a backup policy, you must configure a Helper Appliance. To learn more, see the Configuring Helper Appliance section in the Veeam Backup & Replication User Guide.
- Make sure that the user accounts that you use to connect to the Google Cloud storage have the required permissions. To learn more, see Permissions.
Microsoft Azure Blob Storage
Access permissions are granted to Veeam Agents using shared access signatures (SAS).
IBM Cloud, Wasabi Cloud or Other S3 Compatible Storage
Keep in mind the following limitations and prerequisites:
- After you add the S3 compatible object storage, you must configure access permissions manually in the Veeam Backup & Replication console. If you selected the Provided by IAM/STS object storage capabilities option for the object storage, Veeam Backup & Replication will perform the backup operation in the same way as for the Amazon S3 storage.
  To learn more, see the Managing Permissions for S3 Compatible Object Storage section in the Veeam Backup & Replication User Guide.
- The user accounts that you use to connect to the S3 compatible storage must have the required permissions. To learn more, see Permissions.