Permissions

For general requirements for permissions that must be provided to the user account to install and work with Veeam Backup & Replication, see the Permissions section in the Veeam Backup & Replication User Guide. In addition to general port requirements, the permissions listed below must be provided for the Veeam Agent management scenarios.

If you plan to use object storage in the Veeam Agent management infrastructure, make sure the user accounts that you plan to use have the required permissions. Keep in mind that the list of required permissions differs depending on the functionality that you use. Make sure user accounts have the permissions described for the following scenarios:

Backing Up Cloud Machines

The list of permissions differs depending on the type of the cloud machine you plan to back up:

  • Microsoft Azure virtual machines

If you plan to back up Microsoft Azure virtual machines, all required permissions are assigned when you add a Microsoft Azure Compute account to Veeam Backup & Replication. To learn more, see the Creating New Azure AD Application section in the Veeam Backup & Replication User Guide.

  • Amazon EC2 instances

If you plan to back up Amazon EC2 instances, make sure the user account that you plan to use has the following permissions:

{
 "ssm:SendCommand",
 "ssm:DescribeInstanceInformation",
 "ssm:UpdateManagedInstanceRole",
 "ssm:GetCommandInvocation",
 "iam:GetRole",
 "iam:PassRole",
 "iam:AddRoleToInstanceProfile",
 "iam:CreateRole",
 "iam:CreateInstanceProfile",
 "iam:AttachRolePolicy",
 "iam:SimulatePrincipalPolicy",
 "ec2:DescribeInstances",
 "ec2:AssociateIamInstanceProfile",
 "ec2:DescribeIamInstanceProfileAssociations",
 "sqs:*"
}
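One way to pre-check an IAM policy document against the Amazon EC2 list above before pointing Veeam at the account. This is an added example, not Veeam code. The sample policy is constructed, and the check reads only the Action patterns of Allow statements (it ignores Deny, NotAction, Resource and Condition).

```python
import fnmatch
import json

# Required actions copied from the Amazon EC2 list above.
REQUIRED_EC2 = [
    "ssm:SendCommand", "ssm:DescribeInstanceInformation",
    "ssm:UpdateManagedInstanceRole", "ssm:GetCommandInvocation",
    "iam:GetRole", "iam:PassRole", "iam:AddRoleToInstanceProfile",
    "iam:CreateRole", "iam:CreateInstanceProfile", "iam:AttachRolePolicy",
    "iam:SimulatePrincipalPolicy", "ec2:DescribeInstances",
    "ec2:AssociateIamInstanceProfile",
    "ec2:DescribeIamInstanceProfileAssociations", "sqs:*",
]

# Constructed sample policy (an assumption for illustration only).
SAMPLE_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Resource": "*",
   "Action": ["ssm:*", "iam:GetRole", "iam:passrole", "ec2:Describe*"]},
  {"Effect": "Allow", "Resource": "*", "Action": "sqs:SendMessage"}
]}
""")

def _as_list(value):
    """IAM accepts either a single value or a list for Statement and Action."""
    return value if isinstance(value, list) else [value]

def allowed_patterns(policy):
    """Collect lower-cased Action patterns from every Allow statement."""
    patterns = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") == "Allow" and "Action" in stmt:
            patterns += [a.lower() for a in _as_list(stmt["Action"])]
    return patterns

def missing_actions(policy, required=REQUIRED_EC2):
    """Return the required actions that no Allow pattern covers.

    Action names are case-insensitive and may contain wildcards. A required
    wildcard such as "sqs:*" is compared as a literal string, so a narrower
    grant like "sqs:SendMessage" does not satisfy it.
    """
    patterns = allowed_patterns(policy)
    return [action for action in required
            if not any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns)]

if __name__ == "__main__":
    for action in missing_actions(SAMPLE_POLICY):
        print("missing:", action)
```

The same function works for the Amazon S3 list on this page by passing that list as `required`.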

Backing Up to Object Storage

Besides the general permissions listed in the Using Object Storage Repositories section in the Veeam Backup & Replication User Guide, some additional permissions are required for object storage in the Veeam Agent management infrastructure. The list of required permissions differs depending on the selected object storage and the way you set your backup infrastructure. To learn more, see the following subsections:

Amazon S3 or S3 Compatible Storage (Including IBM Cloud, Wasabi Cloud)

Consider the following:

The list of permissions below is required for the following configurations:

  • You plan to back up data to the Amazon S3 storage.
  • You selected direct connection in the object storage settings. To learn more, see the Adding Amazon S3 Object Storage section in the Veeam Backup & Replication User Guide.

or

  • You plan to back up data to the S3 compatible storage.
  • Direct connection is selected in the object storage settings. To learn more, see the Specify Object Storage Account section in the Veeam Backup & Replication User Guide.

If you plan to back up data using one of the configurations above, make sure the user account that you use to connect to the object storage has the following permissions:

{
 "iam:GetPolicyVersion",
 "iam:DeleteAccessKey",
 "iam:GetPolicy",
 "iam:AttachUserPolicy",
 "iam:DeleteUserPolicy",
 "iam:DeletePolicy",
 "iam:DeleteUser",
 "iam:ListUserPolicies",
 "iam:CreateUser",
 "iam:TagUser",
 "iam:CreateAccessKey",
 "iam:CreatePolicy",
 "iam:ListPolicyVersions",
 "iam:GetUserPolicy",
 "iam:PutUserPolicy",
 "iam:ListAttachedUserPolicies",
 "iam:GetUser",
 "iam:CreatePolicyVersion",
 "iam:DetachUserPolicy",
 "iam:DeletePolicyVersion",
 "iam:ListAccessKeys",
 "iam:SetDefaultPolicyVersion"
}

Google Cloud

The list of permissions below is required for the following configurations:

If you plan to back up data using the configuration above, make sure the user account that you specify in the Helper Appliance settings has the following permissions:

{
 "iam.serviceAccounts.create",
 "iam.serviceAccounts.delete",
 "iam.serviceAccounts.get",
 "storage.buckets.get",
 "storage.buckets.getIamPolicy",
 "storage.buckets.list",
 "storage.buckets.setIamPolicy",
 "storage.hmacKeys.create",
 "storage.objects.create",
 "storage.objects.delete",
 "storage.objects.get",
 "storage.objects.list",
 "iam.serviceAccounts.list",
 "storage.buckets.update",
 "storage.hmacKeys.delete",
 "storage.hmacKeys.list"
}