# Wasabi IAM User & Bucket Setup (Verified 2026-07-03) ## IAM User Creation Create a subuser (IAM-style) in Wasabi console — not root. Root creds go in password manager only. ### Minimal policy ```json { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:CreateBucket", "s3:PutBucketVersioning", "s3:ListBucket", "s3:ListBucketVersions", "s3:GetBucketVersioning" ], "Resource": [ "arn:aws:s3:::bucket-name-1", "arn:aws:s3:::bucket-name-2", "arn:aws:s3:::bucket-name-3" ] }, { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:GetObjectVersion", "s3:PutObject", "s3:DeleteObject", "s3:DeleteObjectVersion" ], "Resource": [ "arn:aws:s3:::bucket-name-1/*", "arn:aws:s3:::bucket-name-2/*", "arn:aws:s3:::bucket-name-3/*" ] } ] } ``` Notes: - `s3:ListAllMyBuckets` is NOT needed if you pass explicit bucket names - `s3:CreateBucket` must be on each *exact* bucket ARN — creating a bucket NOT in the policy will be denied - `s3:PutBucketVersioning` is required to enable versioning via CLI; many minimal policies miss it - `s3:GetBucketVersioning` for verification - Wasabi policy changes may take ~30-60s to propagate — retry if `AccessDenied` immediately after updating ### Common pitfalls - **BucketAlreadyExists**: Wasabi bucket names are globally unique (shared namespace). If a name like `hermes-backups` is taken, try alternatives like `hermes-vps-backups`, `hmb-backups`, or add a company prefix. Update the IAM policy with the new name. - **Region mismatch errors**: "AuthorizationHeaderMalformed: expecting 'us-east-1'" means the bucket exists in a different region or the CLI is not sending the correct region. Wasabi does NOT use `LocationConstraint` the same way as AWS S3. When creating a bucket, either omit `--create-bucket-configuration` entirely or pass no arguments beyond `--bucket` and `--endpoint-url`. - **Propagation delay**: After editing a Wasabi IAM policy, some actions may still return `AccessDenied` for up to 60 seconds. Retry before debugging. - **`s3:PutBucketVersioning` is easily forgotten**: The bucket-resource statement (`s3:ListBucket`, etc.) and the object-resource statement (`s3:GetObject`, etc.) are usually set up correctly. But `s3:PutBucketVersioning` is a separate action on the bucket ARN that's often missed. Without it, `put-bucket-versioning` returns `Access Denied` with a misleading error. Always include it in the first Statement block. - **`GetBucketLifecycleConfiguration` is NOT supported by Wasabi IAM**: Wasabi's IAM implementation doesn't recognize this action. Including it causes policy validation errors. Wasabi lifecycle policies are configured via the web console only. - **`ListAllMyBuckets` is NOT supported by Wasabi IAM**: Same as above — omit from policies. Explicit bucket ARNs in `Resource` is the Wasabi-compatible pattern. ## Credential storage - `~/.aws/credentials`: `chmod 600`, IAM user's access key + secret key - Wasabi root creds: password manager only, never in ~/.aws/ or Hermes config ## Bucket setup (post-creation) ```bash # Enable versioning aws s3api put-bucket-versioning \ --bucket bucket-name \ --versioning-configuration Status=Enabled \ --endpoint-url https://s3.us-east-1.wasabisys.com # Verify aws s3api get-bucket-versioning \ --bucket bucket-name \ --endpoint-url https://s3.us-east-1.wasabisys.com # List objects aws s3 ls s3://bucket-name/path/ \ --endpoint-url https://s3.us-east-1.wasabisys.com \ --human-readable ``` ## Test write ```bash echo "test-$(date -u +%Y-%m-%dT%H:%M:%SZ)" > /tmp/test-wasabi.txt aws s3 cp /tmp/test-wasabi.txt s3://bucket-name/test-wasabi.txt \ --endpoint-url https://s3.us-east-1.wasabisys.com ```