95 lines
3.8 KiB
Markdown
95 lines
3.8 KiB
Markdown
# Wasabi IAM User & Bucket Setup (Verified 2026-07-03)
|
|
|
|
## IAM User Creation
|
|
|
|
Create a subuser (IAM-style) in Wasabi console — not root. Root creds go in password manager only.
|
|
|
|
### Minimal policy
|
|
|
|
```json
|
|
{
|
|
"Version": "2012-10-17",
|
|
"Statement": [
|
|
{
|
|
"Effect": "Allow",
|
|
"Action": [
|
|
"s3:CreateBucket",
|
|
"s3:PutBucketVersioning",
|
|
"s3:ListBucket",
|
|
"s3:ListBucketVersions",
|
|
"s3:GetBucketVersioning"
|
|
],
|
|
"Resource": [
|
|
"arn:aws:s3:::bucket-name-1",
|
|
"arn:aws:s3:::bucket-name-2",
|
|
"arn:aws:s3:::bucket-name-3"
|
|
]
|
|
},
|
|
{
|
|
"Effect": "Allow",
|
|
"Action": [
|
|
"s3:GetObject",
|
|
"s3:GetObjectVersion",
|
|
"s3:PutObject",
|
|
"s3:DeleteObject",
|
|
"s3:DeleteObjectVersion"
|
|
],
|
|
"Resource": [
|
|
"arn:aws:s3:::bucket-name-1/*",
|
|
"arn:aws:s3:::bucket-name-2/*",
|
|
"arn:aws:s3:::bucket-name-3/*"
|
|
]
|
|
}
|
|
]
|
|
}
|
|
```
|
|
|
|
Notes:
|
|
- `s3:ListAllMyBuckets` is NOT needed if you pass explicit bucket names
|
|
- `s3:CreateBucket` must be on each *exact* bucket ARN — creating a bucket NOT in the policy will be denied
|
|
- `s3:PutBucketVersioning` is required to enable versioning via CLI; many minimal policies miss it
|
|
- `s3:GetBucketVersioning` for verification
|
|
- Wasabi policy changes may take ~30-60s to propagate — retry if `AccessDenied` immediately after updating
|
|
|
|
### Common pitfalls
|
|
|
|
- **BucketAlreadyExists**: Wasabi bucket names are globally unique (shared namespace). If a name like `hermes-backups` is taken, try alternatives like `hermes-vps-backups`, `hmb-backups`, or add a company prefix. Update the IAM policy with the new name.
|
|
- **Region mismatch errors**: "AuthorizationHeaderMalformed: expecting 'us-east-1'" means the bucket exists in a different region or the CLI is not sending the correct region. Wasabi does NOT use `LocationConstraint` the same way as AWS S3. When creating a bucket, either omit `--create-bucket-configuration` entirely or pass no arguments beyond `--bucket` and `--endpoint-url`.
|
|
- **Propagation delay**: After editing a Wasabi IAM policy, some actions may still return `AccessDenied` for up to 60 seconds. Retry before debugging.
|
|
- **`s3:PutBucketVersioning` is easily forgotten**: The bucket-resource statement (`s3:ListBucket`, etc.) and the object-resource statement (`s3:GetObject`, etc.) are usually set up correctly. But `s3:PutBucketVersioning` is a separate action on the bucket ARN that's often missed. Without it, `put-bucket-versioning` returns `Access Denied` with a misleading error. Always include it in the first Statement block.
|
|
- **`GetBucketLifecycleConfiguration` is NOT supported by Wasabi IAM**: Wasabi's IAM implementation doesn't recognize this action. Including it causes policy validation errors. Wasabi lifecycle policies are configured via the web console only.
|
|
- **`ListAllMyBuckets` is NOT supported by Wasabi IAM**: Same as above — omit from policies. Explicit bucket ARNs in `Resource` is the Wasabi-compatible pattern.
|
|
|
|
## Credential storage
|
|
|
|
- `~/.aws/credentials`: `chmod 600`, IAM user's access key + secret key
|
|
- Wasabi root creds: password manager only, never in ~/.aws/ or Hermes config
|
|
|
|
## Bucket setup (post-creation)
|
|
|
|
```bash
|
|
# Enable versioning
|
|
aws s3api put-bucket-versioning \
|
|
--bucket bucket-name \
|
|
--versioning-configuration Status=Enabled \
|
|
--endpoint-url https://s3.us-east-1.wasabisys.com
|
|
|
|
# Verify
|
|
aws s3api get-bucket-versioning \
|
|
--bucket bucket-name \
|
|
--endpoint-url https://s3.us-east-1.wasabisys.com
|
|
|
|
# List objects
|
|
aws s3 ls s3://bucket-name/path/ \
|
|
--endpoint-url https://s3.us-east-1.wasabisys.com \
|
|
--human-readable
|
|
```
|
|
|
|
## Test write
|
|
|
|
```bash
|
|
echo "test-$(date -u +%Y-%m-%dT%H:%M:%SZ)" > /tmp/test-wasabi.txt
|
|
aws s3 cp /tmp/test-wasabi.txt s3://bucket-name/test-wasabi.txt \
|
|
--endpoint-url https://s3.us-east-1.wasabisys.com
|
|
```
|