Files

95 lines
3.8 KiB
Markdown

# Wasabi IAM User & Bucket Setup (Verified 2026-07-03)
## IAM User Creation
Create a subuser (IAM-style) in Wasabi console — not root. Root creds go in password manager only.
### Minimal policy
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:CreateBucket",
"s3:PutBucketVersioning",
"s3:ListBucket",
"s3:ListBucketVersions",
"s3:GetBucketVersioning"
],
"Resource": [
"arn:aws:s3:::bucket-name-1",
"arn:aws:s3:::bucket-name-2",
"arn:aws:s3:::bucket-name-3"
]
},
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:GetObjectVersion",
"s3:PutObject",
"s3:DeleteObject",
"s3:DeleteObjectVersion"
],
"Resource": [
"arn:aws:s3:::bucket-name-1/*",
"arn:aws:s3:::bucket-name-2/*",
"arn:aws:s3:::bucket-name-3/*"
]
}
]
}
```
Notes:
- `s3:ListAllMyBuckets` is NOT needed if you pass explicit bucket names
- `s3:CreateBucket` must be on each *exact* bucket ARN — creating a bucket NOT in the policy will be denied
- `s3:PutBucketVersioning` is required to enable versioning via CLI; many minimal policies miss it
- `s3:GetBucketVersioning` for verification
- Wasabi policy changes may take ~30-60s to propagate — retry if `AccessDenied` immediately after updating
### Common pitfalls
- **BucketAlreadyExists**: Wasabi bucket names are globally unique (shared namespace). If a name like `hermes-backups` is taken, try alternatives like `hermes-vps-backups`, `hmb-backups`, or add a company prefix. Update the IAM policy with the new name.
- **Region mismatch errors**: "AuthorizationHeaderMalformed: expecting 'us-east-1'" means the bucket exists in a different region or the CLI is not sending the correct region. Wasabi does NOT use `LocationConstraint` the same way as AWS S3. When creating a bucket, either omit `--create-bucket-configuration` entirely or pass no arguments beyond `--bucket` and `--endpoint-url`.
- **Propagation delay**: After editing a Wasabi IAM policy, some actions may still return `AccessDenied` for up to 60 seconds. Retry before debugging.
- **`s3:PutBucketVersioning` is easily forgotten**: The bucket-resource statement (`s3:ListBucket`, etc.) and the object-resource statement (`s3:GetObject`, etc.) are usually set up correctly. But `s3:PutBucketVersioning` is a separate action on the bucket ARN that's often missed. Without it, `put-bucket-versioning` returns `Access Denied` with a misleading error. Always include it in the first Statement block.
- **`GetBucketLifecycleConfiguration` is NOT supported by Wasabi IAM**: Wasabi's IAM implementation doesn't recognize this action. Including it causes policy validation errors. Wasabi lifecycle policies are configured via the web console only.
- **`ListAllMyBuckets` is NOT supported by Wasabi IAM**: Same as above — omit from policies. Explicit bucket ARNs in `Resource` is the Wasabi-compatible pattern.
## Credential storage
- `~/.aws/credentials`: `chmod 600`, IAM user's access key + secret key
- Wasabi root creds: password manager only, never in ~/.aws/ or Hermes config
## Bucket setup (post-creation)
```bash
# Enable versioning
aws s3api put-bucket-versioning \
--bucket bucket-name \
--versioning-configuration Status=Enabled \
--endpoint-url https://s3.us-east-1.wasabisys.com
# Verify
aws s3api get-bucket-versioning \
--bucket bucket-name \
--endpoint-url https://s3.us-east-1.wasabisys.com
# List objects
aws s3 ls s3://bucket-name/path/ \
--endpoint-url https://s3.us-east-1.wasabisys.com \
--human-readable
```
## Test write
```bash
echo "test-$(date -u +%Y-%m-%dT%H:%M:%SZ)" > /tmp/test-wasabi.txt
aws s3 cp /tmp/test-wasabi.txt s3://bucket-name/test-wasabi.txt \
--endpoint-url https://s3.us-east-1.wasabisys.com
```