Files
hermes-skills/skills/devops/infrastructure-automation/references/wasabi-iam-setup.md
T

3.8 KiB

Wasabi IAM User & Bucket Setup (Verified 2026-07-03)

IAM User Creation

Create a subuser (IAM-style) in Wasabi console — not root. Root creds go in password manager only.

Minimal policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:CreateBucket",
        "s3:PutBucketVersioning",
        "s3:ListBucket",
        "s3:ListBucketVersions",
        "s3:GetBucketVersioning"
      ],
      "Resource": [
        "arn:aws:s3:::bucket-name-1",
        "arn:aws:s3:::bucket-name-2",
        "arn:aws:s3:::bucket-name-3"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:GetObjectVersion",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:DeleteObjectVersion"
      ],
      "Resource": [
        "arn:aws:s3:::bucket-name-1/*",
        "arn:aws:s3:::bucket-name-2/*",
        "arn:aws:s3:::bucket-name-3/*"
      ]
    }
  ]
}

Notes:

  • s3:ListAllMyBuckets is NOT needed if you pass explicit bucket names
  • s3:CreateBucket must be on each exact bucket ARN — creating a bucket NOT in the policy will be denied
  • s3:PutBucketVersioning is required to enable versioning via CLI; many minimal policies miss it
  • s3:GetBucketVersioning for verification
  • Wasabi policy changes may take ~30-60s to propagate — retry if AccessDenied immediately after updating

Common pitfalls

  • BucketAlreadyExists: Wasabi bucket names are globally unique (shared namespace). If a name like hermes-backups is taken, try alternatives like hermes-vps-backups, hmb-backups, or add a company prefix. Update the IAM policy with the new name.
  • Region mismatch errors: "AuthorizationHeaderMalformed: expecting 'us-east-1'" means the bucket exists in a different region or the CLI is not sending the correct region. Wasabi does NOT use LocationConstraint the same way as AWS S3. When creating a bucket, either omit --create-bucket-configuration entirely or pass no arguments beyond --bucket and --endpoint-url.
  • Propagation delay: After editing a Wasabi IAM policy, some actions may still return AccessDenied for up to 60 seconds. Retry before debugging.
  • s3:PutBucketVersioning is easily forgotten: The bucket-resource statement (s3:ListBucket, etc.) and the object-resource statement (s3:GetObject, etc.) are usually set up correctly. But s3:PutBucketVersioning is a separate action on the bucket ARN that's often missed. Without it, put-bucket-versioning returns Access Denied with a misleading error. Always include it in the first Statement block.
  • GetBucketLifecycleConfiguration is NOT supported by Wasabi IAM: Wasabi's IAM implementation doesn't recognize this action. Including it causes policy validation errors. Wasabi lifecycle policies are configured via the web console only.
  • ListAllMyBuckets is NOT supported by Wasabi IAM: Same as above — omit from policies. Explicit bucket ARNs in Resource is the Wasabi-compatible pattern.

Credential storage

  • ~/.aws/credentials: chmod 600, IAM user's access key + secret key
  • Wasabi root creds: password manager only, never in ~/.aws/ or Hermes config

Bucket setup (post-creation)

# Enable versioning
aws s3api put-bucket-versioning \
  --bucket bucket-name \
  --versioning-configuration Status=Enabled \
  --endpoint-url https://s3.us-east-1.wasabisys.com

# Verify
aws s3api get-bucket-versioning \
  --bucket bucket-name \
  --endpoint-url https://s3.us-east-1.wasabisys.com

# List objects
aws s3 ls s3://bucket-name/path/ \
  --endpoint-url https://s3.us-east-1.wasabisys.com \
  --human-readable

Test write

echo "test-$(date -u +%Y-%m-%dT%H:%M:%SZ)" > /tmp/test-wasabi.txt
aws s3 cp /tmp/test-wasabi.txt s3://bucket-name/test-wasabi.txt \
  --endpoint-url https://s3.us-east-1.wasabisys.com