S3 subfolder - forced to grant access to entire bucket in order to backup


#1

Hello,

I’m unable to backup files to S3 using SQLBAF (Test conn fails with 403) after restricting access permissions to specific subdir. At the same time, the same policy is enough and works fine for any desktop AWS S3 client (e.g. CloudBerry, S3 Browser).

Please take a look at this simple policy below. Without the “Condition” section it works great (test conn + backup job), but unfortunately the user then has access to the parent dir and all subdirs. After adding the “Condition” it stops working for SQLBAF (but works great for other S3 clients).

Why does SQLBAF need access to the parent directory? How can I work around this?

Directory tree:

  • xyz-internal (bucket)
    • backups-abc
    • backups-def
    • backups-ghi

Required actions in subfolder "backups-abc": list + put + get + del.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "BucketOperations",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:ListBucketMultipartUploads",
        "s3:GetBucketLocation"
      ],
      "Resource": "arn:aws:s3:::xyz-internal",
      "Condition": {
        "StringLike": {
          "s3:prefix": "backups-abc/*"
        }
      }
    },
    {
      "Sid": "FilesOperations",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject",
        "s3:AbortMultipartUpload",
        "s3:ListMultipartUploadParts"
      ],
      "Resource": "arn:aws:s3:::xyz-internal/backups-abc/*"
    }
  ]
}


#2

Hello jankowicz,

Thanks for the details. We have not faced this issue before, please give us some time to investigate this case.

Sorry for the inconvenience.


#3

Hello jankowicz,

We have checked this issue. The problem happens because of the GetBucketLocation request we send. We send this request to make sure that the bucket exists (if it doesn’t, SQLBackupAndFTP creates it). We’ll add handling for the case where a “forbidden” status is returned; then we’ll consider that the bucket exists and use it further.

Sorry for the inconvenience.
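Added example, not part of this thread and not SQLBackupAndFTP code: a deliberately reduced model of how IAM evaluates the poster's policy against the requests a backup client makes, beside a variant that gives GetBucketLocation its own statement. The `s3:prefix` context key exists only on bucket listing requests, so a condition on it can never be satisfied by GetBucketLocation and that statement falls through to implicit deny (the 403 seen above); the evaluator, request names and object keys are constructed for illustration (Allow statements and StringLike only, no Deny, no other operators).

```python
import fnmatch

BUCKET = "arn:aws:s3:::xyz-internal"

# The poster's policy: the s3:prefix condition sits on the bucket-level
# statement, which also covers GetBucketLocation.
ORIGINAL = [
    {"Action": ["s3:ListBucket", "s3:ListBucketMultipartUploads", "s3:GetBucketLocation"],
     "Resource": BUCKET,
     "Condition": {"StringLike": {"s3:prefix": "backups-abc/*"}}},
    {"Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
     "Resource": BUCKET + "/backups-abc/*"},
]

# Split variant: GetBucketLocation gets an unconditioned statement; the prefix
# restriction stays on the listing actions, so other subfolders remain hidden.
SPLIT = [
    {"Action": ["s3:GetBucketLocation"], "Resource": BUCKET},
    {"Action": ["s3:ListBucket", "s3:ListBucketMultipartUploads"],
     "Resource": BUCKET,
     "Condition": {"StringLike": {"s3:prefix": "backups-abc/*"}}},
    ORIGINAL[1],
]

def is_allowed(policy, action, resource, context):
    """Simplified IAM evaluation (constructed model, not the real engine):
    an Allow statement matches only if action, resource and every condition
    match; a condition key absent from the request context fails the
    condition. Anything unmatched is an implicit deny."""
    for stmt in policy:
        if action not in stmt["Action"]:
            continue
        if not fnmatch.fnmatchcase(resource, stmt["Resource"]):
            continue
        conds = stmt.get("Condition", {}).get("StringLike", {})
        if all(k in context and fnmatch.fnmatchcase(context[k], pat)
               for k, pat in conds.items()):
            return True
    return False

# Constructed requests mirroring what a backup client issues.
REQUESTS = {
    "get_location": ("s3:GetBucketLocation", BUCKET, {}),  # carries no s3:prefix key
    "list_own":     ("s3:ListBucket", BUCKET, {"s3:prefix": "backups-abc/"}),
    "list_other":   ("s3:ListBucket", BUCKET, {"s3:prefix": "backups-def/"}),
    "put_own":      ("s3:PutObject", BUCKET + "/backups-abc/full.bak", {}),
    "put_other":    ("s3:PutObject", BUCKET + "/backups-def/full.bak", {}),
}

def evaluate(policy):
    """Return {request name: allowed?} for every constructed request."""
    return {name: is_allowed(policy, *req) for name, req in REQUESTS.items()}
```

Running `evaluate(ORIGINAL)` denies only `get_location` among the legitimate requests, while `evaluate(SPLIT)` allows it and still denies listing or writing under `backups-def/`.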


#4

Thank you for your interest. Ok, so as I understand it, the only solution now is to change the S3 policy and wait till a new version of SQLBAF is released. Eh, I will have to update my old licence :slight_smile:

Thx and cheers.


#5

Hello jankowicz,

We have added some changes to SQLBackupAndFTP Alpha version https://sqlbackupandftp.com/download/alpha that should fix the issue. Could you please install it and check if it works?

Sorry for the inconvenience.