Hello,
I’m unable to back up files to S3 using SQLBAF (Test conn fails with 403) after restricting access permissions to a specific subdir. At the same time, the same policy is enough and works fine for any desktop AWS S3 client (e.g. CloudBerry, S3 Browser).
Please take a look at this simple policy below. Without the “condition” section it works great (test conn + backup job), but unfortunately the user has access to the parent dir and all subdirs. After adding the “condition” it stops working for SQLBAF (but works great for other S3 clients).
Why does SQLBAF need access to the parent directory? How can I work around this?
Directory tree:
- xyz-internal (bucket)
  - backups-abc
  - backups-def
  - backups-ghi
Required actions in subfolder "backups-abc": list + put + get + del.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "BucketOperations",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:ListBucketMultipartUploads",
                "s3:GetBucketLocation"
            ],
            "Resource": "arn:aws:s3:::xyz-internal",
            "Condition": {
                "StringLike": {
                    "s3:prefix": "backups-abc/*"
                }
            }
        },
        {
            "Sid": "FilesOperations",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject",
                "s3:AbortMultipartUpload",
                "s3:ListMultipartUploadParts"
            ],
            "Resource": "arn:aws:s3:::xyz-internal/backups-abc/*"
        }
    ]
}
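
Added example, not part of the original post: a minimal Python model of how the policy above is evaluated for a few constructed requests. It encodes one IAM rule, that a StringLike condition is not satisfied when its key (s3:prefix) is absent from the request. Which calls SQLBAF actually makes is not stated in the post, and fnmatchcase is a simplification of IAM wildcard matching.

```python
from fnmatch import fnmatchcase

BUCKET = "arn:aws:s3:::xyz-internal"

# Statements copied from the posted policy, unchanged.
POLICY = [
    {"Sid": "BucketOperations", "Effect": "Allow",
     "Action": ["s3:ListBucket", "s3:ListBucketMultipartUploads",
                "s3:GetBucketLocation"],
     "Resource": BUCKET,
     "Condition": {"StringLike": {"s3:prefix": "backups-abc/*"}}},
    {"Sid": "FilesOperations", "Effect": "Allow",
     "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject",
                "s3:AbortMultipartUpload", "s3:ListMultipartUploadParts"],
     "Resource": BUCKET + "/backups-abc/*"},
]

def condition_ok(cond, context):
    """StringLike only: a key missing from the request never matches."""
    for key, pattern in cond.get("StringLike", {}).items():
        if key not in context or not fnmatchcase(context[key], pattern):
            return False
    return True

def allowed(action, resource, context=None):
    """Sid of the first matching Allow statement, or None (implicit deny)."""
    context = context or {}
    for st in POLICY:
        if (action in st["Action"]
                and fnmatchcase(resource, st["Resource"])
                and condition_ok(st.get("Condition", {}), context)):
            return st["Sid"]
    return None

# Constructed requests: (action, resource, condition keys present).
REQUESTS = [
    ("s3:ListBucket", BUCKET, {"s3:prefix": "backups-abc/"}),
    ("s3:ListBucket", BUCKET, {}),                 # listing with no prefix
    ("s3:ListBucket", BUCKET, {"s3:prefix": "backups-def/"}),
    ("s3:GetBucketLocation", BUCKET, {}),          # call has no prefix parameter
    ("s3:PutObject", BUCKET + "/backups-abc/db.bak", {}),
]

def evaluate_all():
    return [(a, c.get("s3:prefix"), allowed(a, r, c)) for a, r, c in REQUESTS]

if __name__ == "__main__":
    for action, prefix, sid in evaluate_all():
        print(f"{action:22} prefix={prefix!r:16} -> {sid or 'DENY (403)'}")
```

In this model, only list requests that carry a prefix under backups-abc/ match the BucketOperations statement; a bucket-level call without that key falls through to an implicit deny.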