Wasabi policy requirements

Hi there!
I can see the period issue being fixed for Amazon S3 but what about Wasabi or S3 compatible connector?
I’m trying to add my bucket (Wasabi) in odrive UI and get rejected… Both connectors… Any idea how I can get this working?
Please note I’m able to mount the bucket using s3fs-fuse on my machine with the same Access Key ID and Secret, so it’s not related to permissions…
Any advice?

Well, never mind… It appears this is a policy issue I have, not a period issue.
When granting full S3 access it appears to work. I’m not sure what the required Actions are for odrive to work as designed… Any help maybe?

Hey! Thank you for the post, this might probably be added to S3 connector configuration.
I noticed that

{
  "Effect": "Allow",
  "Action": "s3:ListAllMyBuckets",
  "Resource": "arn:aws:s3:::*"
}

is not needed in most of the cases.
Also, I noticed this is working fine for the S3 compatible connector but this is not working (somehow) with the Wasabi connector.
When using the Wasabi connector I need to grant the AmazonS3FullAccess policy to my user, otherwise it’s not working. Using the S3/Compatible connector works just fine with the current setup (and with the previously pasted section removed).

Hi @cazzoo,
Can you provide an example of the policy you are using on Wasabi and I can try to reproduce what you are seeing?

What is interesting is that the Wasabi integration is just using the “S3 compatible” integration with some presets defined, so I am surprised there is a behavioral difference.

Hi @Tony,

Here are the policies I used in IAM of wasabisys:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": "arn:aws:s3:::caz.mybucket"
    },
    {
      "Effect": "Allow",
      "Action": "s3:*Object",
      "Resource": "arn:aws:s3:::caz.mybucket/*"
    }
  ]
}

Hi @cazzoo,
I’m not able to reproduce what you are seeing.

Here is what I did:

  1. Created a new bucket named tony.test in the us-west-1 region (s3.us-west-1.wasabisys.com)
  2. Created a new user tonytest
  3. Created an IAM policy like the one you posted above for user tonytest
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": "arn:aws:s3:::tony.test"
    },
    {
      "Effect": "Allow",
      "Action": "s3:*Object",
      "Resource": "arn:aws:s3:::tony.test/*"
    }
  ]
}
  4. Used the tonytest account access-key and secret-key to link the bucket using the Wasabi integration

I was able to link, create new folders, upload, and download to the bucket.

Let me know if I am missing something in my testing.

Hi @cazzoo,
I just wanted to make sure you saw the above. Are you still seeing the same issue?

Hi @Tony ,

Thank you for the time you spent investigating this. Today I tried once again and couldn’t reproduce…
Perhaps there was something wrong somewhere in my configuration :confused:

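Added example, not part of the original thread and not odrive's or Wasabi's code: a simplified evaluator for the Action/Resource wildcards in the policy posted above, showing which requests the scoped policy permits and which fall to implicit deny. It assumes AWS-style matching (explicit Deny wins, action names case-insensitive) and ignores Condition, NotAction and NotResource; the key `docs/a.txt` and the bucket `other.bucket` are constructed sample values.

```python
import re

# Policy as posted in the thread (bucket name taken from the page).
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
         "Resource": "arn:aws:s3:::caz.mybucket"},
        {"Effect": "Allow",
         "Action": "s3:*Object",
         "Resource": "arn:aws:s3:::caz.mybucket/*"},
    ],
}

def _match(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' is any run of characters, '?' exactly one."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern)
    flags = re.DOTALL | (re.IGNORECASE if ignore_case else 0)
    return re.fullmatch(rx, value, flags) is not None

def _as_list(v):
    return v if isinstance(v, list) else [v]

def is_allowed(policy, action, resource):
    """Explicit Deny wins, then any matching Allow, otherwise implicit deny."""
    allowed = False
    for st in _as_list(policy["Statement"]):
        hit = (any(_match(a, action, ignore_case=True) for a in _as_list(st["Action"]))
               and any(_match(r, resource) for r in _as_list(st["Resource"])))
        if hit and st["Effect"] == "Deny":
            return False
        allowed = allowed or (hit and st["Effect"] == "Allow")
    return allowed

def report(policy, bucket="caz.mybucket", key="docs/a.txt"):  # key is a constructed sample
    b, o = f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/{key}"
    checks = [("s3:ListAllMyBuckets", "arn:aws:s3:::*"), ("s3:ListBucket", b),
              ("s3:GetBucketLocation", b), ("s3:GetObject", o), ("s3:PutObject", o),
              ("s3:DeleteObject", o), ("s3:PutObjectAcl", o), ("s3:DeleteBucket", b),
              ("s3:GetObject", "arn:aws:s3:::other.bucket/x")]  # constructed bucket
    return {(a, r): is_allowed(policy, a, r) for a, r in checks}

if __name__ == "__main__":
    for (a, r), ok in report(POLICY).items():
        print(f"{'ALLOW' if ok else 'deny '}  {a:22} {r}")
```

Note that `s3:*Object` covers GetObject, PutObject and DeleteObject but not actions such as `s3:PutObjectAcl`, and nothing in this policy grants `s3:ListAllMyBuckets`.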