Veeam v13 Using Wasabi IAM and STS Authentication


Wasabi is a member of Veeam's cloud partner ecosystem. We have worked closely with Veeam to offer both a seamless implementation and a smooth transition to cloud storage. Veeam with Wasabi Solution Overview provides more information on the Wasabi-Veeam partnership and solutions. Veeam's Backup and Replication software version 13 provides direct to Wasabi object storage functionality for backup and backup copy jobs.

This article provides the procedure to utilize Wasabi’s Identity and Access Management (IAM) service and Security Token Service (STS) for authentication so Veeam can access your Wasabi data. Wasabi’s STS is a service that lets a client such as Veeam create temporary credentials for an IAM user to access your Wasabi resources.

The data restoration process is handled by your specific backup software application. As there are many potential variables that will affect your unique environment, Wasabi strongly recommends that you seek the guidance of your backup software's technical support team in the event that you encounter difficulty or have application-specific inquiries.

If you are going to leverage immutable Veeam backups, follow the steps in Object Lock: Enabling. Enabling bucket versioning only is not a proper configuration for immutable Veeam backups and can cause problems. If you are simply going to use regular Veeam backups with Wasabi buckets, bucket versioning is not required.

Prerequisites

  • Active Wasabi Storage account.

  • Wasabi bucket created. Using Object Lock on your bucket is highly recommended from a security perspective so your data will be immutable for the amount of time configured in Veeam. Object Lock protects your data against malicious or accidental deletion.  For more information, review Working With Buckets and Objects.

  • Veeam Backup and Replication version 13 software installed and licensed. This solution was most recently tested with v13.0.1.

  • A valid Veeam license that supports capabilities for object storage.

  • Virtual machines to be backed up added to the Veeam B&R application.

Since the Veeam web user interface (UI) does not yet support creating object storage repositories, you must use the Veeam Windows client.  If you’re using the Veeam Software Appliance, the client is downloadable from your Veeam Software Appliance login page by clicking “Download Windows-based backup console for full experience”.

One Linux-based virtual machine (VM) runs the Veeam Software Appliance, and another Windows-based VM (or any Windows computer) runs the client software.


Creating Wasabi Policies

In Veeam version 13, Veeam Backup and Replication software can back up to Wasabi cloud object storage utilizing IAM and STS authentication.  The first step is to create Wasabi policies to restrict access to your Veeam data.

  1. Log in to the Wasabi Console.  

  2. Click Policies and then Create Policy.

  3. Give the policy a name.

  4. Paste the following policy into the policy editor.  Replace YOUR_BUCKET_NAME with the name of your bucket that will be used for Veeam data.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "s3:GetObject",
            "s3:PutObject",
            "s3:DeleteObject",
            "s3:GetBucketVersioning",
            "s3:GetBucketObjectLockConfiguration",
            "s3:ListBucketVersions",
            "s3:GetObjectVersion",
            "s3:GetObjectRetention",
            "s3:GetObjectLegalHold",
            "s3:PutObjectRetention",
            "s3:PutObjectLegalHold",
            "s3:DeleteObjectVersion",
            "s3:GetBucketLocation"
          ],
          "Resource": [
            "arn:aws:s3:::YOUR_BUCKET_NAME/*",
            "arn:aws:s3:::YOUR_BUCKET_NAME"
          ]
        },
        {
          "Effect": "Allow",
          "Action": [
            "s3:ListAllMyBuckets",
            "s3:ListBucket"
          ],
          "Resource": "*"
        }
      ]
    }

  5. Click Create Policy.

  6. Create another policy with a name such as “VeeamIamPolicy” by pasting the following into the policy editor.  Replace YOUR_ACCOUNT_NUMBER with your account ID that can be found under Settings in the Wasabi Console.  The “veeam” user referenced in the policy will be created next.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "iam:AttachUserPolicy",
            "iam:CreateAccessKey",
            "iam:CreatePolicy",
            "iam:CreatePolicyVersion",
            "iam:CreateUser",
            "iam:DeleteAccessKey",
            "iam:DeletePolicy",
            "iam:DeleteUser",
            "iam:DeleteUserPolicy",
            "iam:DeletePolicyVersion",
            "iam:DetachUserPolicy",
            "iam:GetPolicy",
            "iam:GetPolicyVersion",
            "iam:GetUser",
            "iam:GetUserPolicy",
            "iam:ListAccessKeys",
            "iam:ListAttachedUserPolicies",
            "iam:ListPolicyVersions",
            "iam:ListGroupsForUser",
            "iam:ListUserPolicies",
            "iam:PutUserPolicy",
            "iam:AddUserToGroup",
            "iam:RemoveUserFromGroup",
            "iam:SetDefaultPolicyVersion",
            "sts:GetCallerIdentity",
            "sts:AssumeRole"
          ],
          "Resource": "arn:aws:iam::YOUR_ACCOUNT_NUMBER:user/veeam"
        }
      ]
    }
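
A pre-flight check for the two policies above, as an added example that is not part of the original article or of Wasabi's or Veeam's tooling: it flags placeholders left unreplaced, resources outside the ARNs you expect, and statements that apply to every resource. The bucket name example-veeam-bucket and the function audit_policy are assumptions made for the illustration.

```python
import json

PLACEHOLDERS = ("YOUR_BUCKET_NAME", "YOUR_ACCOUNT_NUMBER")

# Constructed sample: the S3 policy above, shortened to three actions, with the
# placeholder replaced by a hypothetical bucket name.
SAMPLE_S3_POLICY = """
{"Version": "2012-10-17",
 "Statement": [
  {"Effect": "Allow",
   "Action": ["s3:GetObject", "s3:PutObject", "s3:PutObjectRetention"],
   "Resource": ["arn:aws:s3:::example-veeam-bucket/*",
                "arn:aws:s3:::example-veeam-bucket"]},
  {"Effect": "Allow",
   "Action": ["s3:ListAllMyBuckets", "s3:ListBucket"],
   "Resource": "*"}]}
"""

def as_list(value):
    """Policy fields may hold one item (string or object) or a list of them."""
    return [value] if isinstance(value, (str, dict)) else list(value)

def audit_policy(policy_text, expected_resources):
    """Return a list of findings for an edited policy document.

    expected_resources: the exact ARNs this policy is meant to cover.
    Raises ValueError if the text is not valid JSON (e.g. a broken paste).
    """
    findings = [f"placeholder not replaced: {p}"
                for p in PLACEHOLDERS if p in policy_text]
    policy = json.loads(policy_text)
    for i, stmt in enumerate(as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = ", ".join(as_list(stmt.get("Action", [])))
        for res in as_list(stmt.get("Resource", [])):
            if res == "*":
                findings.append(f"statement {i}: every resource: {actions}")
            elif res not in expected_resources:
                findings.append(f"statement {i}: unexpected resource: {res}")
    return findings

if __name__ == "__main__":
    bucket = "arn:aws:s3:::example-veeam-bucket"
    for finding in audit_policy(SAMPLE_S3_POLICY, {bucket, bucket + "/*"}):
        print(finding)
```

Run on the sample, it reports the second statement of the S3 policy, whose list actions apply to every resource rather than only the backup bucket.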

Creating a Wasabi User

  1. In the Wasabi Console, click Users, then click Create User.

  2. Name the user “veeam”, give them Programmatic access, and click Next.

  3. It is not necessary to assign the user to a group.  Click Next.

  4. Select the two previously created policies from the drop-down menu by clicking them one at a time.  They will appear at the bottom of the window.

  5. After the two policies are attached to the user, click Next.

  6. Review the user details and click Create User.

  7. Click Download Keys and save the file in a secure location.  These keys will be used later in Veeam.

  8. Click the X at the top of the window to close.

  9. Click Close.

  10. You will now see the “veeam” user in the users list.

Creating Wasabi as an Object Repository

  1. Log in to your Veeam console. The Windows console must be used to create object storage repositories.  

  2. Under Backup Infrastructure, select Backup Repositories, then click Add Repository.

  3. Click Object Storage.

  4. Click Additional Providers.

  5. Click Wasabi Cloud Storage.

  6. Give the repo a name and click Next.

  7. Enter the proper region for your bucket and click Add… next to Credentials.

    This configuration example discusses the use of Wasabi's us-east-2 storage region. Use the region your bucket is located in. For a list of regions, see Available Storage Regions.

  8. Enter the Access and Secret keys from the “veeam” user created above.  Click OK.

  9. Click Next.

  10. Click Browse next to the Bucket field.

  11. Select your bucket and click OK.

  12. Click Browse next to the Folder field.

  13. Click New Folder and give the folder a name.

  14. Select the folder and click OK.

  15. It is highly recommended to check “Make backups immutable”. By default, the minimum immutability period is “entire retention period,” and you may click the link to change it if desired.  Click Next.

  16. In the Mount Server tab, keep the default values and click Next.

  17. Click Apply.

  18. Click Next.

  19. Click Finish.

  20. You will now see the Wasabi repository in the repo list.

Enabling IAM/STS in Veeam

  1. Log in to your Veeam console.  The Windows console must be used.

  2. Under Backup Infrastructure > Backup Repositories select the Wasabi repository created above.  This must be the Wasabi repo using the “veeam” user’s Access and Secret keys.

  3. Right-click on the Wasabi repo. Click Access permissions…

  4. Select the radio button next to Provided by IAM/STS object storage capabilities (direct to object).  Keep the default values of “iam.wasabisys.com” and “sts.wasabisys.com”.  Click OK.

Associating the Wasabi Repo With a Backup Job

Follow the sections in the appropriate article for your environment to create a new backup job, backup copy job, or Scale-out Backup Repository (SOBR) and associate the Wasabi repo with it.  An existing job may be used instead.  Select Run the job when I click Finish to run a test backup.

Creating a Backup Job
Creating a Backup Copy Job
Creating a Scale-out Backup Repository followed by Creating a Backup Job

Running a Test Restore

In this section we will run an example test restore of a virtual machine (VM) that was backed up with a backup job.  

  1. On the Home tab, click Backups, and then Object Storage. Under the job that created the backup, select the virtual machine or other disks, files, and so on that you want to restore (a VM is selected in this example). Since a VM is being restored in this example, click Entire VM.

  2. Select the appropriate option from the menu.  In our example we selected VMware vSphere since this is where the VM was backed up from.

  3. Click Point…

  4. Select the appropriate restore point and click OK.

  5. Click Next.

  6. Select the appropriate restore mode.  Since this is just a test, we selected “Restore to a new location, or with different settings”.  Click Next.

  7. Change the host if needed and click Next.

  8. Change the resource pool if needed and click Next.

  9. Select a different Datastore if needed and click Next.

  10. Click Name to change the name of the restored VM so as not to conflict with the original.  

  11. Click the checkbox next to “Add suffix” and change the name if needed to be unique on your network.  Click OK.

  12. Click Next.

  13. Select the line for your VM to highlight it and click Disconnect.  This will prevent an IP address conflict on your network.

  14. Click Next.

  15. On the next screen click Next.

  16. Optionally enter a restore reason and click Next.

  17. Select the checkbox next to Power on target VM after restoring.  Click Finish.

  18. Ensure the Status shows “Success” and click Close.

  19. Log in to your VM’s console via its hypervisor to ensure the VM is operational.

  20. Optionally, delete the restored VM.  Do NOT delete the original VM.