Intro:
This is Part 3 of 5 on how to setup and use Duplicati with Wasabi's Hot Cloud Storage.
This Article Explains How To:
- Enable Multi-Factor Authentication on the Sub-Account
- Create a Bucket(s) (each pc being backed up goes in its own bucket)
- Create two folders inside the bucket. One for the Duplicati files and one for a backup of the Duplicati database.
- Create a user (each pc being backed up should have its own user)
- Create and apply a policy to the user (not the bucket)
- Test the Wasabi policy
Enable Multi-Factor Authentication on the Sub-Account:
1. Login to the Wasabi Console at: https://console.wasabisys.com/
2. The most important thing to do immediately after setting up a sub-account is to turn on Multi-factor authentication. It can be found in settings. Click on the person icon in the top right then click Settings.
4. Leave, "MFA Recovery Codes" disabled since you can reset the root user's password from the WACM if you forget it. Use something like, Authy, to save this token. Enter one code then wait 30 seconds for another code to be generated and enter that code. Click on, "Activate Virtual MFA" when finished.
5. If the multi-factor authentication setup was successful you should see the following under MFA Settings:
Pay attention going forward.
Things to Accomplish:
1. Create a bucket with the following naming convention: "duplicati-pcname" where "pcname" is the actual name of the computer.
2. Create two folders inside the bucket. One is for the Duplicati backups of files on the computer and the other folder is for a backup of the database. This will come into play later when we do the restore for very large backups (100gb and up). Instead of pointing Duplicati to the files and saying recover them, which will be slow as it builds a new database, we can copy the existing database over and it'll accomplish this process much faster.
3. Create a Wasabi user and save the Access and Secret key (one user and one set of keys per computer to be backed up)
4. Create a policy and apply it to the Wasabi user.
If you remember from the previous article our sample customer was, "John's Seafood Shack". This customer is located at 1500 Green Road and the email we setup for the Wasabi account is, "cx-jss1500@xyz.com".
Since we're logged into the Wasabi console as the root user of John's Seafood Shack, we need to create a simple bucket naming convention when adding new computers to backup (replace "pcname" with the actual name of the computer):
"duplicati-pcname"
Wasabi buckets need to be globally unique in their system. If another Wasabi user is already using the bucket name you picked then the system will prevent you from creating that bucket. The odds of someone using the same naming convention and having the same customer as you are slim.
1 - Create a Bucket (one per pc to be backed up):
Before creating a bucket make sure you are editing the correct account! After logging in to the sub-account you can view this by clicking, "Settings" on the left then looking at the 3rd line down. It will say, "Account Name". I sent Wasabi a feature request for this, to identify somewhere on the main screen telling you which account you are logged into so you don't screw up an account you've accidentally signed into.
*The bucket name is globally unique to Wasabi.com and uses all lowercase characters.
1. On the main screen after logging in click, "Create" in the top right corner. Create a bucket with the following naming convention, "duplicati-pcname" where "pcname" is the actual name of the pc. Pick the region that you want to store the data in. In this case we will select, "N. Virginia us-east-1 (s3.wasabisys.com)".
When done click, "Create Bucket".
2. You should see the following after bucket creation:
Create Duplicati Folders Inside the Bucket:
1. Click on the new bucket name then on the next page click, "Create Folder" in the top right. In the screenshot below we are already in this bucket. Proceed to step 2.
2. Create the following folders in the root of the bucket:
- duplicati
- duplicati-database
3. It should look like this when you're done:
Create a User:
1. From the menu on the left, click, "Users".
2. Create a new user with the same name as the bucket name, "duplicati-desktop-488gd38". Select "Programmatic (create API key)". DO NOT SELECT, "CONSOLE"! Click, "next" when done.
4. Skip attaching a policy for now:
5. Verify the username is correct, API is selected, and console access is set to NO. Click, "Create User" when done.
6. After you click, "Create User" the prompt will change and it will have a Secret Key and Access Key. These are the keys that will be used to perform the backups. Make sure you download these. If you lose them you need to destroy the existing keys and regenerate a new set for the user.
7. Once you've downloaded them you can close the above box and proceed.
Create a Policy:
The policy we're about to create will give the user the ability to write to two folders, "duplicati" and "duplicati-database". For every new folder you create inside a bucket, you need to add a new policy for it or review the code below and duplicate the blocks of code that are responsible for the write access.
Here's the 3 blocks that need to be duplicated if you add another folder (only one policy at a time can be enabled on Wasabi's end). Pay attention to the curly brackets and make sure you properly close each block of code:
- AllowRootAndHomeListingOfCompanyBucket
- AllowListingOfUserFolder
- AllowAllS3ActionsInUserFolder
1. On the menu to the left click on, "Policies" then click, "Create Policy" on the top right.
2. Create a new policy with the same name as the user and the bucket, "duplicati-desktop-488gd38". Copy the following into the description, "Allows Duplicati user to read and write in its own bucket and nothing else".
3. Before you copy the below code into the, "Policy Document" section as seen in the screenshot above, we need to change some variables.
Using our bucket name of, "duplicati-desktop-488gd38" we're going to replace every instance of, "duplicati-pcname" below with our bucket name, "duplicati-desktop-488gd38". There are 8 instances that need to be replaced.
You don't have to mess with the policy itself as I've already written that out to work with the two sub folders, "duplicati" and "duplicati-database".
START OF TEMPLATE:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 | { "Version": "2012-10-17", "Statement": [ { "Sid": "AllowUserToSeeBucketListInTheConsole", "Effect": "Allow", "Action": [ "s3:ListAllMyBuckets", "s3:GetBucketLocation", "s3:GetBucketCompliance" ], "Resource": "arn:aws:s3:::*" }, { "Sid": "AllowRootAndHomeListingOfCompanyBucket", "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::duplicati-pcname", "Condition": { "StringEquals": { "s3:delimiter": "/", "s3:prefix": [ "", "duplicati" ] } } }, { "Sid": "AllowRootAndHomeListingOfCompanyBucket", "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::duplicati-pcname", "Condition": { "StringEquals": { "s3:delimiter": "/", "s3:prefix": [ "", "duplicati-database" ] } } }, { "Sid": "AllowListingOfUserFolder", "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::duplicati-pcname", "Condition": { "StringLike": { "s3:prefix": "duplicati/*" } } }, { "Sid": "AllowListingOfUserFolder", "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::duplicati-pcname", "Condition": { "StringLike": { "s3:prefix": "duplicati-database/*" } } }, { "Sid": "AllowAllS3ActionsInUserFolder", "Effect": "Allow", "Action": [ "s3:GetObject", "s3:PutObject", "s3:DeleteObject" ], "Resource": "arn:aws:s3:::duplicati-pcname/duplicati*" }, { "Sid": "AllowAllS3ActionsInUserFolder", "Effect": "Allow", "Action": [ "s3:GetObject", "s3:PutObject", "s3:DeleteObject" ], "Resource": "arn:aws:s3:::duplicati-pcname/duplicati-database*" }, { "Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": [ "arn:aws:s3:::duplicati-pcname", "arn:aws:s3:::duplicati-pcname/*" ] } ] } |
END OF TEMPLATE
Using our example it should now look like:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 | { "Version": "2012-10-17", "Statement": [ { "Sid": "AllowUserToSeeBucketListInTheConsole", "Effect": "Allow", "Action": [ "s3:ListAllMyBuckets", "s3:GetBucketLocation", "s3:GetBucketCompliance" ], "Resource": "arn:aws:s3:::*" }, { "Sid": "AllowRootAndHomeListingOfCompanyBucket", "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::duplicati-desktop-488gd38", "Condition": { "StringEquals": { "s3:delimiter": "/", "s3:prefix": [ "", "duplicati" ] } } }, { "Sid": "AllowRootAndHomeListingOfCompanyBucket", "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::duplicati-desktop-488gd38", "Condition": { "StringEquals": { "s3:delimiter": "/", "s3:prefix": [ "", "duplicati-database" ] } } }, { "Sid": "AllowListingOfUserFolder", "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::duplicati-desktop-488gd38", "Condition": { "StringLike": { "s3:prefix": "duplicati/*" } } }, { "Sid": "AllowListingOfUserFolder", "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::duplicati-desktop-488gd38", "Condition": { "StringLike": { "s3:prefix": "duplicati-database/*" } } }, { "Sid": "AllowAllS3ActionsInUserFolder", "Effect": "Allow", "Action": [ "s3:GetObject", "s3:PutObject", "s3:DeleteObject" ], "Resource": "arn:aws:s3:::duplicati-desktop-488gd38/duplicati*" }, { "Sid": "AllowAllS3ActionsInUserFolder", "Effect": "Allow", "Action": [ "s3:GetObject", "s3:PutObject", "s3:DeleteObject" ], "Resource": "arn:aws:s3:::duplicati-desktop-488gd38/duplicati-database*" }, { "Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": [ "arn:aws:s3:::duplicati-desktop-488gd38", "arn:aws:s3:::duplicati-desktop-488gd38/*" ] } ] } |
*The policy pretty much says what it's doing and not doing. With the above policy the, "duplicati-desktop-488gd38" user cannot write to the root folder, "duplicati-desktop-488gd38" but you can write inside of the two folders sitting in the root bucket, "duplicati" and "duplicati-database".
*The user cannot delete the bucket itself but they can remove the files inside of the folders as well as delete the folders themselves. Looking for a way to stop this but I don't think it's possible because folders don't really exist as per the Amazon s3 specifications.
4. Once you are sure you've changed all 8 variables marked in light red from the template, copy the updated template and paste it into the, "Policy Document" section as seen below. If the policy is valid and has no syntax errors it will say, "Policy is valid". Once that happens click, "Create Policy" at the bottom. If not go back and make sure you didn't accidentally remove a character.
5. You'll see the following message after a successful creation and will be dropped back off at the policies page. Look closely and you'll see there are 11 policies but the page is only showing you policies 1-10. To see the one you just created you need to change, "Rows per page" to 25 near the bottom. *After you attach the policy to the user you can click on the icon below to filter out only policies applied to users:
Apply the Policy to the User We Created Earlier:
* Still on the Policies page notice there's a zero to the right of the policy name we just created in the column for, "Number Attached". This simply means the number of users that policy is attached to at the time of the page refresh.
1. Menu on the left, click on, "Users".
2. Click on our username, "duplicati-desktop-488gd38".
3. Select, "Policies".
6. Note there is no save button on this page. After you select the policy it will show up as a bubble near the bottom of the policy tab.
At this point you're done. You can close the page.
Testing the Wasabi Policy:
1. Download Wasabi's tailored version of CloudBerry Explorer. It's free for Wasabi users and can only connect to Wasabi accounts. It's basically a stripped down version of CloudBerry Explorer. Scroll down the page and the download for the app is under, "Installation Instructions".
2. Install the application then open it.
3. We're going to use the Secret and Access Keys for the Wasabi user, "duplicati-desktop-488gd38". Do not use the root credentials for this test!
*Remember root can do anything including deleting the folders we created earlier. Our policy stops the sub users from doing this.
4. Open Wasabi Explorer.
6. In the box that pops up enter the following (enter the credentials that were generated when you created a user earlier) :
- Display Name = duplicati-desktop-488gd38
- Access Key = Your access key
- Secret Key = Your secret key
- Enable - Use SSL
When done, press, "ok" on the above box, then, "close" on the box behind it labeled, "Registered Accounts".
7. Click on the, "Source:" dropdown and select, "duplicati-desktop-488gd38".
TL;DR:
1. Log into https://console.wasabisys.com/
2. Settings --> MFA Settings --> Enable
2. Create a new bucket named, "duplicati-pcname" on "s3.wasabisys.com" --> Create Bucket
3. Create two folders inside this bucket:
- duplicati
- duplicati-database
4. Create a user named, "duplicati-pcname" --> Programmatic (Create API Key).
- WAIT FOR THE KEYS TO BE GENERATED AND COPY THEM!!!
5. Create a policy using the above template and name it, "duplicati-pcname". Edit the 8 variables in notepad.
- Use, "Allows Duplicati user to read and write in its own bucket and nothing else" as the description.
6. Apply the policy to the user. Users --> Pick Username --> Policies --> Start typing to find new policy --> Select (There's no save on this page, the policy is applied instantly).
7. Test using Wasabi Explorer
8. Update documents.
Next step is creating the backup job in Duplicati itself.
π½
No comments:
Post a Comment