Bug #73615 Required S3 permissions not documented
Submitted: 17 Aug 2014 18:30 Modified: 6 Feb 2015 22:05
Reporter: Daniël van Eeden (OCA) Email Updates:
Status: Closed Impact on me:
None 
Category:MySQL Enterprise Backup Documentation Severity:S3 (Non-critical)
Version:3.10.2 OS:Any
Assigned to: Daniel So CPU Architecture:Any
Tags: cloud, permissions, s3

[17 Aug 2014 18:30] Daniël van Eeden 
Description:
If I use --cloud-service=s3 and other cloud options to backup to S3 I'll need a keyid and accesskey.

But what privileges does the s3 account need?

http://dev.mysql.com/doc/mysql-enterprise-backup/3.10/en/meb-backup-cloud.html
http://dev.mysql.com/doc/mysql-enterprise-backup/3.10/en/backup-cloud-options.html

How to repeat:
Read docs and try to find the minimum privileges needed to create a backup user.

The backup user:
- must be able to make and restore backups
- must not be able to delete backups (for security reasons)
- must not be able to read/write/list other buckets.

Suggested fix:
List a policy with the least privileges needed to:
- create a backup
- validate a backup
- restore a backup

A policy document like this might work (not tested):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1408299962000",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket",
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::example_bucket"
      ]
    }
  ]
}
[17 Aug 2014 19:53] Daniël van Eeden 
This is probably the minimal required policy. Tested with 3.10.2.

Replace my_meb_bucket with the actual bucket name.
-------------------------------------------
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1408302840000",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket", 
        "s3:ListBucketMultipartUploads",
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::my_meb_bucket/*"
      ]
    }
  ]
}
-------------------------------------------
[17 Aug 2014 19:54] Daniël van Eeden 
The permissions are listed here:
http://docs.aws.amazon.com/AmazonS3/latest/dev/using-with-s3-actions.html
[18 Aug 2014 7:48] MySQL Verification Team 
Hello Daniël,

Thank you for the report.

Thanks,
Umesh
[6 Feb 2015 22:05] Daniel So 
Added the following explanation to the description of the --cloud-bucket option in the MySQL Enterprise Backup 3.10 and 3.11 manuals:

" In order to perform cloud backups and restores with the bucket, the user identified by the --cloud-access-key-id option must have at least the following permissions on the bucket:

    s3:ListBucket: For listing information on items in the bucket.

    s3:ListBucketMultipartUploads: For listing multipart uploads in progress to the bucket.

    s3:GetObject: For retrieving objects from the bucket.

    s3:PutObject: For adding objects to the bucket. "

The changes will be available in the next builds of the manuals.