S3 Storage
Restic restore access requirements
Restic uses locks so that, for example, a prune cannot start while a restore is
running. For this to work, even the read-only access keys need write access to
the /locks path of the repository.
An alternative is to run the commands with the --no-lock flag, though it is not
clear whether VolSync supports this.
The required S3 policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::my-volsync-bucket/*",
        "arn:aws:s3:::my-other-volsync-bucket/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:DeleteObject",
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::my-volsync-bucket/*/*/locks/*",
        "arn:aws:s3:::my-other-volsync-bucket/*/*/locks/*"
      ]
    }
  ]
}
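Added example (not from the original page or from the restic or VolSync projects): a simplified policy evaluator, covering only Effect, Action and Resource, that runs the restic policy above against constructed object keys to show exactly where the read-only key can write. The `<namespace>/<app>/` repository prefix and the sample keys are assumptions; because `*` also matches `/`, the lock pattern covers any key with a `/locks/` segment at least two levels below the bucket root, not only exactly two.

```python
import json
import re

# Restic read-only policy from this page, reduced to one bucket.
POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow",
   "Action": ["s3:GetBucketLocation", "s3:GetObject", "s3:ListBucket"],
   "Resource": ["arn:aws:s3:::my-volsync-bucket/*"]},
  {"Effect": "Allow",
   "Action": ["s3:DeleteObject", "s3:PutObject"],
   "Resource": ["arn:aws:s3:::my-volsync-bucket/*/*/locks/*"]}
]}""")

def wildcard_match(pattern, value, ignore_case=False):
    """IAM-style match: '*' is any run of characters (including '/'), '?' is exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.DOTALL | (re.IGNORECASE if ignore_case else 0)) is not None

def as_list(value):
    return value if isinstance(value, list) else [value]

def is_allowed(policy, action, bucket, key):
    """Default deny; an explicit Deny wins over any Allow. Conditions are not modelled."""
    arn = f"arn:aws:s3:::{bucket}/{key}"
    allowed = False
    for stmt in policy["Statement"]:
        if not any(wildcard_match(a, action, True) for a in as_list(stmt["Action"])):
            continue
        if not any(wildcard_match(r, arn) for r in as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

# Constructed requests; the "ns/app/" repository prefix is an assumption.
SAMPLES = [
    ("s3:GetObject", "ns/app/snapshots/0a1b"),  # read repository data
    ("s3:PutObject", "ns/app/locks/0c2d"),      # create a lock
    ("s3:PutObject", "ns/app/data/ab/abcd"),    # write a data pack
    ("s3:PutObject", "app/locks/0c2d"),         # repository only one level deep
    ("s3:PutObject", "ns/app/sub/locks/0c2d"),  # '*' spans '/', so deeper paths match
]

if __name__ == "__main__":
    for action, key in SAMPLES:
        verdict = "ALLOW" if is_allowed(POLICY, action, "my-volsync-bucket", key) else "DENY"
        print(f"{verdict:5} {action:15} {key}")
```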
CNPG restore access requirements
The following S3 policy is needed for the restore via CloudNative PG (Barman):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::my-cnpg-bucket/*"
      ]
    }
  ]
}