Support » Plugin: BackWPup - WordPress Backup Plugin » BackWPUp S3 Permissions issue

  • Resolved fraserhardy

    (@fraserhardy)


    I have setup BackWPUp to use my S3 bucket and have created a IAM account for that bucket with full S3 permissions. I have tested this using the the keys with 3Hub (https://itunes.apple.com/us/app/3hub/id427515976?mt=12) and the keys allow me to view, upload, remove, edit. However every time I run the backup job I get the following error:

    [18-Mar-2014 15:57:14] 5212 Files with 284.18 MB in Archive.
    [18-Mar-2014 15:57:14] 1. Trying to send backup file to S3 Service …
    [18-Mar-2014 15:57:14] ERROR: S3 Service API: Access Denied
    [18-Mar-2014 15:57:14] 2. Trying to send backup file to S3 Service …
    [18-Mar-2014 15:57:14] ERROR: S3 Service API: Access Denied
    [18-Mar-2014 15:57:14] 3. Trying to send backup file to S3 Service …
    [18-Mar-2014 15:57:14] ERROR: S3 Service API: Access Denied
    [18-Mar-2014 15:57:14] ERROR: Step aborted: too many attempts!
    [18-Mar-2014 15:57:14] ERROR: Job has ended with errors in 77 seconds. You must resolve the errors for correct execution.

    Does this plugin require additional AWS permissions as I cant find any details on this and dont really want to give permissions for anything other than the bucket I am using for backup.

    https://wordpress.org/plugins/backwpup/

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Author Daniel Hüsken

    (@danielhuesken)

    On default the Plugin will make a multipart Upload. Can you try what happends if you disable it. Is is in the S3 confuguration tab.

    Thread Starter fraserhardy

    (@fraserhardy)

    It was still not working with multipart upload disabled. After some more debugging and looking into the S3 access logs I found the request which was failing was for fetching the Bucket Location (http://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketGETlocation.html)

    I had set all permissions for that bucket but needed to add the following to my bucket policy:

    {
       "Sid": "RequiredByS3Console",
       "Action": ["s3:GetBucketLocation"],
       "Effect": "Allow",
       "Resource": ["arn:aws:s3:::*"]
    }

    In my case the fix was to specify both the bucket and the folder permissions like so:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "s3:*",
    "Resource": [
          "arn:aws:s3:::BUCKET_NAME",
          "arn:aws:s3:::BUCKET_NAME/*"
        ]
        }
      ]
    }

    obviously replacing BUCKET_NAME with the name of your bucket. I think it’s due to the need for access to the bucket itself, along with any folder within, but I’m pretty new to S3.

    Hi
    I’ve been trying to get this working for the past year, but I can only do it by giving the IAM user permissions to access all my buckets and allow GetObjects which is way too permissive. Especially as I want to use this for multiple websites, using the same user access key. theoreticaly if one of my websites got hacked, they’d have the key to access my S3 account and download all the backups and sensitive data from all my other sites.

    After hours of trial and error it seems that permission to GetObject is required by backWPup. I can’t see why that’s necessary, because to back up you need to PutObject. Ideally I just want to grant the user permission to PutObject only. But without GetObject permission it fails.

    Any suggestions gratefully received, as BackWPup is fantastic, and I’d love to use it for all my sites 🙂
    Cheers
    Nark

    Two things from kylewhenderson’s answer fixed the issue for me:
    * Using “Action”: “s3:*” (instead of just get, put, delete)
    * Adding “arn:aws:s3:::BUCKET_NAME”.
    Thanks!

Viewing 5 replies - 1 through 5 (of 5 total)
  • The topic ‘BackWPUp S3 Permissions issue’ is closed to new replies.