S3 Backup stopped working in April - "An error occurred (AccessDenied) when calling the ListBuckets operation: Access Denied"

lejon · May 10, 2024, 10:08pm

SYSTEM INFORMATION
OS type and version	Ubuntu Linux 20.04.6
Webmin version	2.111
Virtualmin version	7.10.0
Related packages	SUGGESTED

Previously backups had worked perfectly fine - I looked at the bucket I’m backing things up to, and there are lots of backups going back to March 31st 2024, however since then I’ve been getting emails about it failing, the error is:

An error occurred (AccessDenied) when calling the ListBuckets operation: Access Denied

Backup failed! See the progress output above for the reason why.

I’ve tested the exact same credentials and bucket access in Cyberduck, CLI, and using a Laravel package and they all work fine - Virtualmin is the only one that’s not working.

Can anyone help me? I’ll provide whatever other info needed (Except for the bucket/credentials obviously)

The policy includes basically every single S3 permission at this point - including ListBucket and listallmybuckets. I’ve just been adding more and more permissions to the policy to try to figure this out and… Still, nothing. Like I said other ways of accessing the bucket work perfectly fine, and Virtualmin’s backup worked perfectly fine until April 1st this year.

stefan1959 · May 10, 2024, 11:43pm

I use aws and working fine.
Backup failed! See the progress output above for the reason why.

So can you post the output or find a error might help, not much to go on.

lejon · May 10, 2024, 11:45pm

The error is in the quote, right above the line you shared. This is all it says:

An error occurred (AccessDenied) when calling the ListBuckets operation: Access Denied

stefan1959 · May 10, 2024, 11:47pm

Assess Denied could mean anything.

This is the policy I use on aws

{
“Version”: “2012-10-17”,
“Statement”: [
{
“Sid”: “VisualEditor0”,
“Effect”: “Allow”,
“Action”: [
“s3:ListStorageLensConfigurations”,
“s3:ListAccessPointsForObjectLambda”,
“s3:GetAccessPoint”,
“s3:PutAccountPublicAccessBlock”,
“s3:GetAccountPublicAccessBlock”,
“s3:ListAllMyBuckets”,
“s3:ListAccessPoints”,
“s3:PutAccessPointPublicAccessBlock”,
“s3:ListJobs”,
“s3:PutStorageLensConfiguration”,
“s3:ListMultiRegionAccessPoints”,
“s3:CreateJob”
],
“Resource”: “"
},
{
“Sid”: “VisualEditor1”,
“Effect”: “Allow”,
“Action”: [
“s3:ListBucketMultipartUploads”,
"s3:”,
“s3:ListBucketVersions”,
“s3:ListBucket”,
“s3:ListMultipartUploadParts”
],
“Resource”: “arn:aws:s3:::*”
}
]
}

lejon · May 13, 2024, 7:56pm

After a lot of playing around, I found out that Virtualmin, for whatever reason, now requires “ListAllMyBuckets” on “Resource”: “arn:aws:s3:::*”

So I’m guessing at some point in March or maybe early April, an update was pushed out to require ListAllMyBuckets to even so much as to save a new S3 Account in Virtualmin.

Here’s the relevant policy I ended up using, gonna play around and remove some actions later but it’s working for now and I don’t want to risk breaking it:

        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucketMultipartUploads",
                "s3:ListBucketVersions",
                "s3:ListBucket",
                "s3:ListMultipartUploadParts",
                "s3:ListStorageLensConfigurations",
                "s3:ListAllMyBuckets",
                "s3:ListAccessPoints"
            ],
            "Resource": "arn:aws:s3:::*"
        },

I appreciate the help, @stefan1959 - not sure I would have figured it out without it.

system · May 21, 2024, 7:57pm

This topic was automatically closed 8 days after the last reply. New replies are no longer allowed.