@obale
Created July 4, 2021 21:38
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::restic/locks",
        "arn:aws:s3:::restic/locks/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::restic/*"
      ]
    }
  ]
}

obale commented Jul 4, 2021

The policy outlined above allows restic to perform backup and read-only operations. By design, the forget and prune commands are NOT permitted. This is especially useful when running scheduled backup tasks on remote machines. To increase security, create a dedicated user (here someuser) per machine.

The bucket name here is restic; if your bucket differs, please change the policy above accordingly.

$ mc admin user add myminio someuser
$ mc admin policy add myminio backup minio-restic-policy.json
$ mc admin policy set myminio backup user=someuser
$ mc admin user policy myminio someuser

Tested with restic v0.12.0 and minio RELEASE.2021-06-17T00-10-46Z
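
A simplified offline check of what the policy above permits, added here as an example (it is not part of the gist and is not MinIO's own policy engine). The object keys are constructed and assume restic's standard repository layout (data/, index/, snapshots/, locks/); `is_allowed` and `evaluate` are hypothetical helper names.

```python
import json
from fnmatch import fnmatchcase

# The policy from this gist, embedded so the example runs offline.
POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["s3:*"],
   "Resource": ["arn:aws:s3:::restic/locks", "arn:aws:s3:::restic/locks/*"]},
  {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject"],
   "Resource": ["arn:aws:s3:::restic/*"]}
]}
""")

def is_allowed(policy, action, bucket, key):
    """Simplified model: explicit Deny wins, then any matching Allow, else deny."""
    arn = f"arn:aws:s3:::{bucket}/{key}"
    allowed = False
    for stmt in policy["Statement"]:
        hit = (any(fnmatchcase(action, a) for a in stmt["Action"])
               and any(fnmatchcase(arn, r) for r in stmt["Resource"]))
        if hit and stmt["Effect"] == "Deny":
            return False
        if hit and stmt["Effect"] == "Allow":
            allowed = True
    return allowed

# Constructed object keys following restic's repository layout (assumption).
CASES = [
    ("backup: upload pack",     "s3:PutObject",    "data/ab/ab12cd"),
    ("backup: write snapshot",  "s3:PutObject",    "snapshots/5f3e"),
    ("backup: release lock",    "s3:DeleteObject", "locks/9c01"),
    ("restore: read pack",      "s3:GetObject",    "data/ab/ab12cd"),
    ("forget: delete snapshot", "s3:DeleteObject", "snapshots/5f3e"),
    ("prune: delete pack",      "s3:DeleteObject", "data/ab/ab12cd"),
    ("prune: delete old index", "s3:DeleteObject", "index/77aa"),
]

def evaluate(policy=POLICY, bucket="restic"):
    """Map each restic operation label to the policy decision for it."""
    return {label: is_allowed(policy, action, bucket, key)
            for label, action, key in CASES}

if __name__ == "__main__":
    for label, ok in evaluate().items():
        print(f"{'ALLOW' if ok else 'DENY':5}  {label}")
```

s3:PutObject does not distinguish creating an object from overwriting one, so the policy blocks deletion but not replacement of existing repository files. Bucket versioning or object locking on the server side covers that gap.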
