Add destination with MBS API

Hi again!

I am trying to add a destination to a storage account using the API. However, it seems like it’s not authenticating to S3 properly.

It works fine in the Management Console.

Below you will find the role policy I made for the CloudBerry role in AWS, and the API response.

Is there a problem on my end or on yours?

Thanks!

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadWriteObjectsFromNRCIPSpace",
      "Effect": "Allow",
      "Action": [
        "s3:AbortMultipartUpload",
        "s3:DeleteObject",
        "s3:DeleteObjectTagging",
        "s3:DeleteObjectVersion",
        "s3:DeleteObjectVersionTagging",
        "s3:GetAccelerateConfiguration",
        "s3:GetAccountPublicAccessBlock",
        "s3:GetAnalyticsConfiguration",
        "s3:GetBucketAcl",
        "s3:GetBucketCORS",
        "s3:GetBucketLocation",
        "s3:GetBucketPolicy",
        "s3:GetBucketPublicAccessBlock",
        "s3:GetBucketRequestPayment",
        "s3:GetBucketTagging",
        "s3:GetBucketVersioning",
        "s3:GetEncryptionConfiguration",
        "s3:GetInventoryConfiguration",
        "s3:GetLifecycleConfiguration",
        "s3:GetMetricsConfiguration",
        "s3:GetObject",
        "s3:GetObjectAcl",
        "s3:GetObjectTagging",
        "s3:GetObjectVersion",
        "s3:GetObjectVersionAcl",
        "s3:GetObjectVersionForReplication",
        "s3:GetObjectVersionTagging",
        "s3:GetReplicationConfiguration",
        "s3:ListBucketByTags",
        "s3:ListBucketMultipartUploads",
        "s3:ListBucketVersions",
        "s3:ListMultipartUploadParts",
        "s3:PutAccelerateConfiguration",
        "s3:PutEncryptionConfiguration",
        "s3:PutLifecycleConfiguration",
        "s3:PutObject",
        "s3:PutObjectTagging",
        "s3:PutObjectVersionTagging",
        "s3:ReplicateDelete",
        "s3:ReplicateObject",
        "s3:ReplicateTags",
        "s3:RestoreObject"
      ],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:IpAddress": {
          "aws:SourceIp": [
            "custom IP range 1",
            "custom IP range 2"
          ]
        }
      }
    },
    {
      "Sid": "CloudBerryManagementConsoleListBuckets",
      "Effect": "Allow",
      "Action": [
        "s3:HeadBucket",
        "s3:ListAllMyBuckets",
        "s3:ListBucket"
      ],
      "Resource": "*"
    }
  ]
}

Here’s the response:

{'ExceptionMessage': 'The security token included in the request is invalid.',
 'ExceptionType': 'CloudBerryLab.Base.Exceptions.Status403Exception',
 'InnerException': {'ExceptionMessage': 'The security token included in the '
                                        'request is invalid.',
                    'ExceptionType': 'CloudBerryLab.S3Client.STS.STSWebException',
                    'InnerException': {'ExceptionMessage': 'The remote server '
                                                           'returned an error: '
                                                           '(403) Forbidden.',
                                       'ExceptionType': 'System.Net.WebException',
                                       'Message': 'An error has occurred.',
                                       'StackTrace': '   at '
                                                     'System.Net.HttpWebRequest.GetResponse()\r\n'
                                                     '   at '
                                                     'CloudBerryLab.Base.HttpUtil.Light.LightWebClient.ExecRequestImmediate(LightWebRequestProps '
                                                     'webRequestData)'},
                    'Message': 'An error has occurred.',
                    'StackTrace': None},
 'Message': 'An error has occurred.',
 'StackTrace': '   at '
               'CloudBerryLab.Base.HttpUtil.Light.LightWebClient.ExecRequestAndThrowStorageSpecificException(LightWebRequestProps '
               'webRequestData)\r\n'
               '   at '
               'CloudBerryLab.Base.HttpUtil.Light.LightWebClient.DoRetries(LightWebRequestProps '
               'webRequestData)\r\n'
               '   at '
               'CloudBerryLab.Base.HttpUtil.Light.LightHttpClient.HandleRedirects(LightWebRequestProps '
               'webRequestData)\r\n'
               '   at '
               'CloudBerryLab.Base.HttpUtil.Light.LightHttpClient.ExecRequestAndHandleSmartDelays(LightWebRequestProps '
               'webRequestProps)\r\n'
               '   at CloudBerryLab.S3Client.STS.STSClient.AssumeRole(String '
               'roleSessionName, String roleARN, Int32 durationSeconds, String '
               'policy, String externalID, ICancelable cancelable)\r\n'
               '   at '
               'CloudBerryLab.S3Client.Security.AmazonAuthService.GetAssumedRoleCredentials(S3Settings '
               's3Settings, ICancelable cancelable)\r\n'
               '   at '
               'CloudBerryLab.S3Client.Security.AmazonAuthService.GenerateNewToken(ICancelable '
               'cancelable)\r\n'
               '   at '
               'CloudBerryLab.Client.Security.AuthServiceBase.GetToken(ICancelable '
               'sync)\r\n'
               '   at '
               'CloudBerryLab.S3Client.S3.LightS3Client.AuthorizeRequest(WebRequest '
               'request, LightWebRequestProps webRequestProps)\r\n'
               '   at '
               'CloudBerryLab.Base.HttpUtil.Light.LightWebClient.ExecRequestImmediate(LightWebRequestProps '
               'webRequestData)\r\n'
               '   at '
               'CloudBerryLab.Base.HttpUtil.Light.LightWebClient.ExecRequestAndThrowStorageSpecificException(LightWebRequestProps '
               'webRequestData)\r\n'
               '   at '
               'CloudBerryLab.Base.HttpUtil.Light.LightWebClient.DoRetries(LightWebRequestProps '
               'webRequestData)\r\n'
               '   at '
               'CloudBerryLab.Base.HttpUtil.Light.LightHttpClient.HandleRedirects(LightWebRequestProps '
               'webRequestData)\r\n'
               '   at '
               'CloudBerryLab.Base.HttpUtil.Light.LightHttpClient.ExecRequestAndHandleSmartDelays(LightWebRequestProps '
               'webRequestProps)\r\n'
               '   at '
               'CloudBerryLab.S3Client.S3.LightS3Client.ListBuckets(ICancelable '
               'cancelable)\r\n'
               '   at '
               'CloudBerryLab.S3Client.S3.S3ConnectionLight.ListBuckets(ICancelable '
               'cancelable)\r\n'
               '   at '
               'CloudBerryLab.S3Client.IO.S3Folder.InitializeItems(Boolean '
               'forceDescendants, Boolean doNotCreateFolders, String '
               'searchPattern, StreamSync streamSync)\r\n'
               '   at CloudBerryLab.S3Client.IO.S3Folder.GetDirectories(String '
               'searchPattern, SearchOption searchOption)\r\n'
               '   at '
               'CloudBerryLab.Backup.Engine.Cloud.Connection.BaseConnection.GetRootFolders()\r\n'
               '   at '
               'CloudBerryLab.Web.MBS.Utils.CloudHelper.CloudHelper.GetBucketList(String '
               'servicePoint, Boolean create)\r\n'
               '   at '
               'MBSAPImvc.Engine.Controllers.AccountsEngine.AddDestinationAccountInternal(DestinationOfAccountCreate '
               'destination, MBSProvider provider, String& location)\r\n'
               '   at '
               'MBSAPImvc.Controllers.AccountsController.AddDestinationAccount(DestinationOfAccountCreate '
               'destination)'}

[reply=“JoeyDumont;d733”] Don’t really see anything unusual with that role, so it’s better to send an email to [email protected] regarding issues like that.

Noted, and done, thanks!