Prune is Failing on Wasabi with Permissions Error

lyntux · 6 June 2024 00:29

I am getting a prune failure error due to some sort of permissions issue when I back up my files to Wasabi. Here’s the sanitized output of the error message.

Running prune command from /home/username/.duplicacy-web/repositories/localhost/all
Options: [-log prune -storage computer-name -keep 0:365 -keep 7:90 -keep 1:7 -a]
2024-06-05 18:12:26.628 INFO STORAGE_SET Storage set to wasabi://us-west-1@s3.us-west-1.wasabisys.com/backup-folder/computer-name
2024-06-05 18:12:27.290 INFO RETENTION_POLICY Keep no snapshots older than 365 days
2024-06-05 18:12:27.290 INFO RETENTION_POLICY Keep 1 snapshot every 7 day(s) if older than 90 day(s)
2024-06-05 18:12:27.290 INFO RETENTION_POLICY Keep 1 snapshot every 1 day(s) if older than 7 day(s)
2024-06-05 18:12:32.312 INFO SNAPSHOT_DELETE Deleting snapshot local-home at revision 2
2024-06-05 18:12:32.336 INFO SNAPSHOT_DELETE Deleting snapshot local-home at revision 3
2024-06-05 18:12:32.355 INFO SNAPSHOT_DELETE Deleting snapshot local-home at revision 4
2024-06-05 18:12:32.374 INFO SNAPSHOT_DELETE Deleting snapshot local-home at revision 5
2024-06-05 18:12:32.395 INFO SNAPSHOT_DELETE Deleting snapshot local-home at revision 6
2024-06-05 18:12:32.414 INFO SNAPSHOT_DELETE Deleting snapshot local-home at revision 7
2024-06-05 18:12:32.433 INFO SNAPSHOT_DELETE Deleting snapshot local-home at revision 9
2024-06-05 18:12:32.453 INFO SNAPSHOT_DELETE Deleting snapshot local-home at revision 10
2024-06-05 18:12:32.472 INFO SNAPSHOT_DELETE Deleting snapshot local-home at revision 11
2024-06-05 18:12:32.490 INFO SNAPSHOT_DELETE Deleting snapshot local-home at revision 12
2024-06-05 18:12:32.507 INFO SNAPSHOT_DELETE Deleting snapshot local-home at revision 14
2024-06-05 18:12:32.528 INFO SNAPSHOT_DELETE Deleting snapshot local-home at revision 15
2024-06-05 18:12:34.838 ERROR CHUNK_DELETE Failed to fossilize the chunk 39035216fea1b2bf5f2764ea926fe30633a9772deead9f055957c765262c70b1: 403 Forbidden
Failed to fossilize the chunk 39035216fea1b2bf5f2764ea926fe30633a9772deead9f055957c765262c70b1: 403 Forbidden

Here are the permissions that the service account has for backing up files:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:DeleteObject",
        "s3:DeleteObjectVersion",
        "s3:GetObject",
        "s3:GetObjectAcl",
        "s3:GetObjectVersion",
        "s3:PutObject",
        "s3:PutObjectAcl"
      ],
      "Resource": "arn:aws:s3:::backup-folder/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListBucket"
      ],
      "Resource": "arn:aws:s3:::backup-folder"
    }
  ]
}

Like I said, I’m backing up to Wasabi. I know there are some differences between AWS S3 and Wasabi and I have verified that I have this configured as a Wasabi backup directory and I’m NOT using S3.

What permissions do I need to apply to my service account to avoid these fossilization errors?

jerome · 22 August 2024 20:41

Same issue here… Have you found a solution?

lyntux · 22 August 2024 21:00

No, but I’ve found a workaround. I basically used the nuclear option and gave my service account full control over the backup bucket.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::backup-folder/*"
    },
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::backup-folder"
    }
  ]
}

I’d rather use least-privileged access, but I don’t feel like trying to troubleshoot for days and days to fix this issue.

I’ve also considered contacting… OK, I’ll do it. Let me email Wasabi’s support team and see if they have any advice.

saspus · 23 August 2024 02:35

Have you configured wasabi as s3 or as wasabi?

lyntux · 23 August 2024 14:19

wasabi://

I can’t believe I forgot this, but Wasabi support reminded me that partial wildcard policies are a thing. I went back to my original policy and I tried three variants. Each variant used only one of the following lines, I haven’t tried them together yet.

Policy lines tried:
s3:Put*
s3:Delete*
s3:Replicate*

I’ve looked though the forums to try to figure out what Duplicacy is actually doing during the:

ERROR CHUNK_DELETE Failed to fossilize the chunk {BLAH}: 403 Forbidden

Step, but I can’t figure out what is meant by that.