The backup storage account does not have enough permissions (code 1068)

Situation

A backup or restore plan failed with the following error message: "The backup storage account does not have enough permissions to create temporary credentials". The root cause of the issue is reported in the error message.

Cause

This error will be reported when the backup storage cannot be accessed. The following causes can result in this issue:

  • The access credentials have become invalid. The credentials might have been changed, or the storage account might have been disabled, after the backup was started.
  • User access to the backup storage is not properly configured in Management Console.
  • AWS S3, Wasabi: IAM policy is removed, invalid, or cannot be accessed.
  • AWS S3: There is no permission for creating temporary credentials/federation token.

Solutions

  1. Check if the user or provider accounts are enabled
  2. Check the storage account credentials
  3. AWS S3, Wasabi: Check whether the IAM policy is valid
  4. AWS S3: Check if the GetFederationToken permission is granted (if an IAM Role is not used and the storage account is accessed using Access/Secret keys)

Solution 1. How to check whether the user or provider accounts are enabled

User Account

  1. On Organization > Users find the required user. Use search or filtering to simplify the search.
  2. Click the username to access the side panel.

  3. On the Personal Info tab, check if the user is enabled. Enable the user, if necessary.

Administrator/Provider Account

  1. On Organization > Administrators find the required account. Use search or filtering to simplify the search.
  2. Click the account name to access the side panel.

  3. On the General tab, check if the account has a valid license.

Solution 2. How to check the storage account availability

Check if the storage account is available

On Backup > Storage account find the storage account.

If the storage account is not found, add it again using the Add Account button.

Provide the valid credentials for the storage account.

Expand actions and click Change Credentials.

Provide the required credentials. The required credentials depend on the selected storage provider.

Check if the storage account is associated with the user

  1. On Organization > Users find the required user. Use search or filtering to simplify the search.
  2. Click the username to access the side panel.

  3. On the Backup Destinations tab, check if the storage account that is used for the backup is available for the user account. Add a storage account, if necessary. To add an account, click + Add New.

Solution 3. Check whether IAM user policy is valid

Refer to AWS Documentation to validate the IAM user policy.

Solution 4. AWS S3 storage account

Refer to AWS Documentation for instructions on how to grant GetFederationToken permission properly.
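
An offline way to check an exported IAM policy document for this permission, as an added example that is not part of the original article or the product. The sample policies, the bucket name, and the function names are constructed, and the check is simplified: it ignores Condition and Resource elements as well as permission boundaries and organization-level policies.

```python
import fnmatch
import json

REQUIRED_ACTION = "sts:GetFederationToken"

def _as_list(value):
    # IAM allows a single string/object where a list is expected
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _matches(patterns, action):
    # Action names are case-insensitive; * and ? act as wildcards
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def federation_token_status(policy_json, action=REQUIRED_ACTION):
    """Return 'allowed', 'denied' (explicit Deny) or 'missing' (no Allow)."""
    allowed = False
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if "NotAction" in stmt:
            hit = not _matches(_as_list(stmt["NotAction"]), action)
        else:
            hit = _matches(_as_list(stmt.get("Action")), action)
        if not hit:
            continue
        if stmt.get("Effect") == "Deny":
            return "denied"  # an explicit Deny always overrides any Allow
        if stmt.get("Effect") == "Allow":
            allowed = True
    return "allowed" if allowed else "missing"

# Constructed sample policies (bucket name is a placeholder)
S3_STATEMENT = {"Effect": "Allow",
                "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject"],
                "Resource": ["arn:aws:s3:::example-backup-bucket",
                             "arn:aws:s3:::example-backup-bucket/*"]}
STS_STATEMENT = {"Effect": "Allow", "Action": "sts:GetFederationToken", "Resource": "*"}

S3_ONLY = json.dumps({"Version": "2012-10-17", "Statement": S3_STATEMENT})
WITH_STS = json.dumps({"Version": "2012-10-17",
                       "Statement": [S3_STATEMENT, STS_STATEMENT]})
DENIED = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "sts:Get*", "Resource": "*"}]})

if __name__ == "__main__":
    for name, doc in (("S3_ONLY", S3_ONLY), ("WITH_STS", WITH_STS), ("DENIED", DENIED)):
        print(name, federation_token_status(doc))
```

A result of "missing" or "denied" for the policy attached to the Access/Secret key user corresponds to the GetFederationToken cause listed above.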
