# Permissions

This article lists the minimal permissions required for a **Wasabi** bucket to be used as backup storage in **GitProtect**. The policies below allow you to add your **Wasabi** storage to the **GitProtect** platform, store backup data, and restore it when needed.

***

## Wasabi bucket policy <a href="#wasabi_bucket_policy" id="wasabi_bucket_policy"></a>

Access keys are generated for each **Wasabi** user account. You can view the list of access keys by logging in to your **Wasabi** account and navigating to the **Access Keys** tab.

<figure><img src="https://696332517-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtsE6XtJyUIEKVdSxPlS3%2Fuploads%2FPgwWTmkEXyQRCSwSMVk1%2Fwasabiper1.png?alt=media&#x26;token=009a429b-b68a-4adb-8884-7b1f81cedf48" alt=""><figcaption></figcaption></figure>

To create a new user account or edit an existing one, go to the **Users** tab. In the **Policies** section, select **WasabiReadOnlyAccess** and **WasabiWriteOnlyAccess**, according to your needs.

<figure><img src="https://696332517-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtsE6XtJyUIEKVdSxPlS3%2Fuploads%2F4f8yu8CdqiKgbGLHGQZV%2Fwasabiper2.png?alt=media&#x26;token=31ef3dd3-ca8b-4ffe-865d-95133dbb47a8" alt=""><figcaption></figcaption></figure>

***

## Support for immutable storage <a href="#support_for_immutable_storage" id="support_for_immutable_storage"></a>

{% hint style="warning" %}
Remember that immutable storage configuration is available only when creating a new bucket — there is no option to enable it for an existing bucket.
{% endhint %}

{% hint style="danger" %}
Enabling retention and/or versioning for the bucket may result in additional data being stored. It is recommended that the retention period in **GitProtect** be longer than the one set for the storage. Otherwise, this may lead to storage overload.
{% endhint %}

If you want to use immutable storage, the following permissions are required:

{% code title="Required to read Object Lock" overflow="wrap" %}

```json
s3:GetBucketObjectLockConfiguration
```

{% endcode %}

{% code title="Required to read the versioning configuration" overflow="wrap" %}

```json
configuration.s3:GetBucketVersioning
```

{% endcode %}

It must be added to the **Action** section, and after the changes, the section should look as shown below:

```json
"Action": [
                    "s3:ListBucket",
                    "s3:GetObject",
                    "s3:PutObject",
                    "s3:DeleteObject",
		    "s3:GetBucketVersioning",
	            "s3:GetBucketObjectLockConfiguration"
               ],
```

{% code title="Example policy configuration" %}

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowPublicRead",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::100000176259:user/xone-storage"
      },
      "Action": [
        "s3:ListBucket",
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:GetBucketVersioning",
        "s3:GetBucketObjectLockConfiguration"
      ],
      "Resource": [
        "arn:aws:s3:::xopero-test/*",
        "arn:aws:s3:::xopero-test"
      ]
    }
  ]
}
```

{% endcode %}

> `arn:aws:iam::100000176259:user/xone-storage` — **Wasabi** user
>
> `arn:aws:s3:::xopero-test` — **Wasabi** bucket

## Useful links and items

{% embed url="<https://docs.wasabi.com/docs/bucket-policy>" %}

{% embed url="<https://wasabi.com/objectlock/>" %}


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://helpcenter.gitprotect.io/storage/cloud-storage/wasabi/permissions.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.