Amazon S3 not authorized iam:GetUser

I have struck a problem setting up a Duplicati backup to Amazon S3 from Windows. I have set up the AWS User and Bucket in similar fashion to other working configs. However, when clicking “Test Connection” on the Duplicati Backup Destination form I am confronted with the error:
"User: arn:aws:iam::XXXXXXXXXXXX:user/ABC is not authorized to perform: iam::GetUser on resource: user ABC"

My working Duplicati/Amazon configs are all on Ubuntu laptops and this is the first time I have attempted to configure a Duplicati/Amazon backup from a Windows laptop.

Curiously, “Test Connection” is successful with this User and Bucket from a Ubuntu laptop, but generates the error when configured on a Windows laptop.

I note that on Windows (not Ubuntu) the Duplicati Backup Destination Form includes a “Client Library to Use” but neither option (Amazon AWS SDK | Minio SDK) resolves the error.

Windows 10 Home
Duplicati - 2.0.5.1_beta_2020-01-18

I would be grateful to know how to resolve this issue! Thanks in advance…

I was able to replicate this error on Ubuntu with Duplicati - 2.0.5.1_beta_2020-01-18

I was also able to resolve this issue on both Windows and Ubuntu by reverting to Duplicati - 2.0.4.23_beta_2019-07-14

Hence it would appear that this error relates to Duplicati - 2.0.5.1_beta_2020-01-18

I encountered the same issue on two different (Windows) machines. One was an upgrade from the previous Duplicati version, the other had a fresh Duplicati installation. The two machines used two different S3 buckets, which were configured similarly, though.

The good news: the error message affected the connection test only. Once I ignored it and continued configuring the connection, the actual backup process ran smoothly.

Thank you Helge. I have confirmed that the current Duplicati version does indeed work on my Ubuntu setup (despite reporting a failed connection test).

Still seeing this behavior on Windows Server 2019 running Duplicati - 2.0.5.1_beta_2020-01-18. Test fails with the same error, but the backup completes successfully.

Found same error message in Linux/Ubuntu Duplicati - 2.0.5.1_beta_2020-01-18.

Attempting to access backups on a temporary Linux machine, where the backups were created by a Windows machine. The Windows machine has always reported successful backups. Restores on the same Windows machine have been successful (last restore was over a year ago, though). The Windows version of Duplicati was updated within the past three months.

Error message was in response to “Test connection” upon filling in the form for the “Direct restore from backup files …”

Error message reads: “User: arn:aws:iam::XXXXXXXXXXXX:user/UUUUUUUUUUUUUUUUUU is not authorized to perform: iam:GetUser on resource: user UUUUUUUUUUUUUUUUUU”

As an aside, the "Restore from configuration… " option also failed. Upon attempting to import the configuration file, Duplicati just sat there, “Importing…” doing apparently nothing. No crash; app was still responsive to user. Related, or shared, root cause?

Disappointing: same behaviour on a Docker container on Linux: linuxserver/duplicati = version-v2.0.6.1-2.0.6.1_beta_2021-05-03.

Haven’t tried the backup. Not sure I want to be using something that is giving false positives/positive falses.

Following up on this. I just installed 2.0.6.3_beta_2021-06-17 and I am getting the same error. As noted above, it still seems to work, but the Test Connection throws this iam:getuser error consistently.

I just went to set this up yesterday and ran into the test connection issue. You just need to add permissions to the AWS policy for iam:GetUser. Here is an example:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:ListBucket",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::duplicati-bucket",
                "arn:aws:s3:::duplicati-bucket/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:GetUser"
            ],
            "Resource": [
                "arn:aws:iam::000000000000:user/duplicati-user"
            ]
        }
    ]
}

000000000000 is your AWS account ID; get it when logged into the AWS console, in the top right of the browser. Change the bucket references to match your buckets and user. Once I applied this policy the test connection and backup worked just fine.

3 Likes

Thank you @seanwo - I had the same problem, and through hitting the test button multiple times, figured out that I had an IAM permissions problem. I did mostly what you have here; but what I found on the web was more permissive than this, so I probably ought to go back and lock that down.

1 Like
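
Added example, not part of the thread and not Duplicati or AWS code: a Python check that compares an IAM policy document with the scoped policy posted above and lists every grant that goes beyond it, which is the "lock that down" step the last reply mentions. The `BROAD` policy is a constructed sample, the bucket, user and account ID are the placeholders from the posted policy, and `audit`, `NEEDED`, `BUCKET` and `USER_ARN` are names chosen for this example.

```python
import json
import sys
from pathlib import Path

# Actions granted by the scoped policy in the thread, lowercased because IAM
# matches action names case-insensitively.
NEEDED = {"s3:getobject", "s3:putobject", "s3:listbucket", "s3:deleteobject", "iam:getuser"}
BUCKET = "duplicati-bucket"                                  # placeholder from the post
USER_ARN = "arn:aws:iam::000000000000:user/duplicati-user"   # placeholder from the post

def as_list(value):
    return value if isinstance(value, list) else [value]

def audit(policy, bucket=BUCKET, user_arn=USER_ARN):
    """Return one finding per grant that is broader than the scoped policy."""
    scoped = {"s3": {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"},
              "iam": {user_arn}}
    findings = []
    for n, stmt in enumerate(as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {n}: NotAction/NotResource allows everything not listed")
            continue
        for action in as_list(stmt.get("Action", [])):
            service = action.split(":", 1)[0].lower()
            if "*" in action or "?" in action:
                findings.append(f"statement {n}: wildcard action {action}")
            elif action.lower() not in NEEDED:
                findings.append(f"statement {n}: extra action {action}")
            for res in as_list(stmt.get("Resource", [])):
                if res not in scoped.get(service, set()):
                    findings.append(f"statement {n}: {action} allowed on {res}")
    return findings

# The policy from the post, unchanged.
SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket", "s3:DeleteObject"],
     "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"]},
    {"Effect": "Allow", "Action": ["iam:GetUser"], "Resource": [USER_ARN]}]}

# Constructed sample of a broader policy, for comparison.
BROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["iam:GetUser", "iam:ListUsers"], "Resource": "*"}]}

if __name__ == "__main__":
    # Audit a policy file given on the command line, else the constructed sample.
    doc = json.loads(Path(sys.argv[1]).read_text()) if len(sys.argv) > 1 else BROAD
    print("\n".join(audit(doc)) or "no findings")
```

The check compares resources by exact string match and ignores `Condition` blocks, so it errs on the side of reporting a grant rather than passing it.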