
Wasabi destination

Four steps to configure a Wasabi bucket and access key that walwarden writes backups to.

Walwarden supports Wasabi as a backup destination via the S3-compatible API. This page covers creating and configuring the bucket and the access key walwarden uses to write backups.

Walwarden supports the following parameters for this provider:

| Parameter | Description |
| --- | --- |
| endpointUrl | The HTTPS endpoint for your Wasabi region (for example, https://s3.us-east-1.wasabisys.com). See the region table below. |
| bucketName | The name of the Wasabi bucket (for example, my-company-walwarden-backups). |
| region | The Wasabi region slug (for example, us-east-1). Must match the endpoint URL. |
| accessKeyId | The Wasabi access key ID. |
| secretAccessKey | The corresponding Wasabi secret key. |
| retentionFloorDays | Minimum number of days each backup is retained under Object Lock. Must be between 1 and 365. |

Trust boundary note. Walwarden stores the access key for this destination. Unlike the AWS BYO S3 path (which uses short-lived AssumeRole session credentials), Wasabi keys are long-lived. Use a minimum-scope key (see step 3 below) and rotate it periodically. Revoke the key immediately if walwarden is ever compromised.

Preflight status. Wasabi destinations start in the unverified state. Run preflight after registration so walwarden can verify the access key, bucket access, Object Lock, versioning, public-access posture, encryption behavior, and retention writes.


Wasabi region endpoints

Use the endpoint matching the region your bucket is in. Mixing endpoint and region causes authentication failures.

| Region | Endpoint |
| --- | --- |
| US East 1 (N. Virginia) | https://s3.us-east-1.wasabisys.com |
| US East 2 (N. Virginia) | https://s3.us-east-2.wasabisys.com |
| US Central 1 (Texas) | https://s3.us-central-1.wasabisys.com |
| US West 1 (Oregon) | https://s3.us-west-1.wasabisys.com |
| EU Central 1 (Amsterdam) | https://s3.eu-central-1.wasabisys.com |
| EU Central 2 (Frankfurt) | https://s3.eu-central-2.wasabisys.com |
| EU West 1 (London) | https://s3.eu-west-1.wasabisys.com |
| EU West 2 (Paris) | https://s3.eu-west-2.wasabisys.com |
| AP Northeast 1 (Tokyo) | https://s3.ap-northeast-1.wasabisys.com |
| AP Northeast 2 (Osaka) | https://s3.ap-northeast-2.wasabisys.com |
| AP Southeast 1 (Singapore) | https://s3.ap-southeast-1.wasabisys.com |

Step 1: Create the bucket with Object Lock enabled

Wasabi Object Lock, like S3 Object Lock, must be enabled at bucket creation. You cannot enable it on an existing bucket.

  1. Log in to the Wasabi Console.
  2. Click Create Bucket.
  3. Enter a bucket name.
  4. Select your region.
  5. Under Object Locking, toggle it on.
  6. Click Create Bucket.

After creation, set the default retention mode to GOVERNANCE:

Using the AWS CLI with a Wasabi endpoint:

aws s3api put-object-lock-configuration \
  --bucket my-company-walwarden-backups \
  --object-lock-configuration '{
    "ObjectLockEnabled": "Enabled",
    "Rule": {
      "DefaultRetention": {
        "Mode": "GOVERNANCE",
        "Days": 30
      }
    }
  }' \
  --endpoint-url https://s3.us-east-1.wasabisys.com

Use GOVERNANCE mode, not COMPLIANCE. COMPLIANCE mode prevents even the account owner from deleting objects before the retention period ends, which creates operational risk if you need to recover storage.


Step 2: Block public access

By default, Wasabi buckets are private. Confirm the bucket has no public access policy applied. In the Wasabi Console, go to your bucket's Settings > Access Control and verify no public grants are in place.


Step 3: Create a minimum-scope sub-user and access key

Create a Wasabi sub-user for walwarden with a bucket-scoped policy.

In the Wasabi Console:

  1. Go to Access Management > Users and click Create User.
  2. Enter a username, for example walwarden-backup.
  3. Under Programmatic (Access Key/Secret Key), generate an access key. Note the access key ID and secret.

Create and attach a policy that grants only the permissions walwarden needs:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:HeadObject",
        "s3:DeleteObject",
        "s3:ListBucket",
        "s3:GetBucketLocation",
        "s3:GetBucketVersioning",
        "s3:GetObjectRetention",
        "s3:PutObjectRetention",
        "s3:GetObjectLegalHold",
        "s3:PutObjectLegalHold",
        "s3:ListBucketMultipartUploads",
        "s3:ListMultipartUploadParts",
        "s3:AbortMultipartUpload"
      ],
      "Resource": [
        "arn:aws:s3:::my-company-walwarden-backups",
        "arn:aws:s3:::my-company-walwarden-backups/*"
      ]
    }
  ]
}

Attach the policy to the sub-user.


Step 4: Register the destination in walwarden

  1. In the walwarden dashboard, go to Destinations > Add destination.
  2. Select Wasabi as the provider.
  3. Fill in:
    • Endpoint URL — the endpoint for your Wasabi region (for example, https://s3.us-east-1.wasabisys.com).
    • Bucket name — the bucket name from step 1.
    • Region — the Wasabi region slug (for example, us-east-1).
    • Access key ID — from step 3.
    • Secret access key — from step 3.
  4. Click Save.

The destination will appear in the unverified state. Run preflight from the destination detail page before attaching it to scheduled backups.


Common footguns

Endpoint and region slug do not match

The endpoint URL and region field must refer to the same Wasabi region. Using https://s3.us-east-1.wasabisys.com with region eu-central-1 will cause authentication failures. Copy both from the region table above together.

Object Lock not enabled at bucket creation

Wasabi, like AWS S3, does not allow enabling Object Lock on an existing bucket. If you created the bucket without Object Lock, delete it and re-create it with Object Lock on.

Using the root account key instead of a sub-user key

The root account has unrestricted access to all resources. Walwarden only needs access to one bucket. Always use a sub-user key with a bucket-scoped policy.

Wasabi egress charges in some regions

Wasabi's free egress policy applies when the destination of the traffic is not AWS. If you run walwarden on AWS and point it at a Wasabi bucket, some configurations may incur Wasabi egress charges. Review Wasabi's current pricing policy before choosing the region.

Forgot PutObjectRetention in the policy

Without PutObjectRetention, walwarden can write objects but cannot stamp the Object Lock retention hold on them. Preflight catches this. Add the action to the policy.
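
A local lint for the endpoint/region, sub-user scope and PutObjectRetention footguns above, written as an added example (it is not walwarden's own code or its preflight). The function name, the s3.<region>.wasabisys.com host pattern (inferred from the region table on this page), the REQUIRED subset and the sample input are assumptions of this example.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlparse

# Subset of the page's policy that backup writes under Object Lock depend on
# (chosen for this example; the page's full policy lists more actions).
REQUIRED = ("s3:PutObject", "s3:PutObjectRetention", "s3:GetObjectRetention")
# AWS S3 action name; assumed to mean the same on Wasabi's S3-compatible API.
BYPASS = "s3:BypassGovernanceRetention"

def as_list(value):
    return value if isinstance(value, list) else [value]

def lint_destination(cfg, policy):
    """Return findings for a destination config and sub-user policy ([] = clean)."""
    findings = []
    url = urlparse(cfg["endpointUrl"])
    if url.scheme != "https":
        findings.append("endpointUrl must be an https URL")
    if url.hostname != f"s3.{cfg['region']}.wasabisys.com":
        findings.append(f"endpoint host {url.hostname!r} does not match region {cfg['region']!r}")
    if not 1 <= cfg["retentionFloorDays"] <= 365:
        findings.append("retentionFloorDays must be between 1 and 365")
    bucket_arn = "arn:aws:s3:::" + cfg["bucketName"]
    granted = set()
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        granted.update(as_list(stmt["Action"]))
        for res in as_list(stmt["Resource"]):
            if res not in (bucket_arn, bucket_arn + "/*"):
                findings.append(f"resource outside the backup bucket: {res}")
    for need in REQUIRED:  # a wildcard grant such as s3:Put* also satisfies this
        if not any(fnmatchcase(need, pat) for pat in granted):
            findings.append(f"policy is missing {need}")
    for pat in sorted(granted):  # wildcards and retention bypass defeat minimum scope
        if "*" in pat or pat == BYPASS:
            findings.append(f"over-broad action for a backup key: {pat}")
    return findings

# Constructed sample input: the page's example bucket with deliberate mistakes.
BAD_CFG = {"endpointUrl": "https://s3.us-east-1.wasabisys.com", "region": "eu-central-1",
           "bucketName": "my-company-walwarden-backups", "retentionFloorDays": 30}
BAD_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObjectRetention", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::my-company-walwarden-backups", "arn:aws:s3:::*"]}]}

if __name__ == "__main__":
    for finding in lint_destination(BAD_CFG, BAD_POLICY):
        print("FINDING:", finding)
```

These checks only catch mistakes visible in the configuration and policy text; whether the key and bucket actually behave as configured is still for preflight to verify.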