If, like us, you have multiple namespaces on a single PBS instance, you will want to create user and token permissions that grant access only to the specific namespace each token actually needs, in keeping with the principle of least privilege.
Once you have created a user and the API token for that user that you're going to authenticate with, you need to create the permissions that grant access only to the target namespace.
Let’s say you have a Datastore named “NVME0”. The user and token will need (non-propagated!) DatastoreAudit on the Datastore itself:
As will their token:
You then need to add DatastoreBackup on the namespace. You will have to type the namespace in manually after the /datastore/NVME0 path, so if your namespace is called “namespace”, the permissions would be granted on /datastore/NVME0/namespace:
You’re now ready to mount your namespace “namespace” directly on your PVE host using your API token.
(It’s probably worth mentioning that these permissions will *only* give the PVE host permission to write new backups and restore from existing backups, not to delete or prune backups that are on the PBS. We use scripts / policy on the PBS itself for deleting backups, to prevent an attacker who gets elevation / VM escape on the PVE cluster from being able to wipe the backups on the PBS systems, which run on separate hardware. If you are in an environment where this isn’t as important, you might grant more than “DatastoreBackup” on /datastore/NVME0/namespace to allow pruning/deletion to be managed directly from the PVE interface.)
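The same ACL entries can be created from a shell on the PBS host with `proxmox-backup-manager acl update` instead of the web UI. This is an added example, not part of the original post: the user `backup@pbs` and token name `pve` are assumed names, the namespace grant is given to both user and token because a token's effective permissions are limited to those of its owning user, and the namespace entries keep the default propagation since the post does not specify it.

```shell
#!/usr/bin/env bash
# Added example: prints the ACL commands for a namespace-scoped PBS user/token.
# Nothing is changed on the server; review the output, then run it on the PBS host.
# Assumed (not from the post): user "backup@pbs", token name "pve".

# usage: pbs_ns_acl_cmds DATASTORE NAMESPACE USER@REALM TOKENNAME
pbs_ns_acl_cmds() {
    local store=$1 ns=$2 user=$3 token=$4 part auth_id

    # An empty namespace would put DatastoreBackup on /datastore/<store>/ itself,
    # so refuse it. Nested namespaces (a/b) are not handled by this sketch.
    for part in "$store" "$ns" "$token"; do
        case $part in
            ''|*[!A-Za-z0-9_-]*)
                echo "invalid datastore, namespace or token name: '$part'" >&2
                return 1 ;;
        esac
    done
    case $user in
        *@*) ;;
        *) echo "user must be name@realm" >&2; return 1 ;;
    esac
    case $user in
        *[!A-Za-z0-9_.@-]*) echo "unexpected character in user" >&2; return 1 ;;
    esac

    # A token's auth-id is user@realm!tokenname. The '!' is kept in single
    # quotes so an interactive shell does not treat it as history expansion.
    for auth_id in "$user" "$user"'!'"$token"; do
        # Non-propagated audit on the datastore itself.
        printf "proxmox-backup-manager acl update /datastore/%s DatastoreAudit --auth-id '%s' --propagate false\n" \
            "$store" "$auth_id"
        # Backup/restore rights on the one namespace only.
        printf "proxmox-backup-manager acl update /datastore/%s/%s DatastoreBackup --auth-id '%s'\n" \
            "$store" "$ns" "$auth_id"
    done
}

# Constructed sample call using the datastore and namespace names from the post.
pbs_ns_acl_cmds NVME0 namespace 'backup@pbs' pve
```

After applying the printed commands, `proxmox-backup-manager acl list` shows the resulting entries so you can confirm that nothing was granted above the namespace path.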



