XCP-ng
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    Backup to S3 aborted what permissions are required?

    Scheduled Pinned Locked Moved Xen Orchestra
    backupaws
    26 Posts 5 Posters 3.8k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • nraynaudN
      nraynaud XCP-ng Team @jensolsson.se
      last edited by

      @jensolsson-se yes, we have though of complicated solutions too, but we haven't yet really dug into it, because this is a backup situation, we'd like the state of things and failure modes to be manageable.

      J 1 Reply Last reply Reply Quote 0
      • J
        jensolsson.se @nraynaud
        last edited by jensolsson.se

        @nraynaud Makes sense to keep it simple.

        But this means that S3 backup in XO is currently broken, right, and I need to find some other way to back up my VMs for now.

        nraynaudN 1 Reply Last reply Reply Quote 0
        • nraynaudN
          nraynaud XCP-ng Team @jensolsson.se
          last edited by

          @jensolsson-se Can you use SMB, NFS or local backups? I don't think S3 has ever worked for anyone.

          J 1 Reply Last reply Reply Quote 0
          • J
            jensolsson.se @nraynaud
            last edited by

            @nraynaud yes i use nfs today. But would love to send it to the cloud somewhere as well.

            A 1 Reply Last reply Reply Quote 0
            • A
              alexredston @jensolsson.se
              last edited by

              @jensolsson-se

              I have backups working to S3 using IAM permissions and KMS on S3.

              Right now backing up a 1TB VM to S3 in an hour which is great.

              First thing - don't create the directory where the backups will be stored on S3 in advance, it will get created automatically or fail otherwise complaining that it should be empty

              Then you need the permissions:

              I created them in Json assigned to a group and assigned that to an IAM user to be used as a service account. Note the key that is referred to is a key which is a property of that IAM user, not to be confused with the symetric encryption key which will need to be assigned to your bucket.

              {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowBucketListing",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation",
                "s3:ListBucketVersions"
            ],
            "Resource": [
                "arn:aws:s3:::your-bucket-name-here",
                "arn:aws:s3:::your-bucket-name-here/*"
            ]
        },
        {
            "Sid": "AllowObjectOperations",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject",
                "s3:DeleteObjectVersion",
                "s3:ListBucketMultipartUploads",
                "s3:ListMultipartUploadParts",
                "s3:AbortMultipartUpload",
                "s3:GetObjectVersion",
                "kms:GenerateDataKey"
            ],
            "Resource": [
                "arn:aws:s3:::your-bucket-name-here/*",
                "arn:aws:s3:::your-bucket-name-here"
            ]
        },
        {
            "Sid": "AllowKeyAccess",
            "Effect": "Allow",
            "Action": [
                "kms:GenerateDataKey",
                "kms:Decrypt"
            ],
            "Resource": "arn:aws:kms:your-region-here:your-numeric-account-id-here:key/the-uuid-of-the-encryption-key-for-your-bucket-here"
        }
    ]
}
              A 1 Reply Last reply Reply Quote 0
              • A
                alexredston @alexredston
                last edited by

                Posted this as I personally found this configuration quite involved, and the permissions earlier in the thread were insufficient to make it work when using AWS KMS for bucket encryption as well as the XO provided encryption secret.

                1 Reply Last reply Reply Quote 0
                • First post
                  Last post