Access Key Configuration

The Bacula Enterprise Amazon EC2 Plugin requires an AWS IAM service user with the specific set of permissions outlined below.

This user must then create an access key, which is configured through fileset parameters. This configuration enables the plugin to retrieve or write data during backup or restore operations.

This plugin needs the following set of permissions to work appropriately:

- Full EC2 service permissions for the target instances
- Full EBS service permissions for the target volumes
- Full S3 service permissions, so snapshots of the volumes can be created and removed
- Full SSM service permissions, so images can be discovered using their associated tag paths (ssm:image/tag/path), and not only by their ids

To obtain complete EBS permissions, it is typically required to create a new policy via the IAM > Policies menu, as illustrated in the image below.

New Policy for all EBS Permissions


Viewed as JSON, the policy contents should look like those shown in the following image:

EBS Policy contents in JSON


Upon obtaining the EBS Policy, we can combine it with the existing policies for S3 and EC2 in order to grant a user the relevant permissions. The newly created EBS policy can be easily located using the search toolbar, along with the other two:

EBS search policy

Note

It is recommended to create a new specific user for this plugin.

Permissions for the configured user should look like those shown in the following image:

User permissions

Amazon EC2 IAM User Permissions
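
One way to check the policies attached to the user against the four permission sets listed above, as an added example that is not part of the Bacula documentation. The policy documents are constructed samples, the function names are hypothetical, and the mapping of the four services to the IAM action prefixes ec2, ebs, s3 and ssm is an assumption.

```python
import json

# IAM action prefixes assumed for the four services the plugin needs.
REQUIRED_SERVICES = ("ec2", "ebs", "s3", "ssm")

# Constructed sample: policy documents attached to the plugin's user.
SAMPLE_POLICIES = [json.loads(p) for p in (
    '{"Version": "2012-10-17", "Statement": '
    '[{"Effect": "Allow", "Action": "ebs:*", "Resource": "*"}]}',
    '{"Version": "2012-10-17", "Statement": '
    '{"Effect": "Allow", "Action": ["ec2:*", "s3:*"], "Resource": "*"}}',
    '{"Version": "2012-10-17", "Statement": '
    '[{"Effect": "Allow", "Action": ["ssm:GetParameter"], "Resource": "*"}]}',
)]

def _as_list(value):
    """IAM accepts either one value or a list for Statement/Action/Resource."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]

def full_access_services(policies):
    """Map each required service granted '<svc>:*' (or '*') to its resources."""
    granted = {}
    for doc in policies:
        for stmt in _as_list(doc.get("Statement")):
            if stmt.get("Effect") != "Allow":
                continue
            # Action names are case-insensitive in IAM.
            actions = {a.lower() for a in _as_list(stmt.get("Action"))}
            for svc in REQUIRED_SERVICES:
                if "*" in actions or f"{svc}:*" in actions:
                    granted.setdefault(svc, set()).update(
                        _as_list(stmt.get("Resource")))
    return {svc: sorted(res) for svc, res in granted.items()}

def missing_services(policies):
    """Required services with no full-access Allow statement."""
    granted = full_access_services(policies)
    return [svc for svc in REQUIRED_SERVICES if svc not in granted]

if __name__ == "__main__":
    print("full access:", full_access_services(SAMPLE_POLICIES))
    print("missing:", missing_services(SAMPLE_POLICIES))
```

The check only reads Allow statements; explicit Deny statements and permission boundaries are not evaluated.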

Once the user exists, go to ‘Access keys’ and create a new key:

Access key

Amazon EC2 Access Key

The ID of the key (AKIAQV… in the image) and its associated secret are the values to configure in the plugin fileset as the ‘access_key’ and ‘access_secret’ parameters. Adding the ‘region’ parameter as well should be enough to allow the plugin to connect to the target dataset to protect.
