This post is for system administrators who support Arq on multiple computers. If that’s you, please read on!
IAM and Arq
If you need to install Arq on many computers using the same S3 account but you don’t want Arq to see the other computers’ backup data, use Amazon’s IAM (Identity and Access Management) to restrict what Arq sees.
The easiest way to do this is as follows:
- Use your main keys to install and configure Arq on a computer.
- Quit Arq and quit Arq Agent.
- Create an IAM user and capture its access key ID and secret access key.
- Look in (home)/Library/Arq/config/app_config.plist for the localS3BucketName and localComputerUUID values.
- Set up an IAM user with a policy that allows full access only to /<localComputerUUID> in the localS3BucketName, as well as “ListBucket” access (see example IAM policy below).
- Open the Keychain Access app and change the “Arq S3” entry’s Account and Password fields to the access key ID and secret access key of that IAM user.
- Launch Arq.
Example IAM Policy
For a computer with the following values:
- localS3BucketName = akiaiyuk3n3tme6l4hfa.comhaystacksoftwarearq
- localComputerUUID = 32D9D7A2-3B3E-4BE7-B85B-0605AF24F570
the IAM policy would look like this:
{
  "Statement": [
    {
      "Sid": "Stmt1344522941209",
      "Action": [
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::akiaiyuk3n3tme6l4hfacomhaystacksoftwarearq"
      ],
      "Condition": {
        "StringLike": {
          "s3:prefix": "32D9D7A2-3B3E-4BE7-B85B-0605AF24F570/*"
        }
      }
    },
    {
      "Sid": "Stmt1344522997713",
      "Action": [
        "s3:*"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::akiaiyuk3n3tme6l4hfacomhaystacksoftwarearq/32D9D7A2-3B3E-4BE7-B85B-0605AF24F570/*"
      ]
    }
  ]
}
The first statement grants “s3:ListBucket” on the user’s bucket, but only for list requests whose prefix matches 32D9D7A2-3B3E-4BE7-B85B-0605AF24F570/* (her computer UUID); a list request for any other prefix is denied.
The second statement grants all S3 actions, but only on objects whose keys start with akiaiyuk3n3tme6l4hfacomhaystacksoftwarearq/32D9D7A2-3B3E-4BE7-B85B-0605AF24F570/*, so the user cannot read or write another computer’s prefix.
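To see what the procedure above produces end to end, here is an added example (not Arq’s code and not part of the original post) that reads the two values from an app_config.plist, generates the per-computer policy, and runs a few requests through a minimal IAM-style evaluator so you can confirm the scoping before creating the user. The plist content is constructed inline with the post’s sample values; the "Version" field is the standard IAM policy version and the statement Sids are my own names. The evaluator only models Allow statements with wildcard matching and the StringLike/s3:prefix condition, which is enough to show why a request outside the computer’s UUID prefix, or a ListBucket call with no prefix at all, is denied by this policy.

```python
import json
import plistlib
from fnmatch import fnmatchcase

# Constructed stand-in for (home)/Library/Arq/config/app_config.plist.
# The real file has more keys; these two are the ones the policy needs.
SAMPLE_APP_CONFIG_PLIST = plistlib.dumps({
    "localS3BucketName": "akiaiyuk3n3tme6l4hfacomhaystacksoftwarearq",
    "localComputerUUID": "32D9D7A2-3B3E-4BE7-B85B-0605AF24F570",
})


def read_arq_identity(plist_bytes):
    """Return (bucket, uuid) from the plist's localS3BucketName / localComputerUUID keys."""
    cfg = plistlib.loads(plist_bytes)
    return cfg["localS3BucketName"], cfg["localComputerUUID"]


def build_policy(bucket, uuid):
    """Build the two-statement policy from the post: ListBucket restricted by
    prefix condition, plus s3:* on objects under the computer's own UUID prefix."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ListOwnPrefixOnly",  # hypothetical Sid
                "Effect": "Allow",
                "Action": ["s3:ListBucket"],
                "Resource": [bucket_arn],
                "Condition": {"StringLike": {"s3:prefix": f"{uuid}/*"}},
            },
            {
                "Sid": "FullAccessOwnPrefixOnly",  # hypothetical Sid
                "Effect": "Allow",
                "Action": ["s3:*"],
                "Resource": [f"{bucket_arn}/{uuid}/*"],
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource, prefix=None):
    """Minimal IAM-style evaluation: allow if any Allow statement matches the
    action and resource (with * wildcards) and its StringLike s3:prefix condition.
    As in IAM, a condition on s3:prefix fails when the request carries no prefix.
    Deny statements and other condition operators are not modelled."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        wanted_prefix = stmt.get("Condition", {}).get("StringLike", {}).get("s3:prefix")
        if wanted_prefix is not None:
            if prefix is None or not fnmatchcase(prefix, wanted_prefix):
                continue
        return True
    return False


def main():
    bucket, uuid = read_arq_identity(SAMPLE_APP_CONFIG_PLIST)
    policy = build_policy(bucket, uuid)
    print(json.dumps(policy, indent=2))
    own = f"arn:aws:s3:::{bucket}/{uuid}/objects/abc"
    other = f"arn:aws:s3:::{bucket}/OTHER-COMPUTER-UUID/objects/abc"
    print("own object:  ", is_allowed(policy, "s3:GetObject", own))
    print("other object:", is_allowed(policy, "s3:GetObject", other))
    print("list own:    ", is_allowed(policy, "s3:ListBucket", f"arn:aws:s3:::{bucket}", prefix=f"{uuid}/"))
    print("list other:  ", is_allowed(policy, "s3:ListBucket", f"arn:aws:s3:::{bucket}", prefix="OTHER/"))
    print("list root:   ", is_allowed(policy, "s3:ListBucket", f"arn:aws:s3:::{bucket}"))


if __name__ == "__main__":
    main()
```

Note that the evaluator also reports s3:ListAllMyBuckets as denied, since neither statement's resource matches the account-wide "arn:aws:s3:::*"; that is consistent with the comments below, where a separate ListAllMyBuckets statement on Resource "*" had to be added before Arq would start.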
Answer Files and IAM
For information on automating Arq configuration using answer files and IAM, please read the Arq manual’s Configuring Arq Using an Answer File section.
Can we do this with Glacier too?
I’m trying to figure out how to create group permissions for backups that my family can use (right now I’m planning to buy one license per computer, but I’d love a pointer to the ’5 pack’ everyone keeps mentioning).
I’d like to give them access to a bucket/vault in S3 and Glacier specifically for this purpose, but not let each see the other’s backup.
It doesn’t look like a group policy will work (since you need to filter on the computer UUID) but I can’t figure out what the glacier policy would look like (since it looks like the vaults don’t all prefix w/ the UUID).
Thanks!
Comment by Jay — January 6, 2013 @ 2:49 pm
Oh, also: my buckets don’t have “akiaiyuk3n3tme6l4hfacomhaystacksoftwarearq” in them.
They do end with “comhaystacksoftwarearq” but the jumble of text before that is different. I assume (and wanted to confirm for anyone reading this) that that line should change too.
Comment by Jay — January 6, 2013 @ 2:50 pm
I’m having “Error Denied” issues, similar to this post:
http://www.haystacksoftware.com/support/arqforum/topic.php?id=1160#post-2370
I was able to make it work w/ wide open permissions, hopefully confirming my user auth is correct, but the policy seems to have issues.
This is using both the (key).comhaystacksoftwarearq and the (key)comhaystacksoftwarearq syntax.
I haven’t figured out how to get S3 logs (I told it to log but it doesn’t appear to be doing so) so I’m sorry I can’t provide more info.
Comment by Jay — January 6, 2013 @ 3:38 pm
Here’s what seems to have worked (at least it’s not throwing the error anymore) although I still have to find something more restrictive for Glacier:
{
  "Statement": [
    {
      "Action": [ "glacier:*" ],
      "Effect": "Allow",
      "Resource": "arn:aws:glacier:us-east-1:(GLACIER#):*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:ListAllMyBuckets",
        "s3:GetBucketAcl",
        "s3:GetBucketVersioning",
        "s3:GetBucketRequestPayment",
        "s3:GetBucketLocation",
        "s3:GetBucketPolicy",
        "s3:ListBucketMultipartUploads"
      ],
      "Resource": "*",
      "Condition": {}
    },
    {
      "Action": [ "s3:*" ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::(AWS#)comhaystacksoftwarearq/(COMPUTER_UUID)/*"
      ]
    }
  ]
}
Comment by Jay — January 6, 2013 @ 4:04 pm
I found these permissions were not enough on their own. I had to add an extra one “ListAllMyBuckets”:
{
  "Sid": "Stmt1357503196979",
  "Action": [
    "s3:ListAllMyBuckets"
  ],
  "Effect": "Allow",
  "Resource": [
    "*"
  ]
}
Comment by Paul Richards — January 6, 2013 @ 4:23 pm
Just a last [hopefully] heads up that I had to explicitly add another policy.
I received this error:
User: arn:aws:iam::462249308410:user/Somebody is not authorized to perform: glacier:ListVaults on resource: arn:aws:glacier:us-west-1:(GLACIER#):vaults/
So I added
{
  "Action": [ "glacier:ListVaults" ],
  "Effect": "Allow",
  "Resource": "arn:aws:glacier:us-east-1:(GLACIER#):*"
},
Comment by Jay — January 12, 2013 @ 11:34 pm
These are the AWS transactions I see from ARQ while uploading and downloading from a Glacier store.
AmazonGlacier CreateVault
AmazonGlacier DeleteArchive
AmazonGlacier GetJobOutput
AmazonGlacier GetVaultNotifications
AmazonGlacier InitiateJob
AmazonGlacier ListVaults
AmazonGlacier UploadArchive
AmazonS3 CreateBucket
AmazonS3 GetObject
AmazonS3 HeadObject
AmazonS3 ListAllMyBuckets
AmazonS3 ListBucket
AmazonS3 PutObject
AmazonS3 ReadLocation
AmazonS3 ReadVersioningProps
AmazonS3 StandardStorage
AmazonSNS CreateTopic
AmazonSNS GetTopicAttributes
AmazonSNS ListSubscriptions
AmazonSNS ListSubscriptionsByTopic
AmazonSNS ListTopics
AmazonSNS Notification
AmazonSNS Publish
AmazonSNS Subscribe
AWSQueueService Create
AWSQueueService DeleteMessage
AWSQueueService DeleteQueue
AWSQueueService GetQueueAttributes
AWSQueueService List
AWSQueueService Receive
AWSQueueService Send
AWSQueueService SetQueueAttributes
Comment by glen — January 17, 2013 @ 1:13 pm