Using Arq with IAM

By

August 23rd, 2012

This post is for system administrators who support Arq on multiple computers. If that’s you, please read on!

IAM and Arq

If you need to install Arq on many computers using the same S3 account but you don’t want Arq to see the other computers’ backup data, use Amazon’s IAM (Identity and Access Management) to restrict what Arq sees.

The easiest way to do this is as follows:

  1. Use your main keys to install and configure Arq on a computer.
  2. Quit Arq and quit Arq Agent.
  3. Create an IAM user and capture its access key ID and secret access key.
  4. Look in (home)/Library/Arq/config/app_config.plist for the localS3BucketName and localComputerUUID values.
  5. Set up an IAM user with a policy that allows full access only to /<localComputerUUID> in the localS3BucketName, as well as “ListBucket” access (see example IAM policy below).
  6. Open the Keychain Access app and change the “Arq S3″ entry’s Account and Password fields to the access key ID and secret access key of that IAM user.
  7. Launch Arq.

Example IAM Policy

For computer with the following values:

  • localS3BucketName = akiaiyuk3n3tme6l4hfa.comhaystacksoftwarearq
  • localComputerUUID = 32D9D7A2-3B3E-4BE7-B85B-0605AF24F570

the IAM policy would look like this:

{
 "Statement": [
   {
     "Sid": "Stmt1344522941209",
     "Action": [
       "s3:ListBucket"
     ],
     "Effect": "Allow",
     "Resource": [
       "arn:aws:s3:::akiaiyuk3n3tme6l4hfacomhaystacksoftwarearq"
     ],
     "Condition": {
       "StringLike": {
         "s3:prefix": "32D9D7A2-3B3E-4BE7-B85B-0605AF24F570/*"
       }
     }
   },
   {
     "Sid": "Stmt1344522997713",
     "Action": [
       "s3:*"
     ],
     "Effect": "Allow",
     "Resource": [
       "arn:aws:s3:::akiaiyuk3n3tme6l4hfacomhaystacksoftwarearq/32D9D7A2-3B3E-4BE7-B85B-0605AF24F570/*"
     ]
   }
 ]
}

The first part gives “s3:ListBucket” permission for the user’s bucket, but only with a prefix starting with 32D9D7A2-3B3E-4BE7-B85B-0605AF24F570/* (her UUID).

The second part gives permission for all actions for resources starting with akiaiyuk3n3tme6l4hfacomhaystacksoftwarearq/32D9D7A2-3B3E-4BE7-B85B-0605AF24F570/*.

Answer Files and IAM

For information on automating Arq configuration using answer files and IAM, please read the Arq manual’s Configuring Arq Using an Answer File section.

Tags: , , ,