Velero: Document required IAM permissions

Created on 16 Aug 2017 · 8 Comments · Source: vmware-tanzu/velero

I understand that ARK is a moving target at this point, so it may not be advisable yet, but it would be helpful in Cloud Provider Specifics to catalog the required IAM policies necessary for the project to operate effectively.

As it stands now, the permissions are overly permissive. Paring them down to what's needed would reduce the friction of deploying ARK in a "real" environment.

Labels: Area/Cloud/AWS, P1 - Important

All 8 comments

Cc @mattmoyer

@jrnt30 thanks for filing this. It's definitely something I would like to tackle. We can probably take an evidence-based approach working backwards from CloudTrail logs. We might also generate separate IAM policies for backup-only and restore-only modes.
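The CloudTrail-driven approach suggested in the comment above, as an added example that is not part of this thread or of Ark/Velero itself: it derives the IAM actions a role actually exercised from CloudTrail records, diffs that set against what a policy grants, and flags Allow statements scoped to `Resource: "*"`. The records, the abridged copy of the thread's policy and the small `API_TO_IAM` translation table are constructed for the example.

```python
import json

# Constructed CloudTrail records (not real logs), trimmed to the fields read here. CloudTrail
# logs the API call name; API_TO_IAM maps the S3 calls whose name differs from the IAM action.
SAMPLE_TRAIL = {"Records": [
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeVolumes"},
    {"eventSource": "ec2.amazonaws.com", "eventName": "CreateSnapshot"},
    {"eventSource": "ec2.amazonaws.com", "eventName": "CreateTags"},
    {"eventSource": "s3.amazonaws.com", "eventName": "ListObjectsV2"},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject"},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
]}
API_TO_IAM = {"s3:ListObjects": "s3:ListBucket", "s3:ListObjectsV2": "s3:ListBucket",
              "s3:HeadBucket": "s3:ListBucket"}

# Abridged copy of the policy posted in the thread; the full document drops in unchanged.
POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "ec2", "Effect": "Allow", "Resource": ["*"],
   "Action": ["ec2:DescribeVolumes", "ec2:CreateSnapshot", "ec2:DeleteSnapshot",
              "ec2:CreateTags", "ec2:AttachVolume", "ec2:ImportSnapshot"]},
  {"Sid": "s3", "Effect": "Allow", "Resource": ["arn:aws:s3:::ark-backups-*"],
   "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject", "s3:DeleteObject",
              "s3:GetObjectVersionTorrent", "s3:PutObjectAcl"]}]}""")

def as_list(value):
    """IAM allows Action/Resource to be a single string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)

def used_actions(trail):
    """IAM actions exercised according to CloudTrail, as service:Action strings."""
    used = set()
    for rec in trail["Records"]:
        call = rec["eventSource"].split(".")[0] + ":" + rec["eventName"]
        used.add(API_TO_IAM.get(call, call))
    return used

def granted_actions(policy):
    """Every action granted by an Allow statement in the policy."""
    granted = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow":
            granted.update(as_list(stmt["Action"]))
    return granted

def unused_grants(policy, trail):
    """Granted but never observed: the first candidates to cut from the policy."""
    return sorted(granted_actions(policy) - used_actions(trail))

def unscoped_statements(policy):
    """Sids of Allow statements whose Resource is '*', i.e. not scoped at all."""
    return [s["Sid"] for s in policy["Statement"]
            if s.get("Effect") == "Allow" and "*" in as_list(s.get("Resource", []))]
```

Object-level S3 calls (GetObject, PutObject, DeleteObject) only appear in CloudTrail when data events are enabled for the bucket, so confirm that before treating an unobserved s3:* object action as unused.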

Is there anything preliminary on this? I'm about to set up a new AWS IAM role for ark and can't really go to prod with it having full EC2 privs.

It needs to be able to list the contents of an S3 bucket, put objects, get objects, delete objects. It needs to be able to describe EBS volumes, create EBS volumes, create EBS snapshots, delete EBS snapshots. There may be more, but that should cover most of it.

Does it need to be able to create arbitrary buckets or can it be limited to just the one it's given in the config?

Seems to be working, here's the policy I made, for reference:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1510099580000",
            "Effect": "Allow",
            "Action": [
                "ec2:AttachVolume",
                "ec2:CopySnapshot",
                "ec2:DescribeVolumeAttribute",
                "ec2:DescribeVolumesModifications",
                "ec2:DescribeVolumeStatus",
                "ec2:DescribeVolumes",
                "ec2:DetachVolume",
                "ec2:CreateSnapshot",
                "ec2:DeleteSnapshot",
                "ec2:ImportSnapshot",
                "ec2:CreateTags"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Stmt1510099762000",
            "Effect": "Allow",
            "Action": [
                "s3:AbortMultipartUpload",
                "s3:DeleteObject",
                "s3:DeleteObjectVersion",
                "s3:GetBucketAcl",
                "s3:GetBucketLocation",
                "s3:GetBucketPolicy",
                "s3:GetBucketTagging",
                "s3:GetBucketVersioning",
                "s3:GetObject",
                "s3:GetObjectAcl",
                "s3:GetObjectTagging",
                "s3:GetObjectVersion",
                "s3:GetObjectVersionTagging",
                "s3:GetObjectVersionTorrent",
                "s3:GetReplicationConfiguration",
                "s3:ListBucket",
                "s3:ListBucketMultipartUploads",
                "s3:ListBucketVersions",
                "s3:ListMultipartUploadParts",
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:PutObjectTagging",
                "s3:PutObjectVersionAcl",
                "s3:PutObjectVersionTagging"
            ],
            "Resource": [
                "arn:aws:s3:::ark-backups-*"
            ]
        }
    ]
}

I'll try paring it down further and see what breaks.

Does it need to be able to create arbitrary buckets or can it be limited to just the one it's given in the config?

No, Ark does not create buckets.

Fixed by #363