Using AWS Instance Profiles
In order to enable the use of AWS IAM Instance Profiles within the a9s Data Services it is necessary, aside from the prerequisites listed later on, to implement the following changes:
- Extend the BOSH cloud config with your AWS Instance Profile as a VM extension
- Enable the AWS Instance Profiles within the Service Instance itself, via an in-line custom Ops file.
- Attach the new VM extension to the
backup_manager
instance group in the a9s Backup Service's manifest - Add the
use_iam_profile
parameter to theplugin_configuration
section of theanynines-backup-manager
job and to theconfig
section ofbackup-monit
job, in the a9s Backup Service's manifest. - Remove the
aws_access_key_id
andaws_secret_access_key
parameters from theplugin_configuration
section of theanynines-backup-manager
and from theconfig
section ofbackup-monit
job, in the a9s Backup Service's manifest.
Prerequisites
- An AWS IAM Instance Profile with a role that has proper permisions to the bucket/container.
Extending the BOSH cloud config
You can extend the BOSH cloud config by executing the update-cloud-config
command alongside an Ops-file containing the
AWS IAM Instance Profile you have previously set up. An example Ops-file to extend the cloud config can be found here.
The command should look like the following example:
bosh update-cloud-config cloud-config.yml -o extend-cloud-config-with-aws-instance-profiles.yml
This adds an entry to the cloud config similar to the example below:
vm_extensions:
- cloud_properties:
iam_instance_profile: <iam_instance_profile_name>
name: <vm_extension_name>
The existing ops files are using backup_aws_instance_profile
as <vm_extension_name>
.
Extending the a9s Data Services' Templates
In order for the a9s Data Service instances to use the AWS IAM Instance Profiles it is necessary to extend them via a
service-specific Ops file (i.e., each service has its own Ops file). After applying this in-line Ops file, the
template-uploader
and the deployment-updater
errands must be executed, in that order.
The commands should look like the following example:
bosh -d <data_service> <data_service_manifest> -o <data_service>/ops/enable-service-instances-aws-instance-profiles.yml
bosh -d <data_service> run-errand template-uploader
bosh -d <data_service> run-errand deployment-updater
This adds an in-line Ops file similar to the example below:
- type: replace
path: /instance_groups/name=templates-uploader/jobs/name=template-uploader/properties/template-uploader/template-custom-ops?
value: |
- type: replace
path: /instance_groups/name=redis/vm_extensions?
value: [<vm_extension_name>]
The existing ops files are using backup_aws_instance_profile
as <vm_extension_name>
.
Extending the a9s PG Manifest
In order for a9s PG to use the AWS IAM Instance Profiles it is necessary to extend them via a service-specific Ops file.
The commands should look like the following example:
bosh -d a9s-pg a9s-pg.yml -o a9s-pg/ops/enable-service-instances-aws-instance-profiles.yml
- type: replace
path: /instance_groups/name=pg/vm_extensions?
value: [<vm_extension_name>]
The existing ops files are using backup_aws_instance_profile
as <vm_extension_name>
.
Extending the a9s Backup Service's Manifest
Before extending the a9s Backup Service's manifest, be sure to execute the steps described for the cloud config and the templates, in that order. If these steps are skipped/omitted the a9s Data Services will be unable to trigger backups or restore them.
To apply the necessary changes to the a9s Backup Service's manifest, you can refer to the example Ops-file here.
This Ops-file removes the unnecessary parameters, adds the use_iam_profile
parameter and attaches the vm_extension
section. Once the a9s Backup Service is redeployed, it will use the AWS IAM Instance Profile to fetch the necessary
credentials.