Version: Develop

Using AWS Instance Profiles

To use AWS IAM Instance Profiles with the a9s Data Services, the following changes are required in addition to the prerequisites listed below:

  • Extend the BOSH cloud config with your AWS Instance Profile as a VM extension.
  • Enable the AWS Instance Profiles within the Service Instances themselves, via an in-line custom Ops file.
  • Attach the new VM extension to the backup_manager instance group in the a9s Backup Service's manifest.
  • Add the use_iam_profile parameter to the plugin_configuration section of the anynines-backup-manager job and to the config section of the backup-monit job, in the a9s Backup Service's manifest.
  • Remove the aws_access_key_id and aws_secret_access_key parameters from the plugin_configuration section of the anynines-backup-manager job and from the config section of the backup-monit job, in the a9s Backup Service's manifest.

Prerequisites

  • An AWS IAM Instance Profile with a role that has proper permissions to the bucket/container.
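The prerequisite above does not spell out what "proper permissions" means. The following script is an added example (not part of the a9s documentation or the anynines project) that creates the role, a permissions policy scoped to a single backup bucket, and the instance profile with the AWS CLI. The profile name, the bucket name and the list of S3 actions are assumptions: the example grants list/get/put/delete on one bucket only, and you should trim or extend the action list to what the a9s backup plugin actually issues against your bucket.

```shell
#!/bin/sh
# Added example (not from the a9s documentation): least-privilege IAM role and
# instance profile for the backup_manager VMs. Names, bucket and the S3 action
# list are assumptions; adjust them to your environment.

# Trust policy: only EC2 instances may assume the role (required for instance profiles).
ec2_trust_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "ec2.amazonaws.com"},
    "Action": "sts:AssumeRole"
  }]
}
EOF
}

# Permissions policy scoped to one bucket: list the bucket and read/write/delete
# objects inside it, nothing else (no s3:* and no wildcard resource). $1 = bucket name.
backup_bucket_policy() {
  bucket="$1"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
      "Resource": "arn:aws:s3:::${bucket}"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
      "Resource": "arn:aws:s3:::${bucket}/*"
    }
  ]
}
EOF
}

# Creates the role, attaches the inline policy and wraps the role in an instance
# profile of the same name. $1 = role/profile name, $2 = bucket name.
# This function calls AWS; it only runs when the script is invoked with "apply".
create_backup_instance_profile() {
  name="$1"; bucket="$2"
  aws iam create-role --role-name "$name" \
    --assume-role-policy-document "$(ec2_trust_policy)"
  aws iam put-role-policy --role-name "$name" --policy-name "${name}-s3" \
    --policy-document "$(backup_bucket_policy "$bucket")"
  aws iam create-instance-profile --instance-profile-name "$name"
  aws iam add-role-to-instance-profile --instance-profile-name "$name" --role-name "$name"
}

# Usage: sh create-backup-profile.sh apply backup_aws_instance_profile my-backup-bucket
if [ "${1:-}" = "apply" ]; then
  create_backup_instance_profile "$2" "$3"
fi
```

The instance profile name you pass here is the value that later goes into `iam_instance_profile` in the cloud config VM extension. Keeping the policy bound to one bucket ARN means a compromised backup VM can reach only the backup data, not every bucket in the account.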

Extending the BOSH cloud config

You can extend the BOSH cloud config by executing the update-cloud-config command alongside an Ops-file containing the AWS IAM Instance Profile you have previously set up. An example Ops-file to extend the cloud config can be found here.

The command should look like the following example:

bosh update-cloud-config cloud-config.yml -o extend-cloud-config-with-aws-instance-profiles.yml

This adds an entry to the cloud config similar to the example below:

vm_extensions:
- cloud_properties:
    iam_instance_profile: <iam_instance_profile_name>
  name: <vm_extension_name>

Info: The existing Ops files use backup_aws_instance_profile as <vm_extension_name>.

Extending the a9s Data Services' Templates

In order for the a9s Data Service Instances to use the AWS IAM Instance Profiles it is necessary to extend them via a service-specific Ops file (i.e., each service has its own Ops file). After applying this in-line Ops file, the template-uploader and the deployment-updater errands must be executed, in that order.

The commands should look like the following example:

bosh -d <data_service> deploy <data_service_manifest> -o <data_service>/ops/enable-service-instances-aws-instance-profiles.yml
bosh -d <data_service> run-errand template-uploader
bosh -d <data_service> run-errand deployment-updater

This adds an in-line Ops file similar to the example below:

- type: replace
  path: /instance_groups/name=templates-uploader/jobs/name=template-uploader/properties/template-uploader/template-custom-ops?
  value: |
    - type: replace
      path: /instance_groups/name=keyvalue/vm_extensions?
      value: [<vm_extension_name>]

Info: The existing Ops files use backup_aws_instance_profile as <vm_extension_name>.

Extending the a9s-pg Manifest

In order for a9s-pg to use the AWS IAM Instance Profiles, its manifest must be extended via a service-specific Ops file.

The commands should look like the following example:

bosh -d a9s-pg deploy a9s-pg.yml -o a9s-pg/ops/enable-service-instances-aws-instance-profiles.yml

The Ops file attaches the VM extension to the pg instance group:

- type: replace
  path: /instance_groups/name=pg/vm_extensions?
  value: [<vm_extension_name>]

Info: The existing Ops files use backup_aws_instance_profile as <vm_extension_name>.

Extending the a9s Backup Service's Manifest

Caution: Before extending the a9s Backup Service's manifest, be sure to execute the steps described for the cloud config and the templates, in that order. If these steps are skipped, the a9s Data Services will be unable to trigger backups or restore them.

To apply the necessary changes to the a9s Backup Service's manifest, you can refer to the example Ops-file here.

This Ops-file removes the unnecessary parameters, adds the use_iam_profile parameter and attaches the vm_extension section. Once the a9s Backup Service is redeployed, it will use the AWS IAM Instance Profile to fetch the necessary credentials.
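Because the same manifest edit both enables the instance profile and removes the static keys, it is worth gating the redeploy on the rendered manifest actually reflecting both. The script below is an added example (not part of the a9s documentation or project): it checks a rendered a9s Backup Service manifest for leftover aws_access_key_id / aws_secret_access_key entries, for use_iam_profile being enabled in both the anynines-backup-manager and backup-monit jobs, and for a vm_extensions entry. The two sample manifests are constructed for the example; the property names are the ones this guide lists, and the YAML layout of the samples is an assumption.

```shell
#!/bin/sh
# Added example (not from the a9s documentation): pre-deploy gate for the rendered
# a9s Backup Service manifest. Exit 0 when clean, 1 when static credentials remain
# or the use_iam_profile / vm_extensions changes are incomplete.

check_backup_manifest() {
  manifest="$1"; rc=0
  # Static keys must be gone once the instance profile supplies credentials.
  if grep -nE 'aws_(access_key_id|secret_access_key)' "$manifest"; then
    echo "FAIL: static AWS credentials still present in $manifest"
    rc=1
  fi
  # The flag is expected once for anynines-backup-manager and once for backup-monit.
  n=$(grep -cE '^[[:space:]]*use_iam_profile:[[:space:]]*true' "$manifest" || true)
  if [ "$n" -lt 2 ]; then
    echo "FAIL: use_iam_profile: true found $n time(s), expected 2 (backup-manager and backup-monit)"
    rc=1
  fi
  # The backup_manager instance group needs the VM extension to get the profile.
  if ! grep -qE '^[[:space:]]*vm_extensions:' "$manifest"; then
    echo "FAIL: no vm_extensions entry found in $manifest"
    rc=1
  fi
  return $rc
}

# Constructed sample: manifest after the Ops file was applied (expected to pass).
write_good_manifest() {
  cat > "$1" <<'EOF'
instance_groups:
- name: backup_manager
  vm_extensions: [backup_aws_instance_profile]
  jobs:
  - name: anynines-backup-manager
    properties:
      plugin_configuration:
        use_iam_profile: true
        bucket: my-backup-bucket
  - name: backup-monit
    properties:
      config:
        use_iam_profile: true
EOF
}

# Constructed sample: keys left behind, backup-monit not updated, no VM extension
# (expected to fail).
write_bad_manifest() {
  cat > "$1" <<'EOF'
instance_groups:
- name: backup_manager
  jobs:
  - name: anynines-backup-manager
    properties:
      plugin_configuration:
        use_iam_profile: true
        aws_access_key_id: ((aws_access_key_id))
        aws_secret_access_key: ((aws_secret_access_key))
  - name: backup-monit
    properties:
      config:
        aws_access_key_id: ((aws_access_key_id))
EOF
}

# Usage: sh check-backup-manifest.sh /path/to/rendered-backup-manifest.yml
if [ -n "${1:-}" ]; then
  check_backup_manifest "$1"
fi
```

Run it against the output of `bosh interpolate` (with the same Ops files you pass to `bosh deploy`) before redeploying. After the redeploy, the attached profile can be confirmed from the backup_manager VM itself via the EC2 instance metadata endpoint (`http://169.254.169.254/latest/meta-data/iam/info`), which reports the instance profile the VM is running under.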