Discussions related to using object storage as a backup target.
Post Reply
brunom
Novice
Posts: 5
Liked: never
Joined: May 05, 2020 9:40 am
Contact:

How to Rotate Cloud credentials

Post by brunom »

Hi, "Changing access keys (which consist of an access key ID and a secret access key) on a regular schedule is a well-known security best practice". Via https://aws.amazon.com/blogs/security/h ... iam-users/

How do you do this in your Veeam setups? I know we could use PowerShell + AWS + Veeam Cmdlets.
Is there any hidden flag in Veeam B&R which does this for us?
Is this a feature Veeam would be willing to implement?

Regards
sfirmes
Veeam Software
Posts: 193
Liked: 105 times
Joined: Jul 24, 2018 8:38 pm
Full Name: Stephen Firmes
Contact:

Re: How to Rotate Cloud credentials

Post by sfirmes »

@brunom Welcome to the forums. If you change your access key/secret key, you can either update the existing credentials for your object storage repository or you can create a new set of credentials and use those for your object storage repository.

Hope this answers your question.

Steve
Senior Solutions Architect, Product Management - Alliances @ Veeam Software
brunom
Novice
Posts: 5
Liked: never
Joined: May 05, 2020 9:40 am
Contact:

Re: How to Rotate Cloud credentials

Post by brunom »

I should have added this: We want this to be done automatically on a regular schedule. For example every other week without having to do this manually.
dalbertson
Veeam Software
Posts: 492
Liked: 175 times
Joined: Jul 21, 2015 12:38 pm
Full Name: Dustin Albertson
Contact:

Re: How to Rotate Cloud credentials

Post by dalbertson » 1 person likes this post

Use powershell and setup an automated weekly task in windows

https://helpcenter.veeam.com/docs/backu ... ml?ver=100
Dustin Albertson | Director of Product Management - Cloud & Applications | Veeam Product Management, Alliances
brunom
Novice
Posts: 5
Liked: never
Joined: May 05, 2020 9:40 am
Contact:

Re: How to Rotate Cloud credentials

Post by brunom »

Any way to retrieve the SecretAccessKeyfrom Veeam using scripts? Sadly Get-VBRAmazonAccount doesn't return the SecretAccessKey :/
The task works fine the way we implemented it (using the aws credentials in the user profile). But would prefer to not have to store/retrieve the SecretAccessKey to/from anywhere else.
veremin
Product Manager
Posts: 20258
Liked: 2248 times
Joined: Oct 26, 2012 3:28 pm
Full Name: Vladimir Eremin
Contact:

Re: How to Rotate Cloud credentials

Post by veremin »

No, there is no way to do that. As far as I remember, even Amazon allows you to get secret access key only during its creation. Thanks!
oleg.feoktistov
Veeam Software
Posts: 1889
Liked: 631 times
Joined: Sep 25, 2019 10:32 am
Full Name: Oleg Feoktistov
Contact:

Re: How to Rotate Cloud credentials

Post by oleg.feoktistov »

I doubt it would be very secure to have a way to retrieve it other than from the file AWS allows you to download upon access key creation.

@veremin, exactly so.

Code: Select all

MacBook-Air-3:.aws olegfeoktistov$ aws iam list-access-keys --user-name xxxx
{
    "AccessKeyMetadata": [
        {
            "UserName": "xxxx",
            "AccessKeyId": "XXXXXXXXXXXXXXXXXXXX",
            "Status": "Active",
            "CreateDate": "2020-05-11T19:02:56+00:00"
        }
    ]
}
How SecretAccessKey property from, let's say, Get-VBRAmazonAccount could be of any help in your case anyway?
brunom
Novice
Posts: 5
Liked: never
Joined: May 05, 2020 9:40 am
Contact:

Re: How to Rotate Cloud credentials

Post by brunom »

The Amazon PowerShell stores the accesskey and secretkey on the local computer and you can retrieve the secretkey from them, too.

What the scripts does right now to rotate the key:
1. New-IAMAccessKey # create new key on aws
2. Remove-IAMAccessKey # remove old key on aws
3. Set-AWSCredential # update aws credentials in local profile with new AccessKey / SecretKey
4. Set-VBRAmazonAccount # update aws credentials in veeam

If we could get the "SecretAccessKey property from, let's say, Get-VBRAmazonAccount" I would not permanently store the credentials in the local user profile anymore but rather create a temporary session credential object (by retrieving the accesskey/secretkey from veeam) to rotate the key and "forget the credentials" after closing the powershell session again.

Thinking about it again... From a security perspective it would be no difference if we could get the SecretAccessKey from Veeam compared to being able to retrieve it from the local user profile.
Optimally we would not be able to retrieve it at all - or even better: Veeam could rotate the key for us. <- Feature request
veremin
Product Manager
Posts: 20258
Liked: 2248 times
Joined: Oct 26, 2012 3:28 pm
Full Name: Vladimir Eremin
Contact:

Re: How to Rotate Cloud credentials

Post by veremin »

Amazon AWS itself does not allow you to programatically access secret keys, so, we're just following their security practices here, which make total sense - having an automatic way to retrieve user-specific password or secret key does not seem like a harmless option.

Also, I'm not sure how having Secret Key as property will help you to rotate the keys (you already seem to be doing exactly this, and doing correctly).

Thanks!
Post Reply

Who is online

Users browsing this forum: No registered users and 15 guests