We are setting up an object offload to AWS S3 with a Veeam customer. We have learned from Veeam employees that the only way to authenticate with AWS is to use static access keys and secret keys. As static keys are frowned upon in the cloud community, we wanted to ask if Veeam is working on more secure authentication scenarios, such as using OIDC as GitLab does:
https://docs.gitlab.com/ee/ci/cloud_services/aws/
Or, for example, to integrate with AWS IAM Roles Anywhere?
https://aws.amazon.com/blogs/security/e ... -anywhere/
That would give us a short-running access token that would be a lot more secure.
Thanks,
marco
-
- Lurker
- Posts: 2
- Liked: never
- Joined: Jul 17, 2023 1:40 pm
- Full Name: Marco Kuendig
- Contact:
-
- Product Manager
- Posts: 20206
- Liked: 2229 times
- Joined: Oct 26, 2012 3:28 pm
- Full Name: Vladimir Eremin
- Contact:
Re: Short living AWS access keys/secrets keys
Yes, we've investigated the IAM Roles Anywhere concept briefly and at least the next minor release will not have it supported.
But we'd like to clarify how you envision the configuration workflow, assuming IAM Roles Anywhere was supported. A user configures a trust anchor in the AWS Certificate Manager, creates IAM roles with required permissions, adds the trust policy to allow the backup server to assume them, and finally makes a profile in IAM Roles Anywhere. After that, the user goes to the backup server and adds the role using a certificate, its private key, trust anchor identifier, role identifier, and profile identifier? Something along these lines?
Thanks!
- Full Name: Marco Kuendig
Re: Short living AWS access keys/secrets keys
Thanks, Veremin, for your answer. Yeah, that is pretty much in line with our thinking.
- Full Name: Vladimir Eremin
Re: Short living AWS access keys/secrets keys
Got it, thanks for the feedback, we will keep it in mind when we start working on IAM Roles Anywhere support.
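The trust-policy step of the workflow discussed in this thread decides which certificates can turn into role sessions, so it is worth checking before any certificate is handed to a backup server. The following is an added example, not code from the thread or from Veeam: a small linter that reports a Roles Anywhere trust policy that is not pinned to one trust anchor and one certificate subject. The ARN, account ID, common name and function names are constructed placeholders.

```python
# Added example: lint an IAM role trust policy intended for IAM Roles Anywhere.
# All ARNs, account ids and certificate names below are constructed placeholders.
ANCHOR_ARN = "arn:aws:rolesanywhere:eu-central-1:111122223333:trust-anchor/EXAMPLE-ANCHOR-ID"
BACKUP_CN = "backup-server.example.internal"

def _as_list(v):
    return [] if v is None else v if isinstance(v, list) else [v]

def _pinned(cond, key):
    """Values for `key` under exact-match operators; IAM condition keys are case-insensitive."""
    vals = []
    for op in ("StringEquals", "ArnEquals"):
        for k, v in cond.get(op, {}).items():
            if k.lower() == key.lower():
                vals += _as_list(v)
    return vals

def lint_trust_policy(policy, anchor_arn, expected_cn):
    """Return findings; an empty list means the role is scoped to one anchor and one subject CN."""
    findings = []
    stmts = [s for s in _as_list(policy.get("Statement")) if s.get("Effect") == "Allow"]
    ra = []
    for s in stmts:
        p = s.get("Principal")
        if isinstance(p, dict) and "rolesanywhere.amazonaws.com" in _as_list(p.get("Service")):
            ra.append(s)
    if not ra:
        return ["no Allow statement trusts rolesanywhere.amazonaws.com"]
    for s in ra:
        cond = s.get("Condition", {})
        # A wildcard or a missing value never equals the expected value, so both are reported.
        if _pinned(cond, "aws:SourceArn") != [anchor_arn]:
            findings.append("aws:SourceArn is not pinned to the expected trust anchor")
        if _pinned(cond, "aws:PrincipalTag/x509Subject/CN") != [expected_cn]:
            findings.append("certificate subject CN is not pinned to the backup server")
    return findings

WEAK = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "rolesanywhere.amazonaws.com"},
    "Action": ["sts:AssumeRole", "sts:TagSession", "sts:SetSourceIdentity"]}]}

SCOPED = {"Version": "2012-10-17", "Statement": [{
    **WEAK["Statement"][0],
    "Condition": {
        "ArnEquals": {"aws:SourceArn": ANCHOR_ARN},
        "StringEquals": {"aws:PrincipalTag/x509Subject/CN": BACKUP_CN}}}]}

if __name__ == "__main__":
    for name, pol in (("weak", WEAK), ("scoped", SCOPED)):
        print(name, lint_trust_policy(pol, ANCHOR_ARN, BACKUP_CN) or "ok")
```
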