-
- Novice
- Posts: 5
- Liked: never
- Joined: May 05, 2020 9:40 am
- Contact:
How to Rotate Cloud credentials
Hi, "Changing access keys (which consist of an access key ID and a secret access key) on a regular schedule is a well-known security best practice". Via https://aws.amazon.com/blogs/security/h ... iam-users/
How do you do this in your Veeam setups? I know we could use PowerShell + AWS + Veeam Cmdlets.
Is there any hidden flag in Veeam B&R which does this for us?
Is this a feature Veeam would be willing to implement?
Regards
-
- Veeam Software
- Posts: 296
- Liked: 141 times
- Joined: Jul 24, 2018 8:38 pm
- Full Name: Stephen Firmes
- Contact:
Re: How to Rotate Cloud credentials
@brunom Welcome to the forums. If you change your access key/secret key, you can either update the existing credentials for your object storage repository or you can create a new set of credentials and use those for your object storage repository.
Hope this answers your question.
Steve
Steve Firmes | Senior Solutions Architect, Product Management - Alliances @ Veeam Software
-
- Novice
- Posts: 5
- Liked: never
- Joined: May 05, 2020 9:40 am
- Contact:
Re: How to Rotate Cloud credentials
I should have added this: We want this to be done automatically on a regular schedule. For example every other week without having to do this manually.
-
- Veeam Software
- Posts: 492
- Liked: 175 times
- Joined: Jul 21, 2015 12:38 pm
- Full Name: Dustin Albertson
- Contact:
Re: How to Rotate Cloud credentials
Use PowerShell and set up an automated weekly task in Windows
https://helpcenter.veeam.com/docs/backu ... ml?ver=100
https://helpcenter.veeam.com/docs/backu ... ml?ver=100
Dustin Albertson | Director of Product Management - Cloud & Applications | Veeam Product Management, Alliances
-
- Novice
- Posts: 5
- Liked: never
- Joined: May 05, 2020 9:40 am
- Contact:
Re: How to Rotate Cloud credentials
Any way to retrieve the SecretAccessKey from Veeam using scripts? Sadly Get-VBRAmazonAccount doesn't return the SecretAccessKey :/
The task works fine the way we implemented it (using the aws credentials in the user profile). But would prefer to not have to store/retrieve the SecretAccessKey to/from anywhere else.
-
- Product Manager
- Posts: 20413
- Liked: 2301 times
- Joined: Oct 26, 2012 3:28 pm
- Full Name: Vladimir Eremin
- Contact:
Re: How to Rotate Cloud credentials
No, there is no way to do that. As far as I remember, even Amazon allows you to get secret access key only during its creation. Thanks!
-
- Veeam Software
- Posts: 2010
- Liked: 670 times
- Joined: Sep 25, 2019 10:32 am
- Full Name: Oleg Feoktistov
- Contact:
Re: How to Rotate Cloud credentials
I doubt it would be very secure to have a way to retrieve it other than from the file AWS allows you to download upon access key creation.
How could the SecretAccessKey property from, let's say, Get-VBRAmazonAccount be of any help in your case anyway?
@veremin, exactly so.
Code:
MacBook-Air-3:.aws olegfeoktistov$ aws iam list-access-keys --user-name xxxx
{
    "AccessKeyMetadata": [
        {
            "UserName": "xxxx",
            "AccessKeyId": "XXXXXXXXXXXXXXXXXXXX",
            "Status": "Active",
            "CreateDate": "2020-05-11T19:02:56+00:00"
        }
    ]
}
-
- Novice
- Posts: 5
- Liked: never
- Joined: May 05, 2020 9:40 am
- Contact:
Re: How to Rotate Cloud credentials
The Amazon PowerShell stores the accesskey and secretkey on the local computer and you can retrieve the secretkey from them, too.
What the script does right now to rotate the key:
1. New-IAMAccessKey # create new key on AWS
2. Remove-IAMAccessKey # remove old key on AWS
3. Set-AWSCredential # update AWS credentials in local profile with new AccessKey / SecretKey
4. Set-VBRAmazonAccount # update AWS credentials in Veeam
If we could get the "SecretAccessKey property from, let's say, Get-VBRAmazonAccount" I would not permanently store the credentials in the local user profile anymore but rather create a temporary session credential object (by retrieving the accesskey/secretkey from Veeam) to rotate the key and "forget the credentials" after closing the PowerShell session again.
Thinking about it again... From a security perspective it would make no difference if we could get the SecretAccessKey from Veeam compared to being able to retrieve it from the local user profile.
Optimally we would not be able to retrieve it at all - or even better: Veeam could rotate the key for us. <- Feature request
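One way to order the four cmdlets from the post above so that the old key is only deactivated after Veeam and the local profile hold a verified new key, and deleted on the following run. This is an added example, not the poster's script or Veeam's code; the IAM user name and profile name are constructed placeholders, and the Veeam parameter names (-Account, -AccessKey, -SecretKey) are assumed from the Veeam PowerShell reference.

```powershell
# Added example, not the poster's script. $IamUser and $AwsProfile are hypothetical names.
# Assumes AWS.Tools.IdentityManagement and the Veeam cmdlets are loaded in this session,
# and that the IAM user is allowed to manage its own access keys.
$ErrorActionPreference = 'Stop'
$IamUser    = 'veeam-s3-backup'   # constructed placeholder
$AwsProfile = 'veeam-rotation'    # constructed placeholder

# 1. Clean up: delete keys that a previous run deactivated. IAM allows at most
#    two access keys per user, so this also frees the slot for the new key.
$keys = @(Get-IAMAccessKey -UserName $IamUser -ProfileName $AwsProfile)
$keys | Where-Object { $_.Status.Value -eq 'Inactive' } | ForEach-Object {
    Remove-IAMAccessKey -UserName $IamUser -AccessKeyId $_.AccessKeyId -ProfileName $AwsProfile -Force
}
$active = @($keys | Where-Object { $_.Status.Value -eq 'Active' })
if ($active.Count -ne 1) { throw "Expected exactly one active key, found $($active.Count)" }
$old = $active[0]

# 2. Create the new key. This response is the only time AWS returns the secret.
$new = New-IAMAccessKey -UserName $IamUser -ProfileName $AwsProfile

try {
    # 3. Point Veeam at the new key while the old one is still valid.
    $account = Get-VBRAmazonAccount -AccessKey $old.AccessKeyId
    Set-VBRAmazonAccount -Account $account -AccessKey $new.AccessKeyId -SecretKey $new.SecretAccessKey

    # 4. Replace the key in the local profile, then prove the new key works.
    #    IAM is eventually consistent, so retry for up to a minute.
    Set-AWSCredential -AccessKey $new.AccessKeyId -SecretKey $new.SecretAccessKey -StoreAs $AwsProfile
    $verified = $false
    foreach ($attempt in 1..6) {
        try { $null = Get-IAMAccessKey -UserName $IamUser -ProfileName $AwsProfile; $verified = $true; break }
        catch { Start-Sleep -Seconds 10 }
    }
    if (-not $verified) { throw 'New access key could not be verified; old key left active.' }

    # 5. Deactivate rather than delete the old key, so it can be re-enabled if a
    #    backup job fails before the next scheduled run removes it in step 1.
    Update-IAMAccessKey -UserName $IamUser -AccessKeyId $old.AccessKeyId -Status Inactive -ProfileName $AwsProfile -Force
}
finally {
    # Drop the in-memory copy of the secret when the run ends.
    Remove-Variable -Name new -ErrorAction SilentlyContinue
}
```

Run from a scheduled task, each execution first deletes the key the previous run deactivated, so a retired key stays recoverable for one rotation interval.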
-
- Product Manager
- Posts: 20413
- Liked: 2301 times
- Joined: Oct 26, 2012 3:28 pm
- Full Name: Vladimir Eremin
- Contact:
Re: How to Rotate Cloud credentials
Amazon AWS itself does not allow you to programmatically access secret keys, so, we're just following their security practices here, which make total sense - having an automatic way to retrieve user-specific password or secret key does not seem like a harmless option.
Also, I'm not sure how having Secret Key as property will help you to rotate the keys (you already seem to be doing exactly this, and doing correctly).
Thanks!