Discussions related to using object storage as a backup target.
Post Reply
pouya
Influencer
Posts: 11
Liked: 1 time
Joined: Jun 18, 2018 12:00 am
Full Name: Phillip Ou Yang
Location: Sydney, Australia
Contact:

Keypairs for EC2 Appliances?

Post by pouya »

Hey everyone,

We are currently in the (long) process of configuring our Capacity and Archive Tiers in AWS, utilising S3 and Glacier.
We have been able to succesfully add our buckets to our infrastructure but we have come across a limitation with the creation of the temporary helper and archiver appliances.

I can see in the sysreqs that ec2: CreateKeyPair is required and when we tested without - it failed accordingly:

Code: Select all

errorCode": "Client.UnauthorizedOperation","errorMessage": "You are not authorized to perform this operation. User: xxxxxxxxxxxxxxxxxxxxxxx is not authorized to perform: ec2:CreateKeyPair on resource: arn:aws:ec2:ap-southeast-2:779846780977:key-pair/KeyPair_197f3c0d-e412-4325-963c-36472224c3bf with an explicit deny in a service control policy. Encoded authorization failure message: ....
We had some questions from our Cloud Ops team as currently this permission is blocked Globally (i.e. even if permissions was given for the user, it will be blocked.) . Is there any possibility of using an existing keypair for those EC2 instances yet? I havent found much discussion around this (only a feature request for EC2 restore dating back to 2019).

Thanks!
Mildur
Product Manager
Posts: 9793
Liked: 2586 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland
Contact:

Re: Keypairs for EC2 Appliances?

Post by Mildur »

Hello Phillip,

I couldn't find a way to specify a specific key pair, but I can ask QA if we may have a registry key or another workaround. May I ask what the security concern is from your security team regarding allowing this single user to create such keys for the EC2 archiver appliance?

An EC2 key pair is created to enable authentication between the backup server and the EC2 helper appliance. It is only used for this appliance and is not used for any other appliances. Immediately after the archival session, the key pair is deleted together with the archiver appliance from AWS.

Best regards,
Fabian
Product Management Analyst @ Veeam Software
pouya
Influencer
Posts: 11
Liked: 1 time
Joined: Jun 18, 2018 12:00 am
Full Name: Phillip Ou Yang
Location: Sydney, Australia
Contact:

Re: Keypairs for EC2 Appliances?

Post by pouya »

We are just try to go by least privileges possible i.e. we do not want this user to be able to create keypairs. If there is such a possiblity to use existing ones it would be fantastic
Mildur
Product Manager
Posts: 9793
Liked: 2586 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland
Contact:

Re: Keypairs for EC2 Appliances?

Post by Mildur »

Thank you.
I've contacted our QA team to see if there is a workaround or registry key available today.

Best regards,
Fabian
Product Management Analyst @ Veeam Software
Mildur
Product Manager
Posts: 9793
Liked: 2586 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland
Contact:

Re: Keypairs for EC2 Appliances?

Post by Mildur »

Hi Phillip,

I discussed your question with our QA team. Currently, there is no workaround; the archiver appliance and necessary permissions are required for offloading from AWS capacity to the AWS archive tier. We will consider your request to allow selecting a custom key pair in a future version.

Since v12.2, we support direct Archive Tier offload from any Performance Tier which does not require an archiver appliance in AWS. Have you considered using this offload option?

Best,
Fabian
Product Management Analyst @ Veeam Software
pouya
Influencer
Posts: 11
Liked: 1 time
Joined: Jun 18, 2018 12:00 am
Full Name: Phillip Ou Yang
Location: Sydney, Australia
Contact:

Re: Keypairs for EC2 Appliances?

Post by pouya »

Hi Fabian,

We currently use Deduplicating storage (Datadomain) as our primary backup storage. On the documentation it does not appear as a source target however we verified with our local SE that it was indeed supported. Could we get a confirmation on this? (we tried archiving a VeeamZIP and it failed with "Cannot find a Capacity Tier extent for dehydrated backup: ab2f3143-c07a-45c8-86ab-91274dff48d4"
pouya
Influencer
Posts: 11
Liked: 1 time
Joined: Jun 18, 2018 12:00 am
Full Name: Phillip Ou Yang
Location: Sydney, Australia
Contact:

Re: Keypairs for EC2 Appliances?

Post by pouya »

Nevermind, it works! :D Thanks for the suggestions Fabian!
Mildur
Product Manager
Posts: 9793
Liked: 2586 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland
Contact:

Re: Keypairs for EC2 Appliances?

Post by Mildur »

Hi Phillip,

I apologize, I was out of office this week :)
Thank you for your feedback.
I'll discuss the missing source (dedup appliances) for direct to archive tier with our help center team.

Best regards,
Fabian
Product Management Analyst @ Veeam Software
Post Reply

Who is online

Users browsing this forum: Amazon [Bot] and 5 guests