-
- Lurker
- Posts: 2
- Liked: never
- Joined: Jul 17, 2023 1:40 pm
- Full Name: Marco Kuendig
- Contact:
Short living AWS access keys/secrets keys
We are setting up with a Veeam customer an object offload to AWS S3. We have learned from Veeam employees that the only way to authenticate with AWS is to use static access keys and secret keys. As static keys are frowned upon in the cloud community, we wanted to ask if Veeam is working on more secure authentication scenarios, such as using OIDC as GitLab does:
https://docs.gitlab.com/ee/ci/cloud_services/aws/
Or, for example, to integrate with AWS IAM Roles Anywhere?
https://aws.amazon.com/blogs/security/e ... -anywhere/
That would give us a short-running access token that would be a lot more secure.
Thanks,
marco
-
- Product Manager
- Posts: 20668
- Liked: 2377 times
- Joined: Oct 26, 2012 3:28 pm
- Full Name: Vladimir Eremin
- Contact:
Re: Short living AWS access keys/secrets keys
Yes, we've investigated the IAM Roles Anywhere concept briefly and at least the next minor release will not have it supported.
But we'd like to clarify how you envision the configuration workflow, assuming IAM Roles Anywhere was supported. A user configures a trust anchor in the AWS Certificate Manager, creates IAM roles with required permissions, adds the trust policy to allow the backup server to assume them, and finally makes a profile in IAM Roles Anywhere. After that, the user goes to the backup server and adds the role using a certificate, its private key, trust anchor identifier, role identifier, and profile identifier? Something along these lines?
Thanks!
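The workflow outlined in the post above, as an added example that is not part of the original thread and is not Veeam code: it builds a role trust policy pinned to one trust anchor and one certificate CN, audits a policy for missing pins, and emits the `credential_process` entry through which AWS CLI/SDK clients use AWS's `aws_signing_helper`. The ARN, host name and the `WEAK` policy are constructed placeholders.

```python
import json

SERVICE = "rolesanywhere.amazonaws.com"
REQUIRED_ACTIONS = {"sts:AssumeRole", "sts:TagSession", "sts:SetSourceIdentity"}

def build_trust_policy(trust_anchor_arn, cert_cn):
    """Role trust policy pinned to one trust anchor and one certificate CN."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": SERVICE},
        "Action": sorted(REQUIRED_ACTIONS),
        "Condition": {
            "ArnEquals": {"aws:SourceArn": trust_anchor_arn},
            "StringEquals": {"aws:PrincipalTag/x509Subject/CN": cert_cn},
        },
    }]}

def audit_trust_policy(policy):
    """List weaknesses in statements that let IAM Roles Anywhere assume the role."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        principal = st.get("Principal")
        svc = principal.get("Service", []) if isinstance(principal, dict) else []
        if st.get("Effect") != "Allow" or SERVICE not in ([svc] if isinstance(svc, str) else svc):
            continue
        act = st.get("Action", [])
        missing = REQUIRED_ACTIONS - set([act] if isinstance(act, str) else act)
        if missing:
            findings.append(f"statement {i}: missing actions {sorted(missing)}")
        # Condition keys are case-insensitive; collect them across all operators.
        keys = {k.lower() for op in st.get("Condition", {}).values() for k in op}
        if "aws:sourcearn" not in keys:
            findings.append(f"statement {i}: not pinned to a trust anchor")
        if not any(k.startswith("aws:principaltag/x509") for k in keys):
            findings.append(f"statement {i}: accepts any certificate the CA issued")
    return findings

def credential_process_line(cert, key, trust_anchor_arn, profile_arn, role_arn):
    """~/.aws/config entry that calls AWS's aws_signing_helper for short-lived keys."""
    return ("credential_process = aws_signing_helper credential-process"
            f" --certificate {cert} --private-key {key}"
            f" --trust-anchor-arn {trust_anchor_arn}"
            f" --profile-arn {profile_arn} --role-arn {role_arn}")

# Constructed placeholder identifiers, not values from the thread.
TA = "arn:aws:rolesanywhere:eu-central-1:111122223333:trust-anchor/EXAMPLE-TA"
WEAK = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": SERVICE}, "Action": "sts:AssumeRole"}]}

if __name__ == "__main__":
    print(json.dumps(build_trust_policy(TA, "backup01.example.com"), indent=2))
    print(audit_trust_policy(WEAK))
```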
-
- Lurker
- Posts: 2
- Liked: never
- Joined: Jul 17, 2023 1:40 pm
- Full Name: Marco Kuendig
- Contact:
Re: Short living AWS access keys/secrets keys
Thanks Veremin for your answer. Yeah, that is pretty much in line with our thinking.
-
- Product Manager
- Posts: 20668
- Liked: 2377 times
- Joined: Oct 26, 2012 3:28 pm
- Full Name: Vladimir Eremin
- Contact:
Re: Short living AWS access keys/secrets keys
Got it, thanks for the feedback, we will keep it in mind when we start working on IAM Roles Anywhere support.
-
- Veteran
- Posts: 297
- Liked: 25 times
- Joined: May 22, 2015 7:16 am
- Full Name: Paul
- Contact:
Re: Short living AWS access keys/secrets keys
Hi
Has there been any change with this? I am starting a proof of concept using Veeam to back up M365 to AWS S3 storage and need to determine the type of access key to create.
-
- Product Manager
- Posts: 15127
- Liked: 3232 times
- Joined: Sep 01, 2014 11:46 am
- Full Name: Hannes Kasparick
- Location: Austria
- Contact:
Re: Short living AWS access keys/secrets keys
Hello,
sorry, no changes so far.
Best regards,
Hannes
-
- Veteran
- Posts: 297
- Liked: 25 times
- Joined: May 22, 2015 7:16 am
- Full Name: Paul
- Contact:
Re: Short living AWS access keys/secrets keys
Thanks for the update. Which type of access key should be created in AWS? I cannot find anything in the Veeam M365 documentation.
Should I create "Third Party Service" or "Application running outside AWS" access key?
I have emailed our contact in Veeam who is assisting with our proof of concept testing but no response as yet.
Thanks
-
- Product Manager
- Posts: 10277
- Liked: 2746 times
- Joined: May 13, 2017 4:51 pm
- Full Name: Fabian K.
- Location: Switzerland
- Contact:
Re: Short living AWS access keys/secrets keys
Hi Paul
You can use "Application running outside AWS" (that's what I do for my lab).
If I understand it correctly, the selected use case does not affect any settings around the access key.
Amazon wants to know your use case and then suggests alternatives to access keys if available.
VB365 (and VBR) requires access keys. The provided alternatives will not work.
Best,
Fabian
Product Management Analyst @ Veeam Software
-
- Lurker
- Posts: 1
- Liked: never
- Joined: Aug 08, 2024 10:01 am
- Full Name: Neill Kerwin
- Contact:
Re: Short living AWS access keys/secrets keys
Hello
Has there been any progress with this feature?
Thanks