We are currently in the (long) process of configuring our Capacity and Archive Tiers in AWS, utilising S3 and Glacier.
We have been able to successfully add our buckets to our infrastructure, but we have come across a limitation with the creation of the temporary helper and archiver appliances.
I can see in the sysreqs that ec2:CreateKeyPair is required, and when we tested without it, it failed accordingly:
errorCode": "Client.UnauthorizedOperation","errorMessage": "You are not authorized to perform this operation. User: xxxxxxxxxxxxxxxxxxxxxxx is not authorized to perform: ec2:CreateKeyPair on resource: arn:aws:ec2:ap-southeast-2:779846780977:key-pair/KeyPair_197f3c0d-e412-4325-963c-36472224c3bf with an explicit deny in a service control policy. Encoded authorization failure message: ....
We had some questions from our Cloud Ops team, as currently this permission is blocked globally (i.e. even if the permission were given to the user, it would be blocked). Is there any possibility of using an existing key pair for those EC2 instances yet? I haven't found much discussion around this (only a feature request for EC2 restore dating back to 2019).
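An added example, not code from the thread or from the backup product: a small Python triage helper that parses an AWS UnauthorizedOperation message of the shape quoted above into principal, action, resource ARN and the denying policy type, so that an explicit deny from a service control policy (which an IAM allow on the user cannot override) is distinguished from a simple missing IAM grant. The sample messages, account id and user name are constructed placeholders modelled on the message in the post.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Human-readable part of an AWS "UnauthorizedOperation" / "AccessDenied" message.
# The trailing "Encoded authorization failure message" is deliberately ignored:
# it can only be read with sts:DecodeAuthorizationMessage.
_DENIED_RE = re.compile(
    r"User: (?P<principal>\S+) is not authorized to perform: "
    r"(?P<action>[A-Za-z0-9-]+:[A-Za-z0-9*]+) on resource: (?P<resource>\S+)"
    r"(?: with an explicit deny in (?P<deny_source>[^.]+)"
    r"| because (?P<reason>[^.]+))?"
    r"(?:\.|$)"
)


@dataclass
class DeniedCall:
    principal: str
    action: str
    resource: str
    region: str
    account: str
    resource_type: str
    deny_source: Optional[str]  # e.g. "a service control policy"; None for an implicit deny
    reason: Optional[str]       # e.g. "no identity-based policy allows ..."; None otherwise

    @property
    def explicit_deny(self) -> bool:
        return self.deny_source is not None

    @property
    def denied_by_scp(self) -> bool:
        return self.explicit_deny and "service control policy" in self.deny_source


def parse_denied_message(message: str) -> DeniedCall:
    """Extract principal, action and resource ARN from an IAM authorization failure."""
    m = _DENIED_RE.search(message)
    if m is None:
        raise ValueError("not an IAM authorization failure message")
    resource = m.group("resource")
    # ARN layout: arn:partition:service:region:account-id:resource
    parts = resource.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"unexpected resource ARN: {resource}")
    _, _, _, region, account, res = parts
    # "key-pair/KeyPair_..." -> "key-pair" (S3 bucket ARNs carry no type prefix)
    resource_type = res.split("/", 1)[0]
    return DeniedCall(
        principal=m.group("principal"),
        action=m.group("action"),
        resource=resource,
        region=region,
        account=account,
        resource_type=resource_type,
        deny_source=m.group("deny_source"),
        reason=m.group("reason"),
    )


def triage(message: str) -> str:
    """One-line remediation hint; an SCP explicit deny is not fixable in the user's IAM policy."""
    d = parse_denied_message(message)
    if d.denied_by_scp:
        return (f"{d.action} on {d.resource_type} is explicitly denied by an SCP for "
                f"{d.principal}; granting the action in the identity's IAM policy will "
                "not help until the SCP itself is changed.")
    if d.explicit_deny:
        return f"{d.action} is explicitly denied in {d.deny_source}; locate and amend that Deny statement."
    return f"{d.action} is implicitly denied for {d.principal}; add an Allow scoped to {d.resource}."


# Constructed sample messages (placeholder account id and user name).
SCP_DENIED_MSG = (
    "You are not authorized to perform this operation. User: arn:aws:iam::123456789012:user/backup-svc "
    "is not authorized to perform: ec2:CreateKeyPair on resource: "
    "arn:aws:ec2:ap-southeast-2:123456789012:key-pair/KeyPair_197f3c0d-e412-4325-963c-36472224c3bf "
    "with an explicit deny in a service control policy. Encoded authorization failure message: AbCdEf"
)
IMPLICIT_DENIED_MSG = (
    "User: arn:aws:iam::123456789012:user/backup-svc is not authorized to perform: "
    "s3:GetObject on resource: arn:aws:s3:::example.bucket/archive/obj "
    "because no identity-based policy allows the s3:GetObject action"
)

if __name__ == "__main__":
    for msg in (SCP_DENIED_MSG, IMPLICIT_DENIED_MSG):
        print(triage(msg))
```

Run over CloudTrail `errorMessage` fields, the `denied_by_scp` flag separates the cases a Cloud Ops team can fix with an IAM grant from those that need the organisation's SCP revisited, which is exactly the distinction at issue in this thread.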
I couldn't find a way to specify a specific key pair, but I can ask QA if we may have a registry key or another workaround. May I ask what the security concern is from your security team regarding allowing this single user to create such keys for the EC2 archiver appliance?
An EC2 key pair is created to enable authentication between the backup server and the EC2 helper appliance. It is only used for this appliance and is not used for any other appliances. Immediately after the archival session, the key pair is deleted together with the archiver appliance from AWS.
We are just trying to go by the least privileges possible, i.e. we do not want this user to be able to create key pairs. If there is a possibility to use existing ones, it would be fantastic.
I discussed your question with our QA team. Currently, there is no workaround; the archiver appliance and necessary permissions are required for offloading from AWS capacity to the AWS archive tier. We will consider your request to allow selecting a custom key pair in a future version.
We currently use deduplicating storage (Data Domain) as our primary backup storage. In the documentation it does not appear as a source target; however, we verified with our local SE that it was indeed supported. Could we get a confirmation on this? (We tried archiving a VeeamZIP and it failed with "Cannot find a Capacity Tier extent for dehydrated backup: ab2f3143-c07a-45c8-86ab-91274dff48d4".)
I apologize, I was out of the office this week.
Thank you for your feedback.
I'll discuss the missing source (dedup appliances) for direct to archive tier with our help center team.