Amazon Web Services

The best approach to back up Kubernetes clusters running in Amazon Web Services (AWS) is to give the Afi backup agent access to manage volume snapshots directly via the AWS API instead of the generic CSI API. With this integration, Afi uses the changed block tracking API provided by AWS to perform fast and lightweight incremental backups.

You manage access in AWS by creating policies and attaching them to IAM identities (users, groups of users, or roles) or AWS resources. A policy is an object in AWS that, when associated with an identity or resource, defines its permissions. AWS evaluates these policies when an IAM principal (user or role) makes a request. The permissions in the policies determine whether the request is allowed or denied.

To use the AWS API for snapshot management, you need to create a service account with a custom IAM policy that allows snapshot-related operations, and share the service account credentials with the Afi backup agent. The steps are described in detail below.

Create an IAM policy

Below is the JSON description of an AWS IAM policy required for snapshot management. Save it to a file named policy.json:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateSnapshot",
        "ec2:DeleteSnapshot",
        "ec2:DescribeSnapshots",
        "ec2:CreateVolume",
        "ec2:DeleteVolume",
        "ec2:DescribeVolumes",
        "ec2:CreateTags",
        "ec2:DeleteTags",
        "ebs:ListSnapshotBlocks",
        "ebs:ListChangedBlocks",
        "ebs:GetSnapshotBlock"
      ],
      "Resource": "*"
    }
  ]
}

Create an IAM policy in your AWS account:

aws iam create-policy --policy-name k8sbackup-policy \
    --policy-document file://policy.json

For more information, please see the Creating IAM policies article in the AWS documentation.

Create a service account and attach the policy

Create an AWS IAM user named k8sbackup:

aws iam create-user --user-name k8sbackup

Attach the k8sbackup-policy created in the previous section to the k8sbackup user (replace ${AccountId} with your AWS account id):

aws iam attach-user-policy \
    --user-name k8sbackup \
    --policy-arn arn:aws:iam::${AccountId}:policy/k8sbackup-policy

Create an access key for the k8sbackup user and save the AccessKeyId and SecretAccessKey values for later use:

aws iam create-access-key --user-name k8sbackup

For more information, please see the Creating an IAM user article in the AWS documentation.

Create aws-api-key Secret and restart the backup agent

Create a Kubernetes Secret named aws-api-key in the namespace where the Afi backup agent is installed:

kubectl -n backup-agent create secret generic aws-api-key \
    --from-literal=access-key-id=${AccessKeyId} \
    --from-literal=secret-access-key=${SecretAccessKey}

Restart the DaemonSet that takes snapshots of persistent volumes so that it picks up the new Secret:

kubectl -n backup-agent rollout restart ds/pvsnapshotter
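The three sections above are one procedure. The script below is an added example (not Afi's own code or tooling) that runs the whole procedure end to end with a verification after each step: it reuses the policy and user if they already exist, confirms that k8sbackup carries no policy other than k8sbackup-policy, never prints the secret access key, and waits for the DaemonSet rollout to finish. It assumes AWS CLI v2 and kubectl are configured for the target account and cluster, and it uses the page's own names for the namespace (backup-agent), the DaemonSet (pvsnapshotter), the policy, the user and the Secret; the check on the 12-digit account id format and the `apply` argument guard are this example's additions.

```shell
#!/usr/bin/env sh
# Added example: automates the page's IAM + Secret setup for the Afi backup agent.
# Assumes AWS CLI v2 and kubectl are already authenticated (not part of the page).
set -eu

POLICY_NAME="k8sbackup-policy"   # names from the page
USER_NAME="k8sbackup"
NAMESPACE="backup-agent"
SECRET_NAME="aws-api-key"
DAEMONSET="pvsnapshotter"

# Write the snapshot-management policy document from the page to the given path.
write_policy_document() {
    cat > "$1" <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateSnapshot",
        "ec2:DeleteSnapshot",
        "ec2:DescribeSnapshots",
        "ec2:CreateVolume",
        "ec2:DeleteVolume",
        "ec2:DescribeVolumes",
        "ec2:CreateTags",
        "ec2:DeleteTags",
        "ebs:ListSnapshotBlocks",
        "ebs:ListChangedBlocks",
        "ebs:GetSnapshotBlock"
      ],
      "Resource": "*"
    }
  ]
}
EOF
}

# Return 0 only for a well-formed 12-digit AWS account id (format check added here).
valid_account_id() {
    case "$1" in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Build the customer-managed policy ARN from an account id and a policy name.
policy_arn() {
    printf 'arn:aws:iam::%s:policy/%s' "$1" "$2"
}

main() {
    account_id="$(aws sts get-caller-identity --query Account --output text)"
    valid_account_id "$account_id" || { echo "unexpected account id: $account_id" >&2; exit 1; }
    arn="$(policy_arn "$account_id" "$POLICY_NAME")"

    tmp="$(mktemp)"; trap 'rm -f "$tmp"' EXIT
    write_policy_document "$tmp"

    # Create the policy and the user only if they do not exist yet.
    aws iam get-policy --policy-arn "$arn" >/dev/null 2>&1 ||
        aws iam create-policy --policy-name "$POLICY_NAME" --policy-document "file://$tmp" >/dev/null
    aws iam get-user --user-name "$USER_NAME" >/dev/null 2>&1 ||
        aws iam create-user --user-name "$USER_NAME" >/dev/null
    aws iam attach-user-policy --user-name "$USER_NAME" --policy-arn "$arn"

    # The backup user should carry exactly this policy and nothing broader.
    attached="$(aws iam list-attached-user-policies --user-name "$USER_NAME" \
        --query 'AttachedPolicies[].PolicyArn' --output text)"
    [ "$attached" = "$arn" ] || { echo "unexpected policies attached: $attached" >&2; exit 1; }

    # Read both halves of a new access key into variables; nothing is echoed.
    creds="$(aws iam create-access-key --user-name "$USER_NAME" \
        --query 'AccessKey.[AccessKeyId,SecretAccessKey]' --output text)"
    access_key_id="${creds%%[[:space:]]*}"
    secret_access_key="${creds##*[[:space:]]}"

    # Create or update the Secret (dry-run + apply makes a re-run idempotent).
    kubectl -n "$NAMESPACE" create secret generic "$SECRET_NAME" \
        --from-literal=access-key-id="$access_key_id" \
        --from-literal=secret-access-key="$secret_access_key" \
        --dry-run=client -o yaml | kubectl apply -f -

    kubectl -n "$NAMESPACE" rollout restart "ds/$DAEMONSET"
    kubectl -n "$NAMESPACE" rollout status "ds/$DAEMONSET" --timeout=120s
}

# Only run the procedure when explicitly asked, so the file can be sourced for its functions.
if [ "${1:-}" = "apply" ]; then
    main
fi
```

Run it as `sh setup-afi-aws.sh apply`. As with the page's own commands, the secret access key passes through kubectl's argument list when the Secret is created; the script otherwise keeps it in a shell variable and never writes it to stdout or to a file.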