Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add docs for required minimal permissions of the fdbbackup and backup_agent #11724

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
+29 −0
Open

Add docs for required minimal permissions of the fdbbackup and backup_agent #11724

Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
39cb038
Add docs for required minimal permissions of the fdbbackup and backup…
johscheuer Oct 22, 2024
fcacfbd
Update docs with feedback
johscheuer Nov 25, 2024
2a6a432
Fix Title underline too short
johscheuer Nov 25, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
29 changes: 29 additions & 0 deletions documentation/sphinx/source/backups.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -61,6 +61,35 @@ By default, the FoundationDB packages are configured to start a single ``backup_

If instead you want to perform a backup to the local disk of a particular machine or machines which are not network accessible to the FoundationDB servers, then you should disable the backup agents on the FoundationDB servers. This is accomplished by commenting out all of the ``[backup_agent.<ID>]`` sections in :ref:`foundationdb.conf <foundationdb-conf>`. Do not comment out the global ``[backup_agent]`` section. Next, start backup agents on the destination machine or machines. Now, when you start a backup, you can specify the destination directory (as a Backup URL) using a local path on the destination machines. The backup agents will fetch data from the database and store it locally on the destination machines.

Blobstore Access Permissions
============================

If a remote blobstore, like AWS S3, is used to store the backup data, you should ensure to restrict the backup agent permissions as much as possible.
You can either use the same policy for the ``backup_agent`` and ``fdbbackup`` or separate those.
Note: Your actual required permissions might be different, depending on your setup and requirements.

Required permissions for the ``backup_agent`` and ``fdbbackup`` at the bucket level:

::

s3:ListBucket


Required permissions for the ``backup_agent`` and ``fdbbackup`` at the object level for a specific bucket:

::

s3:AbortMultipartUpload
s3:PutObject
s3:GetObject
s3:DeleteObject
s3:ListBucketMultipartUploads
s3:ListMultipartUploadParts

Note: If you want that the ``backup_agent`` or ``fdbbackup`` can create a bucket, you have to add the ``s3:CreateBucket`` permission.
If you want to encrypt the data at rest in S3 you have to make sure that S3 is properly configured and that the `backup_agent` and `fdbbackup` have access to `KMS <https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.Keys.html>`_.
For additional information read the AWS S3 documention for `Policy Actions <https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-with-s3-policy-actions.html>`_ or the equivalent documentation for your blobstore.

Backup URLs
===========

Expand Down