Introduction
While trying to run an AWS Backup on-demand backup from Step Functions, I ran into some difficulties around permissions. I am writing this up as a note to myself.
Overview

To run AWS Backup from Step Functions, the following permissions have to be granted:

- AWS Backup related permissions
  - Permission to perform the backup (the role that AWS Backup assumes)
- Step Functions related permissions
  - Permission to pass the role above to AWS Backup (iam:PassRole)
  - Permission to call StartBackupJob against the BackupVault that the backup is saved to

Below is a CloudFormation example that runs an on-demand backup from Step Functions.
Reference

AWS Backup and AWS CloudFormation

CloudFormation code

As the simplest possible configuration, we create the following resources:

- BackupVault
- Role for backups
- Role for Step Functions
- StateMachine that runs the on-demand backup

The CloudFormation code is below. When you create the stack, pass the ARN of the target EC2 instance as a parameter.
```yaml
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  Ec2Arn:
    Type: String
    # ARN of the EC2 instance to back up; pass it in when creating the stack
    Default: tokyo-endpoint
Resources:
  MyBackupVault:
    Type: AWS::Backup::BackupVault
    Properties:
      BackupVaultName: for-stepfunctions
  # Role that AWS Backup itself assumes to take the backup
  MyBackupRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - backup.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: /
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup
        # - arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForRestores
  # Role that the state machine runs as
  SMRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - states.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: /
      Policies:
        # - PolicyName: allowSsm
        #   PolicyDocument:
        #     Version: "2012-10-17"
        #     Statement:
        #       - Effect: Allow
        #         Action:
        #           - ssm:SendCommand
        #         Resource: "*"
        - PolicyName: allowBackupJob
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - backup:StartBackupJob
                Resource:
                  # - !Sub "arn:aws:backup:${AWS::Region}:${AWS::AccountId}:backup-vault:*"
                  - !GetAtt MyBackupVault.BackupVaultArn
              - Effect: Allow
                Action:
                  - iam:PassRole
                Resource:
                  - !GetAtt MyBackupRole.Arn
  executeEc2BackupStateMachine:
    Type: AWS::StepFunctions::StateMachine
    Properties:
      RoleArn: !GetAtt SMRole.Arn
      Definition:
        StartAt: StartBackupJob
        States:
          StartBackupJob:
            Type: Task
            Resource: arn:aws:states:::aws-sdk:backup:startBackupJob
            Parameters:
              BackupVaultName: !Ref MyBackupVault
              IamRoleArn: !GetAtt MyBackupRole.Arn
              ResourceArn: !Ref Ec2Arn
            End: true
```

This is the StateMachine that gets created. Since the template contains a few extra comments, each resource is explained briefly below.
Backup role

```yaml
  MyBackupRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - backup.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: /
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup
        # - arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForRestores
```

This is the role AWS Backup assumes; it only needs the AWS-managed AWSBackupServiceRolePolicyForBackup. The commented-out AWSBackupServiceRolePolicyForRestores is the managed policy for restores, so attach it as well only if the same role is meant to perform restores.

Step Functions role

The allowBackupJob policy on SMRole (the role the state machine runs as) takes care of the following:

- permission to pass the backup role created above (iam:PassRole)
- permission to call StartBackupJob on the BackupVault created at the top of the template

If you want to allow it for any BackupVault, use the commented-out wildcard Resource instead. The commented-out allowSsm policy allows Systems Manager SendCommand; it is there on the assumption that you want to "run a script before and after the backup to stop/start services".

State
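To see what the allowBackupJob scoping actually buys you, here is an added example in Python (not part of the original post or its template): a small IAM-style policy evaluator run over SMRole's inline policy with the template's intrinsic functions resolved to constructed ARNs. It compares the vault-scoped Resource with the commented-out backup-vault:* wildcard, checks that iam:PassRole is limited to MyBackupRole, and also tries a hardening the template does not include, an iam:PassedToService condition on the PassRole statement, which is an addition here rather than something from the page. The region, account ID and ARNs are made-up sample values.

```python
import json
import re

# Constructed sample values standing in for the template's !Ref / !GetAtt outputs.
REGION, ACCOUNT = "ap-northeast-1", "123456789012"
VAULT_ARN = f"arn:aws:backup:{REGION}:{ACCOUNT}:backup-vault:for-stepfunctions"
OTHER_VAULT_ARN = f"arn:aws:backup:{REGION}:{ACCOUNT}:backup-vault:another-vault"
BACKUP_ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/MyBackupRole"
OTHER_ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/SomeOtherRole"

# SMRole's inline allowBackupJob policy from the template, intrinsics resolved.
ALLOW_BACKUP_JOB = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["backup:StartBackupJob"], "Resource": [VAULT_ARN]},
        {"Effect": "Allow", "Action": ["iam:PassRole"], "Resource": [BACKUP_ROLE_ARN]},
    ],
}

# Variant using the commented-out wildcard Resource (any vault in this account/region).
ANY_VAULT = json.loads(json.dumps(ALLOW_BACKUP_JOB))
ANY_VAULT["Statement"][0]["Resource"] = [f"arn:aws:backup:{REGION}:{ACCOUNT}:backup-vault:*"]

# Hardened variant (added here, not in the template): the role may only be passed to AWS Backup.
HARDENED = json.loads(json.dumps(ALLOW_BACKUP_JOB))
HARDENED["Statement"][1]["Condition"] = {
    "StringEquals": {"iam:PassedToService": "backup.amazonaws.com"}
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match(pattern, value):
    """IAM-style wildcard match: * is any run of characters, ? a single character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def _conditions_hold(condition, context):
    """Only StringEquals is modelled; a missing context key fails the condition, as in IAM."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for key, expected in pairs.items():
            if context.get(key) not in _as_list(expected):
                return False
    return True


def is_allowed(policy, action, resource, context=None):
    """Evaluate one identity policy: default deny, explicit Deny wins over Allow."""
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_match(a, action) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(_match(r, resource) for r in _as_list(stmt.get("Resource", []))):
            continue
        if not _conditions_hold(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def state_machine_can_run(policy, vault_arn, iam_role_arn, passed_to="backup.amazonaws.com"):
    """The aws-sdk:backup:startBackupJob task succeeds only if the state machine's role
    may call StartBackupJob on the vault AND pass IamRoleArn to the receiving service."""
    return (is_allowed(policy, "backup:StartBackupJob", vault_arn)
            and is_allowed(policy, "iam:PassRole", iam_role_arn,
                           {"iam:PassedToService": passed_to}))


if __name__ == "__main__":
    for name, policy in [("template", ALLOW_BACKUP_JOB), ("any-vault", ANY_VAULT), ("hardened", HARDENED)]:
        print(name,
              "own vault:", state_machine_can_run(policy, VAULT_ARN, BACKUP_ROLE_ARN),
              "other vault:", state_machine_can_run(policy, OTHER_VAULT_ARN, BACKUP_ROLE_ARN),
              "other role:", state_machine_can_run(policy, VAULT_ARN, OTHER_ROLE_ARN))
```

With the template's policy the task can only write to for-stepfunctions and only pass MyBackupRole; switching to the wildcard Resource lets the same state machine write to any vault in the account and region. The extra iam:PassedToService condition does not change the happy path, it just stops the state machine's role from handing MyBackupRole to a service other than AWS Backup if the policy is ever broadened.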
The single state defined in Step Functions to run the on-demand backup is as follows. It uses the AWS SDK service integration, so the Parameters are passed straight through to the StartBackupJob API.

```yaml
        States:
          StartBackupJob:
            Type: Task
            Resource: arn:aws:states:::aws-sdk:backup:startBackupJob
            Parameters:
              BackupVaultName: !Ref MyBackupVault
              IamRoleArn: !GetAtt MyBackupRole.Arn
              ResourceArn: !Ref Ec2Arn
            End: true
```

The parameters of backup:startBackupJob are documented here:

https://docs.aws.amazon.com/aws-backup/latest/devguide/API_StartBackupJob.html

Conclusion
This time we used running AWS Backup from Step Functions as an example to look at the permissions involved. AWS Backup can also take backups on its own schedule, but if you need to do other processing before and after the backup, you can use the Step Functions approach described in this article. I hope it is useful.