    Automate access to S3 buckets for Percona Backup for MongoDB

    When you run MongoDB and Percona Backup for MongoDB on AWS resources (on EC2 instances or in EKS), you can automate access to AWS S3 buckets for Percona Backup for MongoDB. Percona Backup for MongoDB uses the AWS environment variables and instance metadata to access S3 buckets, so you don’t have to specify the S3 credentials explicitly in the PBM configuration file. This way you control access to your cloud infrastructure from a single place.

    IAM instance profile

    Version added: 1.6.0

    IAM (Identity Access Management) is the AWS service that allows you to securely control access to AWS resources.

    Using an IAM instance profile, you can automate access to S3 buckets for Percona Backup for MongoDB running on an EC2 instance. The steps are the following:

    1. Create the IAM instance profile and, within it, the permission policy that specifies the access level granted to the S3 buckets.

    2. Attach the IAM profile to an EC2 instance.

    3. Configure an S3 storage bucket and verify the connection from the EC2 instance to it.

    4. Provide the remote storage information for PBM in a config file. Leave the s3.credentials array empty:

      storage:
        type: s3
        s3:
          region: <your-S3-region>
          bucket: <bucket-name>


      Note

      If you specify S3 credentials, they override the EC2 instance environment variables and metadata, and are used for authentication instead.

    5. Start the pbm-agent process.

    See also

    AWS documentation: How can I grant my Amazon EC2 instance access to an Amazon S3 bucket?

    IAM Roles for Service Accounts (IRSA)

    Version added: 2.0.3

    IRSA is the native way for AWS EKS (Amazon Elastic Kubernetes Service) to allow applications running in EKS pods to access the AWS API using permissions configured in AWS IAM roles.

    To benefit from using the AWS IRSA credentials with PBM, the high-level steps are the following:

    1. Create a cluster with eksctl and OIDC provider setup enabled. This feature works with EKS clusters version 1.13 and above.
    2. Create an IAM role and specify the policy that defines the access to an S3 bucket.
    3. Create a service account and annotate it with the IAM role.
    4. Configure your pod by using the service account created in the previous step and assume the IAM role.
    5. Provide the remote storage information for PBM in a config file. Leave the s3.credentials array empty, since PBM uses the AWS_ROLE_ARN/AWS_WEB_IDENTITY_TOKEN_FILE environment variables, which are either provided automatically (i.e. injected by the Kubernetes mutating admission controller in EKS) or which you can define manually (if you don’t want the admission controller to modify your pods).

    Note

    If IRSA-related credentials are defined, they take priority over any IAM instance profile. However, if you intentionally specify S3 credentials in the PBM configuration file, they override any IRSA/IAM instance profile credentials and are used for authentication instead.
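    The precedence described in this note and in the IAM instance profile section above (explicit s3.credentials first, then IRSA, then the instance profile) is easy to get wrong when a config file with static keys is left in place. The following check is an added example, not part of PBM or this page; the config dict, role ARN and token path are constructed placeholders, and it reports which source PBM will actually use and flags a config that silently bypasses IAM.

```python
# Which AWS credential source PBM ends up using for S3, per this page's rules:
# explicit s3.credentials beat everything; IRSA env vars beat the instance profile.
from typing import Mapping

EXPLICIT = "explicit s3.credentials from config file"
IRSA = "IRSA web-identity role"
INSTANCE_PROFILE = "EC2 IAM instance profile"

# Constructed sample in the page's config shape, s3.credentials left empty.
SAMPLE_CONFIG = {"storage": {"type": "s3",
                             "s3": {"region": "us-east-1", "bucket": "pbm-backups-example"}}}

# Constructed sample of what the EKS admission controller injects for IRSA
# (placeholder role ARN and token path, not real values).
IRSA_ENV = {
    "AWS_ROLE_ARN": "arn:aws:iam::111122223333:role/pbm-backup-role",
    "AWS_WEB_IDENTITY_TOKEN_FILE": "/var/run/secrets/eks.amazonaws.com/serviceaccount/token",
}


def credential_source(config: Mapping, env: Mapping[str, str]) -> str:
    """Return the credential source PBM will use for the given config and env."""
    storage = config.get("storage") or {}
    if storage.get("type") != "s3":
        raise ValueError("storage.type must be s3 for this check")
    s3 = storage.get("s3") or {}
    for key in ("region", "bucket"):
        if not s3.get(key):
            raise ValueError(f"s3.{key} is required")
    # Any non-empty value under s3.credentials overrides IAM-based access.
    if any((s3.get("credentials") or {}).values()):
        return EXPLICIT
    # IRSA applies only when both variables are present; else fall through.
    if env.get("AWS_ROLE_ARN") and env.get("AWS_WEB_IDENTITY_TOKEN_FILE"):
        return IRSA
    return INSTANCE_PROFILE


def lint(config: Mapping, env: Mapping[str, str]) -> list:
    """Findings a config review would raise before rolling PBM out."""
    findings = []
    if credential_source(config, env) == EXPLICIT:
        findings.append("s3.credentials is set: static keys in the config file "
                        "override IRSA and the instance profile; remove them")
    if bool(env.get("AWS_ROLE_ARN")) != bool(env.get("AWS_WEB_IDENTITY_TOKEN_FILE")):
        findings.append("only one of AWS_ROLE_ARN / AWS_WEB_IDENTITY_TOKEN_FILE "
                        "is set, so IRSA will not apply")
    return findings
```

Run it against the parsed PBM config and the pod's `os.environ` to confirm the agent will authenticate through IAM rather than through keys that were left in the file.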

    See also

    AWS documentation:

    • Introducing fine-grained IAM roles for service accounts
    • How do I use the IAM roles for service accounts (IRSA) feature with Amazon EKS to restrict access to an Amazon S3 bucket?

    Last update: March 23, 2023
    Created: March 23, 2023
    Percona LLC and/or its affiliates, © 2023