Scenario
This procedure is for any client who has an FMOS installation in AWS or on-prem and would like to transfer backup files to an AWS S3 bucket. By the end, you will be able to designate the AWS Transfer server URL as an SFTP target using the public/private key pair for the "fmbackup" user. Once this is set up, a script can be executed on FMOS to create the remote-sftp.sh script in postbackup.d that is required to set up the backup transfer.
Prerequisites
AWS S3 bucket
IAM permissions to do the following:
- Create/Edit IAM Policy
- Create IAM Role
- Create AWS Transfer Server
AWS Post Backup Preparation Script (Attached)
Procedure
Create IAM Policy
Policy > Create Policy
Select Service: S3
Add Actions:
- ListBucket
- GetBucketLocation
Resources: Specific
Click "Add ARN"
Bucket Name: <add bucket name>
Click Add/Save Changes
Click "Add additional permissions"
Select Service: S3
Add Actions:
- GetObject
- GetObjectVersion
- DeleteObject
- DeleteObjectVersion
- PutObject
Resources: Specific
Click "Add ARN"
Bucket name: <Add bucket name>
Object name: * (Any will automatically be selected)
Click Add/Save Changes
Click "Next: Tags", add tags if needed and click "Next: Review".
Name and click "Create Policy".
Create IAM Role
Click Roles
Click "Create Role"
Select AWS Service > Transfer
Click "Next: Permissions"
Search for and select the IAM Policy that was created earlier
Click "Next: Tags", add tags if needed and click "Next: Review"
Create role
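The permissions policy and role trust relationship produced by the console steps above can also be written as JSON and checked in code. This is an added example, not part of the original procedure or the attached script; the bucket name "example-fmos-backups" and the function names are assumptions chosen for illustration.

```python
import json

# Actions from the two permission blocks in "Create IAM Policy".
BUCKET_ACTIONS = ["s3:ListBucket", "s3:GetBucketLocation"]
OBJECT_ACTIONS = ["s3:GetObject", "s3:GetObjectVersion", "s3:DeleteObject",
                  "s3:DeleteObjectVersion", "s3:PutObject"]

def build_policy(bucket):
    """Permissions policy equivalent to the two console permission blocks."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "BucketLevel", "Effect": "Allow", "Action": BUCKET_ACTIONS,
         "Resource": f"arn:aws:s3:::{bucket}"},
        {"Sid": "ObjectLevel", "Effect": "Allow", "Action": OBJECT_ACTIONS,
         "Resource": f"arn:aws:s3:::{bucket}/*"}]}

def build_trust_policy():
    """Trust policy that results from choosing AWS Service > Transfer."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"Service": "transfer.amazonaws.com"},
         "Action": "sts:AssumeRole"}]}

def as_list(value):
    return [value] if isinstance(value, (str, dict)) else list(value)

def audit_policy(policy, bucket):
    """List every Allow grant that goes beyond what the procedure calls for.

    Only Action/Resource statements are inspected (NotAction is not handled).
    """
    allowed = {f"arn:aws:s3:::{bucket}": set(BUCKET_ACTIONS),
               f"arn:aws:s3:::{bucket}/*": set(OBJECT_ACTIONS)}
    findings = []
    for stmt in as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for resource in as_list(stmt.get("Resource", [])):
            for action in as_list(stmt.get("Action", [])):
                if action not in allowed.get(resource, set()):
                    findings.append(f"{action} on {resource}")
    return findings

if __name__ == "__main__":
    bucket = "example-fmos-backups"  # constructed placeholder bucket name
    print(json.dumps(build_policy(bucket), indent=2))
    print(json.dumps(build_trust_policy(), indent=2))
    print(audit_policy(build_policy(bucket), bucket))
```

Pasting the JSON tab contents of an existing policy into `audit_policy` shows whether it grants anything beyond the bucket-level and object-level actions listed in this procedure.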
Create Transfer Server
Search for "AWS Transfer Family"
Click "Create Server"
Choose Protocols: Select "SFTP"
Next
Identity provider type: "Service Managed"
Next
Endpoint type: Select Public or VPC
Next
Domain: Amazon S3
Next
Configure additional details: Add any settings that are required for your organization
Next
Review and click "Create Server"
Obtain "fmbackup" User Public Key from FMOS
Upload the attached "backup-aws.sh" to your "/home/<user>" directory of the server that holds the database role.
Run script "bash backup-aws.sh"
Enter AWS Transfer server FQDN
When the script completes it will cat the public key for the fmbackup user
Copy the public key to notepad for later use
Add "fmbackup" user to AWS Transfer Server
Click transfer server to edit
Click "Add user"
Note: Here you will need to add a user called fmbackup selecting the IAM role and policy that was created in a previous step
Choose the S3 bucket
Add the public key that was obtained via script
Save user when complete
Run "fmos backup" from FMOS command line and verify that backup file is in the S3 destination
Comments
Hi team, is this still valid for FMOS versions 9.7+ ?
Also, is the same procedure valid when the FMOS server is also at AWS?
Thanks