Introduction
When I tried to run an on-demand AWS Backup job from Step Functions, I ran into some trouble with permissions. I am writing the results down here as a memo.
Overview
To run AWS Backup from Step Functions, the following permissions need to be granted:
Permissions on the AWS Backup side
- Permission to perform the backup itself (the service role that AWS Backup assumes)
Permissions on the Step Functions side
- Permission to pass the above role to another service (iam:PassRole)
- Permission to call StartBackupJob on the destination BackupVault
Below is a CloudFormation example that runs an on-demand backup from Step Functions.
Reference
AWS Backup and AWS CloudFormation
CloudFormation code
As the simplest configuration, we create the following resources:
- BackupVault
- Role for the backup
- Role for Step Functions
- StateMachine that runs the on-demand backup
Here is the CloudFormation template. When deploying it, pass the ARN of the target EC2 instance as a parameter.
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  Ec2Arn:
    Type: String
    Default: tokyo-endpoint
Resources:
  MyBackupVault:
    Type: AWS::Backup::BackupVault
    Properties:
      BackupVaultName: 'for-stepfunctions'
  # Service role that AWS Backup assumes to perform the backup
  MyBackupRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - backup.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Path: /
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup
        # - arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForRestores
  # Execution role for the state machine
  SMRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - states.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Path: /
      Policies:
        # - PolicyName: allowSsm
        #   PolicyDocument:
        #     Version: "2012-10-17"
        #     Statement:
        #       - Effect: Allow
        #         Action:
        #           - ssm:SendCommand
        #         Resource: '*'
        - PolicyName: allowBackupJob
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - backup:StartBackupJob
                Resource:
                  # Scoped to the vault created above; the commented-out line allows any vault
                  # - !Sub arn:aws:backup:${AWS::Region}:${AWS::AccountId}:backup-vault:*
                  - !GetAtt MyBackupVault.BackupVaultArn
              - Effect: Allow
                Action:
                  - iam:PassRole
                Resource:
                  - !GetAtt MyBackupRole.Arn
  executeEc2BackupStateMachine:
    Type: AWS::StepFunctions::StateMachine
    Properties:
      RoleArn: !GetAtt SMRole.Arn
      Definition:
        StartAt: StartBackupJob
        States:
          StartBackupJob:
            Type: Task
            Resource: arn:aws:states:::aws-sdk:backup:startBackupJob
            Parameters:
              BackupVaultName: !Ref MyBackupVault
              IamRoleArn: !GetAtt MyBackupRole.Arn
              ResourceArn: !Ref Ec2Arn
            End: true
Below is an example of the StateMachine that gets created.
Since the template contains a few extra comments, here is a brief explanation of each resource.
Backup role
MyBackupRole:
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Effect: Allow
          Principal:
            Service:
              - backup.amazonaws.com
          Action:
            - 'sts:AssumeRole'
    Path: /
    ManagedPolicyArns:
      - arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup
      # - arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForRestores
- In the Step Functions role (SMRole), the inline policy allowBackupJob covers the following:
  - permission to pass the backup role created above (iam:PassRole)
  - StartBackupJob permission on the BackupVault created at the top of the template
  - if you want to allow any BackupVault, use the commented-out Resource line instead
- The commented-out allowSsm policy allows Systems Manager's SendCommand; I assume you would want it to "run scripts before and after the backup to stop and start services".
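As an added example (not part of the original post), here is a small Python check for whether the Step Functions role's policy is scoped the way the template does it: backup:StartBackupJob limited to one vault ARN and iam:PassRole limited to the backup role. The two policy documents are constructed by hand; the region, account id and role name are placeholders.

```python
import re
from fnmatch import fnmatchcase

# Expected resource shape per action the Step Functions role needs (assumption:
# the single-vault setup of the template above). A Resource that does not match,
# such as '*' or '...:backup-vault:*', is reported as over-broad.
EXPECTED_SCOPE = {
    "backup:startbackupjob": re.compile(r"arn:aws:backup:[a-z0-9-]+:\d{12}:backup-vault:[^*?]+"),
    "iam:passrole": re.compile(r"arn:aws:iam::\d{12}:role/[^*?]+"),
}

def _as_list(value):
    """IAM accepts either a string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]

def find_overbroad(policy_doc):
    """Return (action, resource) pairs granting more than the template requires."""
    findings = []
    for stmt in _as_list(policy_doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        # IAM action names are case-insensitive and may contain wildcards.
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        for expected, pattern in EXPECTED_SCOPE.items():
            if not any(fnmatchcase(expected, a) for a in actions):
                continue
            for resource in _as_list(stmt.get("Resource", "*")):
                if not pattern.fullmatch(resource):
                    findings.append((expected, resource))
    return findings

# Constructed sample: allowBackupJob with its !GetAtt references resolved. Region,
# account id (123456789012) and role name are placeholders, not values from the post.
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["backup:StartBackupJob"],
     "Resource": ["arn:aws:backup:ap-northeast-1:123456789012:backup-vault:for-stepfunctions"]},
    {"Effect": "Allow", "Action": ["iam:PassRole"],
     "Resource": ["arn:aws:iam::123456789012:role/MyBackupRole"]},
]}

# Constructed sample: the commented-out "any vault" Resource plus an unscoped PassRole.
BROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "backup:*",
     "Resource": "arn:aws:backup:ap-northeast-1:123456789012:backup-vault:*"},
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
]}
```

Running find_overbroad over the scoped policy returns nothing, while the broad variant reports both the wildcard vault and the unscoped PassRole.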
State
The single state defined in Step Functions to run the on-demand backup is as follows.
States:
  StartBackupJob:
    Type: Task
    Resource: arn:aws:states:::aws-sdk:backup:startBackupJob
    Parameters:
      BackupVaultName: !Ref MyBackupVault
      IamRoleArn: !GetAtt MyBackupRole.Arn
      ResourceArn: !Ref Ec2Arn
    End: true
The parameters of backup:startBackupJob are documented here:
https://docs.aws.amazon.com/aws-backup/latest/devguide/API_StartBackupJob.html
Conclusion
This time we looked at the permissions involved, using AWS Backup driven from Step Functions as the example. AWS Backup can also take backups through its own scheduling feature, but when you need additional processing before or after the backup, the Step Functions approach in this article may serve as a reference. I hope it is helpful.