Rather than entering IAM user credentials into the KOTS admin console, you can attach an IAM role to the EC2 instance directly through an instance profile. Below, you will find detailed steps and screenshots for your guidance.
- Create an AWS S3 bucket (for example: arn:aws:s3:::velero-aws-s3-test). Make sure you have chosen Server-side encryption with Amazon S3 managed keys (SSE-S3).
- Create an IAM policy (velero-aws-s3-test) that allows access to the specific S3 bucket (velero-aws-s3-test).
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "s3:ListAccessPointsForObjectLambda",
          "s3:GetAccessPoint",
          "s3:PutAccountPublicAccessBlock",
          "s3:ListAccessPoints",
          "s3:CreateStorageLensGroup",
          "s3:ListJobs",
          "s3:PutStorageLensConfiguration",
          "s3:ListMultiRegionAccessPoints",
          "s3:ListStorageLensGroups",
          "s3:ListStorageLensConfigurations",
          "s3:GetAccountPublicAccessBlock",
          "s3:ListAllMyBuckets",
          "s3:ListAccessGrantsInstances",
          "s3:PutAccessPointPublicAccessBlock",
          "s3:CreateJob"
        ],
        "Resource": "*"
      },
      {
        "Effect": "Allow",
        "Action": "s3:*",
        "Resource": [
          "arn:aws:s3:::velero-aws-s3-test",
          "arn:aws:s3:::velero-aws-s3-test/*"
        ]
      }
    ]
  }
- Create an IAM role named velero. Make sure its trust relationship is:
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "Service": "ec2.amazonaws.com"
        },
        "Action": "sts:AssumeRole"
      }
    ]
  }
- Attach the IAM policy (velero-aws-s3-test) to the role.
- Create an EC2 instance with the instance profile (velero).
- Finally, in the KOTS snapshot settings, configure Velero to use the "Use IAM Role" option.
- Now you can take a snapshot. A successful one should look like this:
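
The IAM policy in the second step grants s3:* on the bucket and several account-wide write actions on "Resource": "*". As an added example (not part of the original article), this Python lint flags those grants and builds a bucket-scoped alternative. The NEEDED action set is an assumption based on the velero-plugin-for-aws README, so test it in your environment before replacing the policy above.

```python
# Added example: lint an IAM policy for grants wider than the one backup bucket.
BUCKET = "velero-aws-s3-test"  # bucket name used on this page

# Assumption: object-store actions taken from the velero-plugin-for-aws README;
# confirm against the plugin version you run before tightening the policy.
NEEDED = {
    f"arn:aws:s3:::{BUCKET}": ["s3:ListBucket"],
    f"arn:aws:s3:::{BUCKET}/*": [
        "s3:AbortMultipartUpload", "s3:DeleteObject", "s3:GetObject",
        "s3:ListMultipartUploadParts", "s3:PutObject"],
}

# The page's policy as a dict (statement 0 is account-wide, 1 is the bucket).
PAGE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": [
        "s3:ListAccessPointsForObjectLambda", "s3:GetAccessPoint",
        "s3:PutAccountPublicAccessBlock", "s3:ListAccessPoints",
        "s3:CreateStorageLensGroup", "s3:ListJobs",
        "s3:PutStorageLensConfiguration", "s3:ListMultiRegionAccessPoints",
        "s3:ListStorageLensGroups", "s3:ListStorageLensConfigurations",
        "s3:GetAccountPublicAccessBlock", "s3:ListAllMyBuckets",
        "s3:ListAccessGrantsInstances", "s3:PutAccessPointPublicAccessBlock",
        "s3:CreateJob"]},
    {"Effect": "Allow", "Action": "s3:*", "Resource": [
        f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"]},
]}

def as_list(value):  # IAM accepts a bare string where a list is expected
    return value if isinstance(value, list) else [value]

def audit(policy):
    """Return (statement index, finding, action) for every over-broad Allow."""
    findings = []
    for idx, stmt in enumerate(as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        all_resources = "*" in as_list(stmt.get("Resource", []))
        for action in as_list(stmt.get("Action", [])):
            if "*" in action:
                findings.append((idx, "wildcard-action", action))
            elif all_resources and not action.startswith(("s3:Get", "s3:List")):
                findings.append((idx, "write-on-all-resources", action))
    return findings

def least_privilege():
    """Build a policy that allows only the NEEDED actions on the one bucket."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": acts, "Resource": res}
        for res, acts in NEEDED.items()]}
```

Calling audit(PAGE_POLICY) returns six findings: five write actions allowed on every resource, and the s3:* wildcard on the bucket; audit(least_privilege()) returns none.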