Credentials - IAM Role

Use the following Helm values if you intend to have Velero store its backups and volume snapshots in an AWS S3 bucket that is configured to allow access through an IAM role rather than static access keys.

# Velero plugin to use (since we are backing up to AWS S3 or MinIO, we are using the AWS plugin).
initContainers:
  - name: velero-plugin-for-aws
    image: velero/velero-plugin-for-aws:v1.1.0
    imagePullPolicy: IfNotPresent
    volumeMounts:
      - mountPath: /target
        name: plugins

## Parameters for the `default` BackupStorageLocation and VolumeSnapshotLocation,
## and additional server settings.
##
configuration:
  # Cloud provider being used (e.g. aws, azure, gcp).
  provider: aws

  # Parameters for the `default` BackupStorageLocation. See
  # https://velero.io/docs/v1.0.0/api-types/backupstoragelocation/
  backupStorageLocation:
    # Cloud provider where backups should be stored. Usually should
    # match `configuration.provider`. Required.
    name: aws
    # Provider for the backup storage location. If omitted
    # `configuration.provider` will be used instead.
    provider:
    # Bucket to store backups in. Required.
    bucket: velero-backups
    # Prefix within bucket under which to store backups. Optional.
    prefix:
    # Additional provider-specific configuration. See link above
    # for details of required/optional fields for your provider.
    config:
      region: us-east-1


  # Parameters for the `default` VolumeSnapshotLocation. See
  # https://velero.io/docs/v1.0.0/api-types/volumesnapshotlocation/
  volumeSnapshotLocation:
    # Cloud provider where volume snapshots are being taken. Usually
    # should match `configuration.provider`. Required.
    name: aws
    # Provider for the volume snapshot location. If omitted
    # `configuration.provider` will be used instead.
    provider:
    # Additional provider-specific configuration. See link above
    # for details of required/optional fields for your provider.
    config:
      region: us-east-1


serviceAccount:
  server:
    create: true
    name: velero-demo
    annotations:

# Info about the secret to be used by the Velero deployment, which
# should contain credentials for the cloud provider IAM account you've
# set up for Velero.
credentials:
  # Whether a secret should be used as the source of IAM account
  # credentials. Set to false if, for example, using kube2iam or
  # kiam to provide IAM credentials for the Velero pod.
  useSecret: false

# Whether to deploy the restic daemonset.
deployRestic: false

# Automatic backup of the cluster every hour, retained for 240 hours (10 days).
schedules:
  mybackup:
    schedule: "0 * * * *"
    template:
      ttl: "240h"
      storageLocation: aws

Configure IAM Policy

If using IAM roles, create an IAM policy and attach it to the worker node role of the cluster. This ensures that Velero can reach the S3 bucket to back up resources and can manage EBS snapshots. Note that a policy attached to the node role is reachable by every pod scheduled on those nodes via the instance metadata service, not only by Velero; if that is too broad, the kube2iam or kiam option referenced under `credentials.useSecret` above scopes the role to the Velero pod. Replace `velero-backups` in the resource ARNs with the bucket named in `configuration.backupStorageLocation.bucket`.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeVolumes",
                "ec2:DescribeSnapshots",
                "ec2:CreateTags",
                "ec2:CreateVolume",
                "ec2:CreateSnapshot",
                "ec2:DeleteSnapshot"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:DeleteObject",
                "s3:PutObject",
                "s3:AbortMultipartUpload",
                "s3:ListMultipartUploadParts"
            ],
            "Resource": [
                "arn:aws:s3:::velero-backups/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::velero-backups"
            ]
        }
    ]
}
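As an added check that is not part of the original page: a small Python helper (function names are my own) that regenerates the policy above from the bucket set in `configuration.backupStorageLocation.bucket` and flags any S3 statement that names a different bucket or all buckets, so the Helm values and the node role policy stay in sync.

```python
import json

# Actions Velero needs, exactly as listed in the policy on this page.
EC2_ACTIONS = ["ec2:DescribeVolumes", "ec2:DescribeSnapshots", "ec2:CreateTags",
               "ec2:CreateVolume", "ec2:CreateSnapshot", "ec2:DeleteSnapshot"]
S3_OBJECT_ACTIONS = ["s3:GetObject", "s3:DeleteObject", "s3:PutObject",
                     "s3:AbortMultipartUpload", "s3:ListMultipartUploadParts"]
ARN_PREFIX = "arn:aws:s3:::"


def velero_iam_policy(bucket: str) -> dict:
    """Build the page's policy with both S3 statements scoped to `bucket`."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": EC2_ACTIONS, "Resource": "*"},
            {"Effect": "Allow", "Action": S3_OBJECT_ACTIONS,
             "Resource": [f"{ARN_PREFIX}{bucket}/*"]},   # object-level actions
            {"Effect": "Allow", "Action": ["s3:ListBucket"],
             "Resource": [f"{ARN_PREFIX}{bucket}"]},     # bucket-level action
        ],
    }


def check_s3_scope(policy: dict, bucket: str) -> list:
    """Return findings for S3 statements that are not scoped to `bucket`.

    A resource of "*" (or an S3 ARN whose bucket part is "*") grants the
    actions on every bucket the account can see; a different bucket name
    usually means the values file and the policy drifted apart.
    """
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(a.startswith("s3:") for a in actions):
            continue  # EC2 snapshot statements are out of scope for this check
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        for res in resources:
            name = res[len(ARN_PREFIX):].split("/", 1)[0] if res.startswith(ARN_PREFIX) else "*"
            if name in ("", "*"):
                findings.append(f"statement {i}: S3 actions granted on all buckets ({res})")
            elif name != bucket:
                findings.append(f"statement {i}: {res} is not bucket {bucket}")
    return findings


if __name__ == "__main__":
    policy = velero_iam_policy("velero-backups")       # bucket from the values above
    print(json.dumps(policy, indent=4))
    # Constructed drift case: the values file was later changed to another bucket.
    print(check_s3_scope(policy, "velero-prod"))
```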

Attach IAM Policy

If using IAM roles, find the worker node role corresponding to the cluster you need to back up and attach the above policy to that role.