CloudBerry Backup with AWS IAM Users for Amazon Glacier

CloudBerry Backup and CloudBerry Explorer let you use the Amazon Identity and Access Management (IAM) service, which allows you to create multiple users for one AWS account and specify access rights for each user.
Below is a brief guide on how to:

  • Use CloudBerry Explorer to configure multiple users with limited access to an Amazon Glacier account
  • Generate individual Access and Secret Keys for each user in CloudBerry Explorer
  • Configure CloudBerry Backup to use an AWS IAM user account

Use CloudBerry Explorer PRO to create an AWS IAM user. You can download a fully functional trial version here; it is free for 15 days.

To start, you’ll need an Amazon Web Services account configured in CloudBerry Explorer. You can learn how to do that in our blog.

Once an Amazon Glacier account is configured in CloudBerry Explorer, you can start creating your IAM user. Follow the steps below:

Step 1. Open CloudBerry Explorer PRO, go to “Access Manager (IAM)” and click “Access Manager”.

Step 2. Select an Amazon Glacier account you are going to work with.

Step 3. Create an IAM user by clicking the New User... button on the toolbar.

Type a username and click OK.

Note: you can create a group and use a group policy for every new user by assigning the user to the group (use the New Group... toolbar button to create a group).

Step 4. Set up permissions for the IAM user. Click the New Policy... toolbar button.

Specify a policy name and, from the drop-down list, select the IAM user you would like to apply the policy to.

Note: if you want to create a policy for a group, select Group in the "Apply policy to" options.

To specify a policy script, click the Policy Script tab and paste the following policy there:

{
  "Statement": [
    {
      "Effect": "Allow",
      "NotAction": "glacier:DeleteVault",
      "Resource": "arn:aws:glacier:YOURREGION:XXXXXXXXXXXX:vaults/YOURVAULT",
      "Condition": {}
    },
    {
      "Effect": "Allow",
      "Action": "glacier:*",
      "Resource": "arn:aws:glacier:YOURREGION:XXXXXXXXXXXX:vaults/YOURVAULT/*",
      "Condition": {}
    },
    {
      "Effect": "Allow",
      "Action": "glacier:ListVaults",
      "Resource": "arn:aws:glacier:*:XXXXXXXXXXXX:vaults/*",
      "Condition": {}
    }
  ]
}

These are the minimum permissions required for backup/restore using CloudBerry Backup: the policy grants your IAM user read/write access to a specific vault.

Note: to get the ARN of your vault (arn:aws:glacier:YOURREGION:XXXXXXXXXXXX:vaults/YOURVAULT), right-click the vault in the left or right pane of CloudBerry Explorer and select Properties. The Vault ARN is shown there, and you can copy it from that window.

Click OK to create a policy.
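
One way to fill in the policy from Step 4 from a copied Vault ARN and review what it grants before pasting it into the Policy Script tab. This is an added example, not CloudBerry's code; the sample ARN is constructed, and the function names and finding labels are assumptions made for the illustration.

```python
import json
import re

# Vault ARN layout from the page: arn:aws:glacier:REGION:ACCOUNT:vaults/NAME
VAULT_ARN = re.compile(r"^arn:aws:glacier:([a-z0-9-]+):(\d{12}):vaults/([A-Za-z0-9._-]+)$")
PLACEHOLDERS = ("YOURREGION", "XXXXXXXXXXXX", "YOURVAULT")
SAMPLE_ARN = "arn:aws:glacier:us-east-1:123456789012:vaults/backup-vault"  # constructed

def build_policy(vault_arn):
    """Fill the page's three-statement policy from a copied Vault ARN."""
    arn = vault_arn.strip()
    m = VAULT_ARN.match(arn)
    if not m:
        raise ValueError("not a Glacier vault ARN: %r" % vault_arn)
    all_vaults = "arn:aws:glacier:*:%s:vaults/*" % m.group(2)
    return {"Statement": [
        {"Effect": "Allow", "NotAction": "glacier:DeleteVault",
         "Resource": arn, "Condition": {}},
        {"Effect": "Allow", "Action": "glacier:*",
         "Resource": arn + "/*", "Condition": {}},
        {"Effect": "Allow", "Action": "glacier:ListVaults",
         "Resource": all_vaults, "Condition": {}},
    ]}

def as_list(value):
    """IAM accepts a string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value)

def review(policy):
    """Return (statement index, finding) pairs to look at before pasting."""
    findings = []
    for i, st in enumerate(policy["Statement"]):
        if any(p in r for r in as_list(st.get("Resource", [])) for p in PLACEHOLDERS):
            findings.append((i, "placeholder"))
        if st.get("Effect") == "Allow" and "NotAction" in st:
            # Allow + NotAction permits every action except the listed ones
            # on the matching resources, so the grant is implicit, not itemised.
            findings.append((i, "allow-notaction"))
        if any(a.endswith("*") for a in as_list(st.get("Action", []))):
            findings.append((i, "wildcard-action"))
    return findings

if __name__ == "__main__":
    policy = build_policy(SAMPLE_ARN)
    print(json.dumps(policy, indent=2))
    for index, finding in review(policy):
        print("statement %d: %s" % (index, finding))
```

For the policy on this page, the review reports statement 0 (Allow with NotAction) and statement 1 (glacier:*), and it reports "placeholder" for any statement where YOURREGION, XXXXXXXXXXXX or YOURVAULT was left unreplaced.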

Step 5. Once these steps are completed, create Access and Secret Keys for the user so that it can back up with CloudBerry Backup.

Creating Access Keys

1.  In IAM Manager, right-click your IAM user and select Manage Access Keys.

2.  In the window that opens, click “Create”. An Access Key and Secret Key for your IAM user will be generated automatically.

3.  Copy your credentials to the clipboard or save them to a file.

Applying IAM keys to CloudBerry Backup

1.  Open CloudBerry Backup. In the “File” menu, choose the “Amazon Glacier” account.

2.  Create a new account or edit an existing one.

3.  In the window that opens, enter the previously created Access and Secret Keys, then open the drop-down list of vaults and select the one you have been granted access to.

4.  Your CloudBerry Backup user now has access, with the configured permissions, only to the specified location in your Amazon Glacier account.