Tech ONTAP Blogs

BlueXP Backup and Recovery July 2024 Release

jacoba
NetApp

 

BlueXP Backup and Recovery Integration with AWS IAM Roles Anywhere

 

With the July 2024 release, the BlueXP Backup and Recovery service adds support for the AWS IAM Roles Anywhere service in Technology Preview mode. This applies to backing up Cloud Volumes ONTAP to AWS and to backing up on-premises ONTAP data to AWS.

What is AWS IAM Roles Anywhere?

 

IAM Roles Anywhere enables secure interaction between your external applications and AWS APIs by using IAM roles, in the same way that workloads running directly on AWS use IAM roles. The service issues temporary credentials to your on-premises infrastructure, including servers, containers, and other compute environments. By adopting IAM Roles Anywhere, you eliminate the need for long-term AWS access keys and secret keys. This improves security by reducing the risk of long-term credential exposure, and it simplifies the operational management of credentials, including rotation and maintenance. This document is a step-by-step guide to deploying IAM Roles Anywhere (IAMRA) and accessing AWS S3 for ONTAP backup and recovery using BlueXP.

 


Advantages:

  1. Integration with Enterprise PKI: IAM Roles Anywhere integrates with your existing enterprise public key infrastructure (PKI) or with AWS Private Certificate Authority. You authenticate with industry-standard X.509 certificates.
  2. Temporary Credentials: Your non-AWS workloads (such as servers, containers, and applications) can use the same IAM policies and roles you use within AWS. These workloads receive automatically rotating, short-lived credentials, reducing reliance on long-term credentials.
  3. Anywhere Access: Whether on-premises, hybrid, or multi-cloud, IAM Roles Anywhere grants secure access to AWS services and resources.
  4. Operational Efficiency: By eliminating the need to manage long-term credentials, you reduce operational complexity and cost.

 

How Do I Configure AWS IAM Roles Anywhere?

 


 

Step 1: Create an AWS Private Certificate Authority

Establish a certificate authority to issue certificates for your resources.

 

Step 2: Create a Trust Anchor

Generate a trust anchor (the root certificate) for your certificate authority and register it with IAM Roles Anywhere.

 

Step 3: Create a Role with a Trust Policy

Configure the trust policy of the created role for Roles Anywhere. This allows workloads that have authenticated through the Roles Anywhere trust anchor to assume the role.

 

Step 4: Configure a Profile

Create a profile that applies your roles to a role session policy. The profile's permissions are enforced on the role session when one or more roles are assumed by your non-AWS workload.

 

Step 5: Generate a Private Certificate

Generate the private certificate and key (certificate.pem and private_key.pem) for your role.

 

Step 6: Use the AWS Signing Helper to get session tokens

Use the signing helper to acquire temporary security credentials. Your external applications or compute platforms request that AWS let them assume the IAM role. As part of this request, they provide the necessary identity verification information, such as the certificate issued by your trusted certificate authority.

 

Step 7: Use session credentials to get access to AWS resources

Upon successful verification of the identity, AWS issues short-term credentials to the application. These credentials consist of an access key ID, a secret access key, and a session token, which the application uses to authenticate requests to AWS services.

 

Step 8: Manage Credential Lifecycle

The short-term credentials have a limited lifetime, so your application or management tools must handle the lifecycle of these credentials. This includes monitoring credential expiration and automatically requesting new credentials as needed.
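The trust policy in Step 3 is where most of the security of this setup lives: a role that trusts rolesanywhere.amazonaws.com without a condition on the trust anchor can be assumed by any trust anchor in the account. The following added example (it is not code from the original post or from NetApp) builds a trust policy pinned to one trust anchor, optionally pins the certificate's subject CN as well, and lints an existing policy for the missing or wildcard condition. The statement shape follows the AWS IAM Roles Anywhere documentation; the ARNs and the CN value are constructed placeholders.

```python
"""Build and lint an IAM role trust policy for IAM Roles Anywhere (Step 3).

Added example, not from the original post or from NetApp. The statement shape
(principal rolesanywhere.amazonaws.com, the three sts:* actions and the
aws:SourceArn condition on the trust anchor) follows the AWS Roles Anywhere
documentation; the ARNs used below are constructed placeholders.
"""
import json

ROLES_ANYWHERE_SERVICE = "rolesanywhere.amazonaws.com"
ROLES_ANYWHERE_ACTIONS = ["sts:AssumeRole", "sts:TagSession", "sts:SetSourceIdentity"]


def build_trust_policy(trust_anchor_arn, subject_cn=None):
    """Return a trust policy that only a workload authenticated through
    `trust_anchor_arn` can use; optionally also pin the certificate's CN."""
    condition = {"ArnEquals": {"aws:SourceArn": trust_anchor_arn}}
    if subject_cn:
        # Roles Anywhere exposes X.509 subject fields as session principal tags.
        condition["StringEquals"] = {"aws:PrincipalTag/x509Subject/CN": subject_cn}
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": ROLES_ANYWHERE_SERVICE},
            "Action": list(ROLES_ANYWHERE_ACTIONS),
            "Condition": condition,
        }],
    }


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_trust_policy(policy):
    """Return findings for Allow statements that let *any* Roles Anywhere
    trust anchor assume the role (aws:SourceArn missing or wildcarded)."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if ROLES_ANYWHERE_SERVICE not in services:
            continue
        condition = stmt.get("Condition", {})
        source_arns = []
        for operator in ("ArnEquals", "ArnLike", "StringEquals", "StringLike"):
            source_arns += _as_list(condition.get(operator, {}).get("aws:SourceArn"))
        if not source_arns:
            findings.append(f"statement {idx}: no aws:SourceArn condition, so any "
                            "trust anchor in the account can assume this role")
        elif any(arn == "*" or arn.endswith("trust-anchor/*") for arn in source_arns):
            findings.append(f"statement {idx}: aws:SourceArn is a wildcard and does "
                            "not pin a specific trust anchor")
    return findings


def to_cli_document(policy):
    """JSON ready for: aws iam create-role --assume-role-policy-document file://trust.json"""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    # Placeholder ARN in the same form the post uses for the signing helper.
    policy = build_trust_policy("arn:aws:rolesanywhere:region:account:trust-anchor/TA_ID",
                                subject_cn="bluexp-connector")
    print(to_cli_document(policy))
    print("findings:", lint_trust_policy(policy))
```

Run `lint_trust_policy` over the trust policy of every role you attach to a Roles Anywhere profile; a finding means the role's trust boundary is the whole account rather than your certificate authority.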

 

BlueXP Backup and Recovery Integration with AWS IAM Roles Anywhere

 


 

This section describes how BlueXP Backup and Recovery integrates with AWS IAM Roles Anywhere.

 

1. Set Up Trust and Roles:

  • Create the trust anchor, appropriate roles for IAM Roles Anywhere, and a profile in your AWS account.

2. Deploy the BlueXP Connector:

  • Install the BlueXP connector in your on-premise data center.
  • Create a folder named “/root/netapp/cbs-iamra” on the connector host for IAM Roles Anywhere deployment.

3. Create Additional Folders:

  • Also create “/root/.aws/credential” (see the commands below).

 

> cd /root
> mkdir netapp
> cd netapp
> mkdir cbs-iamra
> mkdir -p /root/.aws
> touch /root/.aws/credential

Make sure the directory /root/netapp/cbs-iamra/ exists, and that the file /root/.aws/credential exists.

 

 

 

4. Ensure CBS Container Access:

  • Edit the config.json file in the “/opt/application/netapp/service-manager-2” folder to include the necessary entry to make sure that the “/root/netapp/cbs-iamra” folder is accessible within the CBS container.

 

"composeOverrides": {
  "cloudmanager_cbs": [
    {
      "property": "volumes",
      "value": [
        "/var/run:/var/run",
        "/etc/hosts:/etc/hosts",
        "/root/netapp/cbs-iamra:/opt/netapp/cbs/server/cbs-iamra",
        "/tmp:/opt/netapp/shared:rshared"
      ]
    }
  ]
}

 

 

 

5. Prepare for Certificate Issuance:

  • Create an “iamra.json” file under the “/root/netapp/cbs-iamra” folder.
  • Restart the BlueXP Backup and Recovery container.

 

> cd /root/netapp/cbs-iamra

> touch iamra.json

> docker restart cloudmanager_cbs

 

 

6. Issue a Private Certificate:

  • Use the “aws acm-pca” command with the "issue-certificate" parameter to create a private certificate. The --csr parameter takes the certificate signing request created from the private key generated earlier (Step 5 above).
  • The command returns the ARN of the issued certificate.

 

aws acm-pca issue-certificate \
      --validity Type=DAYS,Value=10 \
      --signing-algorithm "SHA256WITHRSA" \
      --csr fileb://csr.pem \
      --template-arn arn:aws:acm-pca:::template/EndEntityCertificate_APIPassthrough/V1 \
      --certificate-authority-arn arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566

Response:

{
   "CertificateArn":"arn:aws:acm-pca:region:account:certificate-authority/CA_ID/certificate/certificate_ID"
} 

 

 

Download the certificate locally using the appropriate command.

 

aws acm-pca get-certificate \
      --certificate-authority-arn arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566 \
      --certificate-arn arn:aws:acm-pca:region:account:certificate-authority/CA_ID/certificate/certificate_ID | \
      jq -r '.Certificate' > cert.pem

 

 

Make sure that the two generated files (the certificate and its private key) are stored in the “/root/netapp/cbs-iamra” folder.

 

7. Manage Certificate Renewal:

  • Create certificate renewal scripts that generate a new certificate and private key shortly before the current certificate expires.

 

8. Install aws_signing_helper:

  • Download and install the “aws_signing_helper” package in the “/root/netapp/cbs-iamra” folder.
  • This utility obtains temporary security credentials from AWS IAM Roles Anywhere. The helper creates a signature with the certificate and calls the Roles Anywhere endpoint to obtain session credentials; it returns the credentials to the calling process in a standard JSON format.

 

Install the package in /root/netapp/cbs-iamra/:

> cd /root/netapp/cbs-iamra
> wget https://rolesanywhere.amazonaws.com/releases/1.1.1/X86_64/Linux/aws_signing_helper
> chmod +x aws_signing_helper

> sudo apt-get install unzip

Install the AWS CLI:

> curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
> unzip awscliv2.zip
> sudo ./aws/install

> sudo apt-get install jq

 

 

 

9. Generate Access Credentials:

  • Use aws_signing_helper to generate the required access key ID, secret access key, and session token.

 

$ ./aws_signing_helper credential-process \
      --certificate /path/to/certificate \
      --private-key /path/to/private-key \
      --trust-anchor-arn arn:aws:rolesanywhere:region:account:trust-anchor/TA_ID \
      --profile-arn arn:aws:rolesanywhere:region:account:profile/PROFILE_ID \
      --role-arn arn:aws:iam::account:role/role-name-with-path

Output:

{
    "Version": 1,
    "AccessKeyId": String,
    "SecretAccessKey": String,
    "SessionToken": String,
    "Expiration": Timestamp
}

 

 

  • --certificate (string): Path to the certificate file.
  • --endpoint (string): The IAM Roles Anywhere endpoint for the region. For a list of endpoints, see Service endpoints and quotas.
  • --region (string): Signing region.
  • --private-key (string): Path to the private key file.
  • --profile-arn (string): Profile to pull policies from.
  • --role-arn (string): Target role to assume.
  • --trust-anchor-arn (string): Trust anchor to use for authentication.

 

10. Token Management:

  • Create scripts that generate a new token before the current one expires.

11. Scheduled Tasks:

  • Set up a cron job that executes the certificate and token generation scripts at appropriate intervals.

12. Ready to Go:

  • With these steps completed, you can use the BlueXP Backup and Recovery service with IAM Roles Anywhere integration.
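Steps 9 to 11 leave the renewal script itself to the reader. The following added example (not code from the original post or from NetApp) is one way to write it: it runs the signing helper with the flags listed above, caches the helper's JSON output, checks the Expiration field against a renewal lead time, and rewrites the credentials file with mode 0600 only when the session is about to expire, so it is safe to call from cron every few minutes. The paths /root/netapp/cbs-iamra and /root/.aws/credential come from the post; the session cache file name, the 15-minute lead time, the "default" profile name and the placeholder ARNs are assumptions made for this example.

```python
"""Refresh IAM Roles Anywhere session credentials before they expire (steps 9 to 11).

Added example, not from the original post or from NetApp. Assumes the
aws_signing_helper binary, certificate and private key live in
/root/netapp/cbs-iamra and the credentials file is /root/.aws/credential
(paths from the post). The session cache name, the 15-minute renewal lead
time and the "default" profile name are this example's own assumptions.
"""
import configparser
import io
import json
import os
import subprocess
from datetime import datetime, timedelta, timezone
from pathlib import Path

IAMRA_DIR = Path("/root/netapp/cbs-iamra")
CREDENTIAL_FILE = Path("/root/.aws/credential")
SESSION_CACHE = IAMRA_DIR / "session.json"   # assumed name; caches the helper output
LEAD_TIME = timedelta(minutes=15)            # renew this long before Expiration


def parse_expiration(value):
    """Parse the RFC 3339 Expiration the helper prints (e.g. 2024-07-18T10:15:30Z)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def needs_refresh(expiration, now=None, lead=LEAD_TIME):
    """True when the session expires within `lead` (or has already expired)."""
    now = now or datetime.now(timezone.utc)
    return expiration - now <= lead


def fetch_credentials(helper, certificate, private_key, trust_anchor_arn,
                      profile_arn, role_arn, runner=subprocess.run):
    """Run `aws_signing_helper credential-process` and return its parsed JSON."""
    cmd = [str(helper), "credential-process",
           "--certificate", str(certificate),
           "--private-key", str(private_key),
           "--trust-anchor-arn", trust_anchor_arn,
           "--profile-arn", profile_arn,
           "--role-arn", role_arn]
    result = runner(cmd, capture_output=True, text=True, check=True)
    creds = json.loads(result.stdout)
    missing = [k for k in ("AccessKeyId", "SecretAccessKey", "SessionToken", "Expiration")
               if k not in creds]
    if missing:
        raise ValueError(f"helper output is missing {missing}")
    return creds


def _write_private(path, text):
    """Create or overwrite `path` with mode 0600 so the secret is not world-readable."""
    path.parent.mkdir(parents=True, exist_ok=True)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.chmod(path, 0o600)


def write_credential_file(creds, path=CREDENTIAL_FILE, profile="default"):
    """Write the session in AWS shared-credentials format, keeping other profiles."""
    config = configparser.ConfigParser()
    if path.exists():
        config.read(path)
    config[profile] = {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
    }
    buf = io.StringIO()
    config.write(buf)
    _write_private(path, buf.getvalue())


def cached_expiration(cache=SESSION_CACHE):
    """Expiration of the last fetched session, or None if nothing usable is cached."""
    if not cache.exists():
        return None
    try:
        return parse_expiration(json.loads(cache.read_text())["Expiration"])
    except (ValueError, KeyError):
        return None


def refresh_if_needed(fetch, credential_file=CREDENTIAL_FILE, cache=SESSION_CACHE, now=None):
    """Cron entry point: fetch a new session only when the cached one is near expiry.
    Returns True when new credentials were written."""
    expiration = cached_expiration(cache)
    if expiration is not None and not needs_refresh(expiration, now):
        return False
    creds = fetch()
    _write_private(cache, json.dumps(creds))
    write_credential_file(creds, credential_file)
    return True


if __name__ == "__main__":
    # Placeholder ARNs in the form the post uses; replace them with your own.
    def fetch():
        return fetch_credentials(
            IAMRA_DIR / "aws_signing_helper", IAMRA_DIR / "certificate.pem",
            IAMRA_DIR / "private_key.pem",
            "arn:aws:rolesanywhere:region:account:trust-anchor/TA_ID",
            "arn:aws:rolesanywhere:region:account:profile/PROFILE_ID",
            "arn:aws:iam::account:role/role-name-with-path")
    print("refreshed" if refresh_if_needed(fetch) else "session still valid")
```

A cron entry such as `*/5 * * * * /usr/bin/python3 /root/netapp/cbs-iamra/refresh_session.py` (file name assumed) keeps the credentials file current without calling the Roles Anywhere endpoint on every run; the cache is what makes the script idempotent.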

 

FlexGroup folder or directory restore now available

 

Previously, FlexVol volumes could be restored, but you couldn't restore FlexGroup folders or directories. With ONTAP 9.15.1 p2, you can restore FlexGroup folders using the Browse and restore option.

With this release, support for FlexGroup folder restore is a technology preview.

How to use the FlexGroup folder restore in preview mode

 

The FlexGroup directory restore feature is disabled by default. It can be enabled by following the steps below.

 

Enable the feature by setting the flag:

 

  • Log in to the connector.
  • Run "sudo su".
  • Run "docker volume ls | grep cbs".
    • Output: local service-manager-2_cloudmanager_cbs_volume
  • The volume name differs between dark site and cloud deployments.
  • Obtain the mount point for the volume by executing "docker volume inspect service-manager-2_cloudmanager_cbs_volume | grep Mountpoint".
    • Output: "Mountpoint": "/var/lib/docker/volumes/service-manager-2_cloudmanager_cbs_volume/_data"
  • The mount point differs between cloud deployments and dark site/private deployments. In this example, it is a cloud deployment.
  • Change to the mount point directory obtained in the previous step: "cd /var/lib/docker/volumes/service-manager-2_cloudmanager_cbs_volume/_data".
  • Execute "cd cbs_config". The cbs_config directory already exists.
  • Create a config file as shown below, named development-customer.json, production-customer.json, or darksite-customer.json depending on the deployment environment.

 

{
    "feature-flags":
     {
        "flexgroup-volume-directory-restore" : true
     }
}
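The procedure above is manual and differs per deployment (the volume name and mount point change between cloud and dark site). The following added example (not code from the original post or from NetApp) automates it the same way: it picks the CBS volume name out of `docker volume ls` output, reads the mount point from the JSON that `docker volume inspect` prints, and merges the flag into the correct customer.json under cbs_config without discarding any feature flags already in that file. The volume name pattern, the cbs_config directory, the three file names and the flag name come from the post; the docker outputs in `__main__` are constructed samples.

```python
"""Enable the FlexGroup directory-restore feature flag on a BlueXP connector.

Added example, not from the original post or from NetApp. The volume name
pattern, the cbs_config directory, the three config file names and the flag
name come from the post; the functions parse the text that `docker volume ls`
and `docker volume inspect` print, and __main__ uses constructed samples.
"""
import json
from pathlib import Path

FLAG = "flexgroup-volume-directory-restore"
CONFIG_BY_ENV = {
    "development": "development-customer.json",
    "production": "production-customer.json",
    "darksite": "darksite-customer.json",
}


def find_cbs_volume(volume_ls_output):
    """Pick the CBS volume name from `docker volume ls` output (the post's `grep cbs`).
    Raises if zero or several volumes match rather than silently picking one."""
    names = []
    for line in volume_ls_output.splitlines():
        parts = line.split()
        if len(parts) >= 2 and "cbs" in parts[-1]:
            names.append(parts[-1])
    if len(names) != 1:
        raise LookupError(f"expected exactly one cbs volume, found {names}")
    return names[0]


def mountpoint_from_inspect(inspect_output, volume_name):
    """Return the Mountpoint for `volume_name` from `docker volume inspect` JSON."""
    for entry in json.loads(inspect_output):
        if entry.get("Name") == volume_name:
            return Path(entry["Mountpoint"])
    raise LookupError(f"volume {volume_name} not in inspect output")


def enable_directory_restore(mountpoint, environment, enabled=True):
    """Merge the flag into <mountpoint>/cbs_config/<env>-customer.json, keeping
    any flags already present, and return the resulting document."""
    config_dir = Path(mountpoint) / "cbs_config"
    if not config_dir.is_dir():
        raise FileNotFoundError(f"{config_dir} does not exist; is this the CBS volume?")
    path = config_dir / CONFIG_BY_ENV[environment]
    doc = {}
    if path.exists() and path.read_text().strip():
        doc = json.loads(path.read_text())
    flags = doc.setdefault("feature-flags", {})
    flags[FLAG] = enabled
    path.write_text(json.dumps(doc, indent=4) + "\n")
    return doc


if __name__ == "__main__":
    # Constructed samples of the two docker commands' output, matching the post.
    ls_sample = "DRIVER    VOLUME NAME\nlocal     service-manager-2_cloudmanager_cbs_volume\n"
    inspect_sample = json.dumps([{
        "Name": "service-manager-2_cloudmanager_cbs_volume",
        "Mountpoint": "/var/lib/docker/volumes/service-manager-2_cloudmanager_cbs_volume/_data",
    }])
    name = find_cbs_volume(ls_sample)
    mp = mountpoint_from_inspect(inspect_sample, name)
    if (mp / "cbs_config").is_dir():
        print(json.dumps(enable_directory_restore(mp, "production"), indent=4))
    else:
        print(f"detected mount point {mp}; run this on the connector to write the flag")
```

On the connector, feed the real command output in with `subprocess.run(["docker", "volume", "ls"], capture_output=True, text=True).stdout` and the equivalent for `docker volume inspect <name>`; the merge step is what keeps an existing customer.json intact, and the CBS container still has to be restarted for the flag to take effect.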

 

 

The following configurations are not supported:

 

  • FlexGroup to FlexVol directory restore
  • FlexVol to FlexGroup directory restore
  • Directory restore from local snapshots
  • Restoring directories that contain LUNs/vdisks: FlexGroup volumes do not support LUNs/vdisks today, so directory restore does not support them either.
  • Multiple simultaneous directory restores to the same volume

 

Restore volumes less than 1 GB

With this release, you can now restore volumes that you created in ONTAP that are less than 1 GB. The minimum volume size that you can create using ONTAP is 20 MB.

Tips on how to mitigate DataLock costs

The DataLock feature protects your backup files from being modified or deleted for a specified period of time. This is helpful to protect your files against ransomware attacks.

For details about DataLock and tips on how to mitigate the associated costs, refer to Backup-to-object policy settings.

 

Try It Out!

 

Now that you have read about this feature, we hope it entices you to go ahead and try out this new preview feature.

If you would like more information, contact us [John Andathethu, Jacob (Jacob.A@netapp.com), Shweta Datha (shweta.datha@netapp.com)] and we would be happy to answer your questions.

 

 

 

 

 

 

 

 
