Creating an AWS Key Pair
If you want to use AWS with Arq, The easiest way to get started is to create a “root” key pair.
- Go to the AWS Console and log in.
- Click on your name at the top right and click “My Security Credentials” in the drop-down menu.
- Click the triangle next to “Access Keys” to expand it.
- Click “Create New Access Key”. Then click “Show Access Key” in the pop-up window to see the key pair you just created.
- Use that key pair when adding a storage location in Arq.
AWS IAM
If you want to avoid using a “root” key pair, create an IAM user.
Here’s an example policy for an S3 bucket named “myarqbucket”:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::myarqbucket",
"arn:aws:s3:::myarqbucket/*"
]
},
{
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "arn:aws:s3:::*"
}
]
}
If your backup set includes backup records created by Arq 3 and stored in Glacier “vaults”, you’ll also need permission to access the Glacier data and create SQS queues and SNS notifications, like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::myarqbucket",
"arn:aws:s3:::myarqbucket/*"
]
},
{
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": [
"glacier:ListTagsForVault",
"glacier:ListJobs",
"glacier:InitiateJob",
"glacier:GetJobOutput",
"glacier:DescribeVault",
"glacier:DescribeJob"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "sns:*",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "sqs:*",
"Resource": "*"
}
]
}