
Using OSB Cloud Module with EC2 IAM

Author: Dave Liddell | | November 25, 2011

Oracle’s OSB Cloud Module allows you to back up to S3. By default OSB Cloud Module creates buckets with names generated from your AWS login. For example, if your login e-mail address starts with myaccount@, your default buckets are oracle-data-myaccount-1 and oracle-log-myaccount-1. If you already have buckets set up that you want to use, and need to lock down permissions using AWS Identity and Access Management (IAM, the “EC2 IAM” of the title), you’ll need to do some extra work to change the bucket OSB uses and to allow access to it.

It’s clear that OSB Cloud Module wasn’t created with IAM in mind, possibly because of release dates, but there are several security and administrative reasons to use the two together. Much of this configuration is undocumented but can be tracked down with a little work.

This article assumes that you already have OSB Cloud Module and RMAN set up and that you are using credentials you created with IAM. If you need to set up OSB Cloud Module, some documentation on doing so is available here: http://www.oracle.com/technetwork/topics/cloud/osbws-readme-083624.html If you need to set up OSB Cloud Module on 10g, some information on doing so is available here.

To change the bucket and lock down permissions you’ll need to use some undocumented settings. You can find these settings by running strings on the OSB shared object:

[oracle@proddb-1 ~]$ strings /opt/oracle/product/10.2.0/db_1/lib/libosbws11.so | grep ^OSB
…
OSB_WS_PFILE
OSB_WS_HOST
OSB_WS_PROXY
OSB_WS_BUCKET
OSB_WS_LOCATION
OSB_WS_CHUNK_SIZE
OSB_WS_LICENSE_ID
OSB_WS_LICENSE_MAX_SESSIONS
OSB_WS_WALLET

We’ll specify our custom bucket name by setting OSB_WS_BUCKET in your osbws*.ora:

OSB_WS_BUCKET=mybucket

When naming your bucket you must adhere to the S3 bucket naming policies, as OSB Cloud Module will fail on upper case letters and other disallowed characters. The S3 bucket naming policies are:

Naming Buckets and Keys

Though buckets can be named with any alpha-numeric character, following some simple naming rules will ensure that you can reference your bucket using the convention <bucketname>.s3.amazonaws.com.

  1. Use 3 to 63 characters.
  2. Use only lower case letters (at least one), numbers, ‘.’ and ‘-‘.
  3. Don’t start or end the bucket name with ‘.’ and don’t follow or precede a ‘.’ with a ‘-‘.

Keys can be named with any properly encoded UTF-8 character. Literal ‘+’ characters should always be URL encoded. (http://aws.amazon.com/articles/1904)

You can determine what permissions are needed by watching tcpdump and filtering for requests to S3 while running the installation and backup commands. Luckily we’ve done that work for you, so here’s what you need to get things set up. Initially you’ll need some extra permissions to run the installer. After osbws_install.jar has run, you can remove the CreateBucket permission (the first document) and the resources for the default buckets (oracle-data-myaccount-1 and oracle-log-myaccount-1). Note that the second document grants s3:GetObject on every object in the account; once backups are working, check whether it can be narrowed to the buckets listed in the third document. Change “mybucket” and “myaccount” to the appropriate identifiers for your setup:

{
  "Statement": [
    {
      "Sid": "Stmt1319046639298",
      "Action": [ "s3:CreateBucket" ],
      "Effect": "Allow",
      "Resource": [ "*" ]
    }
  ]
}

{
  "Statement": [
    {
      "Sid": "Stmt1319047275324",
      "Action": [ "s3:GetObject", "s3:GetObjectVersion" ],
      "Effect": "Allow",
      "Resource": [ "*" ]
    }
  ]
}

{
  "Statement": [
    {
      "Action": [ "s3:ListAllMyBuckets" ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::mybucket",
        "arn:aws:s3:::mybucket/*",
        "arn:aws:s3:::oracle-log-myaccount-1",
        "arn:aws:s3:::oracle-log-myaccount-1/*",
        "arn:aws:s3:::oracle-data-myaccount-1",
        "arn:aws:s3:::oracle-data-myaccount-1/*",
        "arn:aws:s3:::oracle-sbt-license/*",
        "arn:aws:s3:::oracle-sbt-license"
      ]
    }
  ]
}

One unexpected permission is for the “oracle-sbt-license” bucket. This is not a bucket created by OSB under your account but a public bucket belonging to Oracle. Even though it is public, the IAM user needs an explicit Allow for it or access will fail. That is how IAM evaluates requests rather than a quirk of OSB: a request signed with an IAM user’s keys is authorised against that user’s policies, and a bucket’s public (anonymous) access grant does not substitute for a missing Allow in them, so the license bucket has to be listed alongside your own.
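Putting the two configuration steps above together, the bucket naming rules for OSB_WS_BUCKET and the install-time versus post-install IAM policy, here is an added example in Python. It is not part of the original article and is not Oracle’s or AWS’s code. It validates a candidate bucket name against the rules quoted above (with an optional strict mode adding three rules from the current AWS documentation that the 2011 text predates), builds the article’s three policy documents as one policy (an assumption, as are the Sids and the "Version" line), derives the locked-down policy by dropping the CreateBucket statement and the default-bucket ARNs, and lists the remaining account-wide grants for review.

```python
import ipaddress
import json
import re

# Added example, not Oracle's or AWS's code. Assumptions: the article's three
# policy documents are attached as one inline policy, the Sids are ours, and
# the "Version" line (absent from the 2011 article) is added for current IAM.

_ALLOWED = re.compile(r"^[a-z0-9.-]+$")
DEFAULT_BUCKETS = ("oracle-data-{account}-1", "oracle-log-{account}-1")
LICENSE_BUCKET = "oracle-sbt-license"  # Oracle's public bucket; still needs an explicit Allow


def bucket_name_problems(name, strict=False):
    """Rule violations for an S3 bucket name; an empty list means usable.

    The first five checks are the rules quoted in the article. strict=True adds
    three rules from the current AWS documentation.
    """
    problems = []
    if not 3 <= len(name) <= 63:
        problems.append("length must be 3 to 63 characters")
    if not _ALLOWED.match(name):
        problems.append("only lower case letters, digits, '.' and '-' are allowed")
    if not any("a" <= c <= "z" for c in name):
        problems.append("must contain at least one lower case letter")
    if name.startswith(".") or name.endswith("."):
        problems.append("must not start or end with '.'")
    if ".-" in name or "-." in name:
        problems.append("'.' must not be adjacent to '-'")
    if strict:
        if not (name[:1].isalnum() and name[-1:].isalnum()):
            problems.append("must start and end with a letter or digit")
        if ".." in name:
            problems.append("must not contain adjacent periods")
        try:
            ipaddress.IPv4Address(name)
            problems.append("must not be formatted as an IP address")
        except ValueError:
            pass
    return problems


def osbws_bucket_line(name, strict=False):
    """The osbws*.ora line for a validated bucket name; raises on a bad name."""
    problems = bucket_name_problems(name, strict)
    if problems:
        raise ValueError(f"bad OSB_WS_BUCKET {name!r}: " + "; ".join(problems))
    return f"OSB_WS_BUCKET={name}"


def _bucket_arns(name):
    return [f"arn:aws:s3:::{name}", f"arn:aws:s3:::{name}/*"]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def install_policy(bucket, account):
    """Permissions needed while osbws_install.jar runs (the article's three documents)."""
    resources = _bucket_arns(bucket)
    for tmpl in DEFAULT_BUCKETS:
        resources += _bucket_arns(tmpl.format(account=account))
    resources += _bucket_arns(LICENSE_BUCKET)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "OsbInstallCreateBucket", "Effect": "Allow",
             "Action": ["s3:CreateBucket"], "Resource": ["*"]},
            {"Sid": "OsbReadAnyObject", "Effect": "Allow",
             "Action": ["s3:GetObject", "s3:GetObjectVersion"], "Resource": ["*"]},
            {"Sid": "OsbListBuckets", "Effect": "Allow",
             "Action": ["s3:ListAllMyBuckets"], "Resource": ["arn:aws:s3:::*"]},
            {"Sid": "OsbBackupBuckets", "Effect": "Allow",
             "Action": ["s3:*"], "Resource": resources},
        ],
    }


def post_install_policy(bucket, account):
    """Lock-down from the article: drop CreateBucket and the default-bucket ARNs."""
    policy = install_policy(bucket, account)
    default_arns = {a for t in DEFAULT_BUCKETS for a in _bucket_arns(t.format(account=account))}
    kept = []
    for stmt in policy["Statement"]:
        if _as_list(stmt["Action"]) == ["s3:CreateBucket"]:
            continue
        stmt["Resource"] = [r for r in _as_list(stmt["Resource"]) if r not in default_arns]
        if stmt["Resource"]:  # drop a statement left with nothing to grant
            kept.append(stmt)
    policy["Statement"] = kept
    return policy


def broad_grants(policy):
    """Allow statements covering every bucket or object in the account.

    s3:ListAllMyBuckets is account-level and legitimately needs this; anything
    else (the GetObject grant from the article, for instance) is returned for review.
    """
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt["Action"])
        wide = any(r in ("*", "arn:aws:s3:::*") for r in _as_list(stmt["Resource"]))
        if wide and actions != ["s3:ListAllMyBuckets"]:
            findings.append((stmt.get("Sid"), actions))
    return findings


if __name__ == "__main__":
    print(osbws_bucket_line("mybucket"))
    print(json.dumps(post_install_policy("mybucket", "myaccount"), indent=2))
    print("review:", broad_grants(post_install_policy("mybucket", "myaccount")))
```

Run it with the bucket and account names substituted and paste the printed JSON into the user’s policy. The broad_grants() check is the follow-up to the caveat above: after lock-down it still reports the GetObject grant on "*", which is the first place to look when tightening further.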
