Workbench backup and restore prerequisites
To backup and restore workbenches, check that the following prerequisites are satisfied.
AWS backup service opt-in
Login to your AWS account and navigate to the AWS Backup Service console. Make sure the AWS region matches the region where you have your Cloudera AI Workbench. Click on Settings in the navigation pane, and in the Service opt-in table, ensure that EBS and EFS services are enabled for protection by the AWS Backup service, as shown here.
For additional information about this feature, see July 2022: Cloudera Customer Advisory: The new feature Cloudera AI Backup and Restore on AWS requires changes to IAM permissions in their cross account roles (requires login).
AWS Cloudera Data Platform cross-account role permissions
- Install the Backup IAM Policy. On the AWS console, navigate to the IAM service and click on Click here to download the file)
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "backup:*", "Resource": "*" }, { "Effect": "Allow", "Action": "backup-storage:*", "Resource": "*" }, { "Action": [ "elasticfilesystem:DescribeFilesystems", "elasticfilesystem:Backup", "elasticfilesystem:DescribeTags" ], "Resource": "arn:aws:elasticfilesystem:*:*:file-system/*", "Effect": "Allow" }, { "Action": [ "ec2:DescribeSnapshots", "ec2:DescribeVolumes", "ec2:describeAvailabilityZones", "ec2:DescribeVpcs", "ec2:DescribeAccountAttributes", "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets", "ec2:DescribePlacementGroups", "ec2:DescribeInstances", "ec2:DescribeTags" ], "Effect": "Allow", "Resource": "*" }, { "Effect": "Allow", "Action": [ "ec2:CreateTags", "ec2:DeleteSnapshot" ], "Resource": "arn:aws:ec2:*::snapshot/*" }, { "Effect": "Allow", "Action": [ "ec2:DeleteSnapshot", "ec2:CreateSnapshot" ], "Resource": [ "arn:aws:ec2:*::snapshot/*", "arn:aws:ec2:*:*:volume/*" ] }, { "Action": [ "ec2:DeleteSnapshot" ], "Effect": "Allow", "Resource": "*", "Condition": { "ForAnyValue:StringEquals": { "aws:CalledVia": [ "backup.amazonaws.com" ] } } }, { "Action": [ "tag:GetTagKeys", "tag:GetTagValues", "tag:GetResources" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ "iam:ListRoles", "iam:GetRole" ], "Effect": "Allow", "Resource": "*" }, { "Effect": "Allow", "Action": "iam:PassRole", "Resource": [ "arn:aws:iam::*:role/*" ], "Condition": { "StringLike": { "iam:PassedToService": "backup.amazonaws.com" } } }, { "Action": [ "kms:ListKeys", "kms:DescribeKey", "kms:GenerateDataKey", "kms:ListAliases" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ "kms:CreateGrant" ], "Effect": "Allow", "Resource": "*", "Condition": { "ForAnyValue:StringEquals": { "kms:EncryptionContextKeys": "aws:backup:backup-vault" }, "Bool": { "kms:GrantIsForAWSResource": true }, "StringLike": { "kms:ViaService": "backup.*.amazonaws.com" } } }, { "Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": "*", "Condition": { "StringEquals": { "iam:AWSServiceName": "backup.amazonaws.com" } } } ] }
Save this policy as cml-backup-policy.
. Click on the JSON tab, and replace the default text with the contents of the
following JSON file. ( - Install the Restore Policy. On the AWS console, navigate to the IAM service and click on Click here to download the file)
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:CreateVolume", "ec2:DeleteVolume" ], "Resource": [ "arn:aws:ec2:*::snapshot/*", "arn:aws:ec2:*:*:volume/*" ] }, { "Effect": "Allow", "Action": [ "ec2:CreateTags" ], "Resource": "arn:aws:ec2:*::snapshot/*" }, { "Effect": "Allow", "Action": [ "ec2:DescribeSnapshots", "ec2:DescribeVolumes" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "elasticfilesystem:Restore", "elasticfilesystem:CreateFilesystem", "elasticfilesystem:DescribeFilesystems", "elasticfilesystem:DeleteFilesystem", "elasticfilesystem:TagResource" ], "Resource": "arn:aws:elasticfilesystem:*:*:file-system/*" }, { "Effect": "Allow", "Action": "kms:DescribeKey", "Resource": "*" }, { "Effect": "Allow", "Action": [ "kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey", "kms:ReEncryptTo", "kms:ReEncryptFrom" ], "Resource": "*", "Condition": { "StringLike": { "kms:ViaService": [ "ec2.*.amazonaws.com", "elasticfilesystem.*.amazonaws.com" ] } } }, { "Effect": "Allow", "Action": "kms:CreateGrant", "Resource": "*", "Condition": { "Bool": { "kms:GrantIsForAWSResource": "true" } } } ] }
Save this as cml-restore-policy.
. Click on the JSON tab, and replace the default text with the
contents of the following JSON file. ( - Set up the Trust Relationship. AWS Backup service needs to be able to assume the AWS
cross-account role that is used by the Cloudera Data Platform control plane to manage AWS cloud resources. To
enable this, add the following trust relationship to your AWS cross-account role’s Trust
relationships (navigate to the IAM service console, then find your cross-account role by
clicking on Roles).
{ "Effect": "Allow", "Principal": { "Service": "backup.amazonaws.com" }, "Action": "sts:AssumeRole" }
- Attach the Backup and Restore policies to the Cross-Account Role. While still on the
configuration page of your cross-account role in the IAM console, click on the
Permissions tab. Click Attach policies to attach
the
cml-backup-policy
andcml-restore-policy
policies created above. This step ensures that the AWS Backup service will have the necessary permissions to call the EBS and EFS services on behalf of the cross-account role to manage backups.