
Setting up AWS S3 for Canasta backups

From notes

This guide walks through setting up an AWS S3 bucket and IAM user for Canasta backups using Restic.

Create an S3 bucket

  1. Go to S3 Console → Create bucket
  2. Enter a bucket name (e.g., canasta-backups-yoursite)
  3. Select your preferred AWS Region
  4. Leave "Block all public access" enabled (default)
  5. Leave all other settings as default
  6. Click Create bucket

Enable versioning (recommended)

Versioning provides an extra safety net against accidental deletion:

  1. Click into your new bucket
  2. Go to the Properties tab
  3. Under Bucket Versioning, click Edit
  4. Select Enable and save

Create an IAM user with scoped permissions

Rather than using AmazonS3FullAccess, create a user with access limited to only the backup bucket.

Create the user

  1. Go to IAM Console → Users → Create user
  2. Enter a username (e.g., canasta-backup)
  3. Do not enable console access — this user only needs API access
  4. Click Next, then Create user (skip attaching policies for now)

Attach a scoped inline policy

  1. Click into the new user
  2. Go to the Permissions tab
  3. Click Add permissions → Create inline policy
  4. Switch to the JSON tab
  5. Paste the following policy, replacing YOUR-BUCKET-NAME with your actual bucket name:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject",
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::YOUR-BUCKET-NAME",
                "arn:aws:s3:::YOUR-BUCKET-NAME/*"
            ]
        }
    ]
}
  Permission              Purpose
  s3:GetObject            Read backup snapshots during restore
  s3:PutObject            Write new backup snapshots
  s3:DeleteObject         Prune old backups (canasta backup purge)
  s3:ListBucket           List snapshots (canasta backup list)
  s3:GetBucketLocation    Required by Restic to locate the bucket

  6. Name the policy (e.g., canasta-backup-s3)
  7. Click Create policy
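The following Python script is an added example, not part of Canasta, Restic or this guide: it builds the inline policy above for a given bucket name and checks a policy document before it is pasted into the console, flagging the mistakes that most often undo the scoping (a wildcard action such as s3:*, a Resource outside the backup bucket, the YOUR-BUCKET-NAME placeholder left in, or the bare bucket ARN missing, which breaks s3:ListBucket). The bucket name used in the comments is a constructed example.

```python
"""Build and sanity-check the scoped S3 backup policy from the guide.

Added example, not Canasta's or Restic's own code. The only policy
shape it understands is the single Allow statement shown above.
"""
import json

# The five actions the guide grants; anything else is reported.
ALLOWED_ACTIONS = {
    "s3:GetObject",
    "s3:PutObject",
    "s3:DeleteObject",
    "s3:ListBucket",
    "s3:GetBucketLocation",
}
BUCKET_LEVEL = {"s3:ListBucket", "s3:GetBucketLocation"}   # act on arn:aws:s3:::bucket
OBJECT_LEVEL = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject"}  # act on bucket/*
PLACEHOLDER = "YOUR-BUCKET-NAME"


def build_policy(bucket: str) -> dict:
    """Return the guide's inline policy with the bucket name filled in."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": sorted(ALLOWED_ACTIONS),
                "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            }
        ],
    }


def _as_list(value):
    """IAM allows a single string where a list is expected; normalise."""
    return [value] if isinstance(value, str) else list(value or [])


def check_policy(policy: dict, bucket: str) -> list:
    """Return findings as strings; an empty list means the policy is scoped as intended."""
    findings = []
    bucket_arn = f"arn:aws:s3:::{bucket}"
    object_arn = bucket_arn + "/*"

    if policy.get("Version") != "2012-10-17":
        findings.append("Version should be 2012-10-17")

    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))

        for action in actions:
            if "*" in action:
                findings.append(f"statement {i}: wildcard action {action!r}")
            elif action not in ALLOWED_ACTIONS:
                findings.append(f"statement {i}: action {action!r} is not needed for backups")

        for res in resources:
            if res not in (bucket_arn, object_arn):
                findings.append(f"statement {i}: resource {res!r} is outside the backup bucket")

        if PLACEHOLDER in json.dumps(stmt):
            findings.append(f"statement {i}: {PLACEHOLDER} placeholder was not replaced")

        # Bucket-level actions need the bare bucket ARN, object actions need bucket/*;
        # leaving one out is the usual cause of "access denied" on list or restore.
        if BUCKET_LEVEL & set(actions) and bucket_arn not in resources:
            findings.append(f"statement {i}: ListBucket/GetBucketLocation need {bucket_arn}")
        if OBJECT_LEVEL & set(actions) and object_arn not in resources:
            findings.append(f"statement {i}: object actions need {object_arn}")

    return findings


if __name__ == "__main__":
    # Constructed bucket name for demonstration.
    name = "canasta-backups-example"
    policy = build_policy(name)
    print(json.dumps(policy, indent=4))
    print("findings:", check_policy(policy, name) or "none")
```

Run it with your real bucket name and paste the printed JSON, or feed an existing policy through check_policy before saving it. One consequence of this policy worth knowing: on a bucket with versioning enabled, as recommended above, s3:DeleteObject only places a delete marker on the current version; because s3:DeleteObjectVersion is not granted, this user cannot permanently remove older versions, so the versioning safety net survives even if the access key is misused.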

Create an access key

  1. Go to the Security credentials tab on the user page
  2. Click Create access key
  3. Choose Application running outside AWS
  4. Click Create access key
  5. Save both values — the Secret Access Key is only shown once:
    • Access Key ID (e.g., AKIA...)
    • Secret Access Key

Configure Canasta

Add the following to your Canasta installation's .env file:

# Restic backup configuration
RESTIC_REPOSITORY=s3:s3.REGION.amazonaws.com/YOUR-BUCKET-NAME
RESTIC_PASSWORD=your-restic-encryption-password

# AWS credentials
AWS_ACCESS_KEY_ID=your-access-key-id
AWS_SECRET_ACCESS_KEY=your-secret-access-key

Replace:

  • REGION with your bucket's AWS region (e.g., us-east-1)
  • YOUR-BUCKET-NAME with your bucket name
  • RESTIC_PASSWORD with a strong password of your choice — this encrypts the backup data (save this password securely; without it, backups cannot be restored)
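A check for the .env block above, added here as an example and not part of Canasta or Restic: it parses the file, confirms the four variables are set, that none of them still holds a placeholder from the template, that RESTIC_REPOSITORY has the s3:s3.REGION.amazonaws.com/BUCKET shape, and that the AWS key pair looks like a long-term IAM key (AKIA followed by 16 characters; a 40-character secret). The 16-character minimum for RESTIC_PASSWORD is an assumption of this example, and every value in the sample .env text is constructed.

```python
"""Sanity-check the Restic/S3 variables in a Canasta .env before 'canasta backup init'.

Added example, not Canasta's or Restic's own code.
"""
import re

REQUIRED = ("RESTIC_REPOSITORY", "RESTIC_PASSWORD", "AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY")

# s3:s3.<region>.amazonaws.com/<bucket>, the repository form the guide uses.
REPO_RE = re.compile(
    r"^s3:s3\.(?P<region>[a-z]{2}(?:-[a-z]+)+-\d)\.amazonaws\.com/"
    r"(?P<bucket>[a-z0-9][a-z0-9.-]{1,61}[a-z0-9])$"
)
# Values that appear verbatim in the guide's template and must be replaced.
PLACEHOLDERS = (
    "REGION",
    "YOUR-BUCKET-NAME",
    "your-restic-encryption-password",
    "your-access-key-id",
    "your-secret-access-key",
)
MIN_PASSWORD_LEN = 16  # assumption of this example, not a Restic requirement


def parse_env(text: str) -> dict:
    """Parse KEY=VALUE lines; blank lines and # comments are skipped, matching quotes stripped."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key.strip()] = value
    return env


def repo_parts(repo: str):
    """Return (region, bucket) from a RESTIC_REPOSITORY value, or None if it is malformed."""
    m = REPO_RE.match(repo)
    return (m.group("region"), m.group("bucket")) if m else None


def check_env(env: dict) -> list:
    """Return findings as strings; an empty list means the backup settings look complete."""
    findings = []
    for key in REQUIRED:
        value = env.get(key, "")
        if not value:
            findings.append(f"{key} is missing or empty")
        elif any(p in value for p in PLACEHOLDERS):
            findings.append(f"{key} still contains a placeholder from the template")

    repo = env.get("RESTIC_REPOSITORY", "")
    if repo and repo_parts(repo) is None:
        findings.append("RESTIC_REPOSITORY is not of the form s3:s3.<region>.amazonaws.com/<bucket>")

    password = env.get("RESTIC_PASSWORD", "")
    if password and len(password) < MIN_PASSWORD_LEN:
        findings.append(f"RESTIC_PASSWORD is shorter than {MIN_PASSWORD_LEN} characters")

    # Long-term IAM user keys: ID is AKIA + 16 chars, secret is 40 chars.
    access_key = env.get("AWS_ACCESS_KEY_ID", "")
    if access_key and not re.fullmatch(r"AKIA[A-Z0-9]{16}", access_key):
        findings.append("AWS_ACCESS_KEY_ID does not look like an IAM user access key (AKIA + 16 chars)")
    secret = env.get("AWS_SECRET_ACCESS_KEY", "")
    if secret and len(secret) != 40:
        findings.append("AWS_SECRET_ACCESS_KEY is not 40 characters long")
    return findings


# Constructed sample .env: every value here is made up for the example.
SAMPLE_ENV = """\
# Restic backup configuration
RESTIC_REPOSITORY=s3:s3.us-east-1.amazonaws.com/canasta-backups-example
RESTIC_PASSWORD=correct-horse-battery-staple-2024

# AWS credentials
AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE12
AWS_SECRET_ACCESS_KEY=abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMN
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ENV
    for finding in check_env(parse_env(text)) or ["ok"]:
        print(finding)
```

Run it as python check_env.py /path/to/.env; with no argument it checks the constructed sample. Pasting the guide's template unchanged produces a finding for every variable, which is the point: the script catches a placeholder before a bucket initialised against the wrong name or an unset password turns into an unrestorable repository.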

Initialize the backup repository

canasta backup init -i your-instance-id

Create a backup

canasta backup create -i your-instance-id -t my-first-backup

Verify

canasta backup list -i your-instance-id

Gitops considerations

If you are using canasta gitops, the backup credentials (RESTIC_*, AWS_*) are automatically detected as secrets and stored as encrypted placeholders in env.template. You do not need to add them to gitops/custom-secret-keys.

See GitOps guide for details.