[Duplicity-talk] Duplicity with S3 and IAM


From: Miguel Jacq
Subject: [Duplicity-talk] Duplicity with S3 and IAM
Date: Thu, 2 Dec 2010 11:47:09 +1100

Hi all,

I'm currently experimenting with Amazon's IAM (Identity and Access
Management) [1], which is designed to allow 'sub users' with their own
AWS ID and secret key to access your AWS by way of granting them
privileges in the form of 'policies' to certain resources (such as
S3).

The benefit of this is that, given Duplicity is a 'push' service,
you could potentially put scripts on your clients' machines without
having to expose your secret AWS API credentials to them, because
they'd have their own. (As a side note: does anyone handle this
problem in another way? This is based on the assumption that the
client has full root access to their VPS, and thus setting
restrictive permissions on the script won't help.)


I have successfully created users with policies which in IAM are in
JSON format like so:

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:*"],
      "Resource": "arn:aws:s3:::mybucket/john_doe/*"
    }
  ]
}

I can successfully sync duplicity archives to S3 using a 'john doe'
user's ID and key.

My problem is if I re-run the duplicity command, expecting an
incremental backup, I get this:

Deleting local 
/root/.cache/duplicity/b38e2931dd3307df85d9ed3c141cfce1/duplicity-full.20101202T003941Z.manifest
(not authoritative at backend).
NOTICE:duplicity:Deleting local
/root/.cache/duplicity/b38e2931dd3307df85d9ed3c141cfce1/duplicity-full.20101202T003941Z.manifest
(not authoritative at backend).

The result being it forces a new full backup which is not ideal.

It seems like a permissions problem, but as you can see in my Action
above, I am granting basically any S3 privilege to this user within
a certain folder of the bucket.

Has anyone else played with IAM + S3 with Duplicity and have you
figured out the appropriate policy?


Cheers,

Miguel

[1] http://aws.amazon.com/iam
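The policy quoted above only covers object-level actions on
arn:aws:s3:::mybucket/john_doe/*. Listing the contents of a bucket
(s3:ListBucket) is a bucket-level action, evaluated against the bucket's
own ARN (arn:aws:s3:::mybucket), so a policy that names only the object
ARN never grants it. Duplicity lists the remote backend to decide which
chains exist before it decides between a full and an incremental; with an
empty listing it treats the local manifest as "not authoritative at
backend", discards it and starts a new full. The policy below is an
example added to this archive page, not something posted in the thread or
shipped by the duplicity project. The bucket name and the john_doe prefix
are taken from the post; the Sid values are made up, and the "Version"
field is the current policy-language version, which post-dates this 2010
message. It grants listing on the bucket restricted by the s3:prefix
condition key to the client's own prefix, and narrows the object actions
from s3:* to the three duplicity needs:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListOnlyThisClientsPrefix",
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": "arn:aws:s3:::mybucket",
      "Condition": {
        "StringLike": {
          "s3:prefix": ["john_doe", "john_doe/*"]
        }
      }
    },
    {
      "Sid": "ReadWriteDeleteOwnObjects",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
      "Resource": "arn:aws:s3:::mybucket/john_doe/*"
    }
  ]
}
```

The s3:prefix condition is what keeps the listing permission from
revealing other clients' directory names in the same bucket; both the
bare prefix and the prefix with a trailing slash are listed so that the
match does not depend on how the client formats its list request. A
quick check is to list the bucket with the sub-user's key pair: it
should succeed under john_doe/ and be denied at the bucket root. Note
that a client with delete rights on its own prefix can still destroy its
own backup history, which this policy does not prevent.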
