Amazon EC2 EBS automatic backup one-liner works manually but not from cron

Question

I am trying to implement an automatic backup system for my EBS on Amazon AWS.

When I run this command as ec2-user:

/opt/aws/bin/ec2-create-snapshot --region us-east-1 -K /home/ec2-user/pk.pem -C /home/ec2-user/cert.pem -d "vol-******** snapshot" vol-********

everything works fine.

But if I add this line into /etc/crontab and restart the crond service:

15 12 * * * ec2-user /opt/aws/bin/ec2-create-snapshot --region us-east-1 -K /home/ec2-user/pk.pem -C /home/ec2-user/cert.pem -d "vol-******** snapshot" vol-********

that doesn't work.

I checked var/log/cron and there is this line, therefore the command gets executed:

Dec 13 12:15:01 ip-10-204-111-94 CROND[4201]: (ec2-user) CMD (/opt/aws/bin/ec2-create-snapshot --region us-east-1 -K /home/ec2-user/pk.pem -C /home/ec2-user/cert.pem -d "vol-******** snapshot" vol-******** )

Can you please help me to troubleshoot the problem?

I guess is some environment problem - maybe the lack of some variable. If that's the case I don't know what to do about it.

Thanks.

Answer 1

You should consider taking advantage of AWS's new IAM Roles functionality. Essentially what you do is create a new role in the IAM control panel and then assign it rights to create snapshots. The policy you would need to attach to the role would look something like this:

{
  "Statement": [
    {
      "Sid": "Stmt1355446824880",
      "Action": [
        "ec2:CreateSnapshot",
        "ec2:DescribeSnapshots",
        "ec2:DescribeVolumes"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

Then when you create your instance, you define the IAM role in the launch configuration (it's under "advanced settings"). The effect is that your instance now automatically has permission to create snapshots and you don't have to worry about storing the access keys or other credentials anywhere on the instance. It will work via cron without issue.