Node and Service Backups

Kaleido nodes can be configured with a backup configuration, offering an on-demand gateway for exporting node data into a customer’s S3 bucket. Backups not only provide an added persistence layer for the ledger, but also allow customers to access the otherwise unsurfaced signing keys and chain data and take full possession of their node contents.

Backup by associating S3 bucket with a node/service

Configuring an S3 Bucket

  • Log into the AWS console and navigate to the S3 Service in the Storage category.
  • Provide a compliant DNS name for your bucket and follow the pop-up instructions for further configuration and permissions. Kaleido does not enforce restrictions on the bucket configuration (e.g. object encryption). Review your configurations and click Create bucket to provision the storage resource.
  • Next, navigate to your IAM service and provision a custom S3 policy for one of your IAM users.
  • In the left-hand navigation panel, select Policies and click Create policy at the top of the screen.
  • Choose S3 as the Service and enable write access in its entirety. This can be done by simply clicking the box next to Write.
  • Create a name for the policy and review it, ensuring that you have provided full write access. Click Create policy to finish.
  • Next, click the Users tab in the navigation panel to attach the newly created custom policy to an existing user.
  • Click the Add Permissions button and select the Attach existing policies directly option.
  • Enter your custom policy name into the search bar and select it. Click Next: Review to finalize the user permissions and enable the custom policy against your selected user.

Provide this S3 bucket configuration when creating a node/service in Kaleido using the UI/API. Once a node/service is associated with a target S3 bucket, a backup operation can be triggered on demand. For every backup request, Kaleido uploads a tar zipped file of the node/service's contents to the S3 bucket.

Backup using Pre-signed URL

Alternatively, you can generate a one-time Pre-signed URL for a file in an S3 bucket and provide that as the target for the upload of the backup. If you choose to use this mechanism to trigger a backup, the node/service need not be pre-configured with an S3 backup destination. This feature is only available via the API at this time. Below is a JavaScript snippet, using the aws-sdk Node.js package, that you may use to generate a Pre-signed URL for your S3 bucket:

'use strict';

const AWS = require('aws-sdk');

// S3 client for the IAM user that holds the custom S3 write policy.
const s3 = new AWS.S3({
  apiVersion: '2006-03-01',
  sslEnabled: true,
  accessKeyId: '<your S3 bucket access key>',
  secretAccessKey: '<your S3 bucket secret>',
  region: '<region>'
});

// Returns a Pre-signed PUT URL for the object that will hold the backup.
async function createURL() {
  const params = {
    Bucket: '<bucket name>',
    Key: '<file name for backup>'
  };
  // getSignedUrlPromise is the promise-returning form of getSignedUrl.
  return s3.getSignedUrlPromise('putObject', params);
}

createURL()
  .then((url) => {
    // Anyone holding this URL can write to the key until the URL expires.
    console.log(`URL: ${url}`);
    return url;
  })
  .catch(err => {
    console.error(`Presigning request encountered an error ${err}`);
    process.exit(1);
  });

Use the generated URL as the presigned_url request body field in the API request:

{
    "presigned_url": "https://test-bucket-1.s3.us-east-2.amazonaws.com/zzver79ou5-zzvt0b0ylf-quorum.tgz?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AZIAJNQZWSKAX2VQHMMA%2F20191003%2Fus-east-2%2Fs3%2Faws4_request&X-Amz-Date=20191003T161903Z&X-Amz-Expires=900&X-Amz-Signature=cf0f8ecfc701c921b6d324007006d43977b6a67ef0911bdefa8529a78a3683ce&X-Amz-SignedHeaders=host"
}
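
A Pre-signed URL carries its own scope and lifetime in the query string, so it can be reviewed before it is handed over as presigned_url. The following is an added example, not part of the original page or of Kaleido's code: it parses the sample URL shown above and checks scheme, bucket, key and lifetime. The function names and the `expected` policy object are assumptions made for illustration.

```javascript
'use strict';

// Sample Pre-signed URL copied from the request body shown on this page.
const SAMPLE_URL = 'https://test-bucket-1.s3.us-east-2.amazonaws.com/zzver79ou5-zzvt0b0ylf-quorum.tgz' +
  '?X-Amz-Algorithm=AWS4-HMAC-SHA256' +
  '&X-Amz-Credential=AZIAJNQZWSKAX2VQHMMA%2F20191003%2Fus-east-2%2Fs3%2Faws4_request' +
  '&X-Amz-Date=20191003T161903Z&X-Amz-Expires=900' +
  '&X-Amz-Signature=cf0f8ecfc701c921b6d324007006d43977b6a67ef0911bdefa8529a78a3683ce' +
  '&X-Amz-SignedHeaders=host';

// Parse a SigV4 Pre-signed URL (virtual-hosted style) into the fields worth reviewing.
function inspectPresignedUrl(rawUrl) {
  const u = new URL(rawUrl);
  const q = u.searchParams;
  const [accessKeyId, , region, service] = (q.get('X-Amz-Credential') || '').split('/');
  // X-Amz-Date uses the ISO 8601 basic format: YYYYMMDDTHHMMSSZ.
  const m = /^(\d{4})(\d{2})(\d{2})T(\d{2})(\d{2})(\d{2})Z$/.exec(q.get('X-Amz-Date') || '');
  if (!m) throw new Error('missing or malformed X-Amz-Date');
  const signedAt = Date.UTC(+m[1], m[2] - 1, +m[3], +m[4], +m[5], +m[6]);
  const ttl = Number(q.get('X-Amz-Expires'));
  if (!Number.isInteger(ttl) || ttl <= 0) throw new Error('missing or malformed X-Amz-Expires');
  return {
    protocol: u.protocol,
    bucket: u.hostname.split('.s3.')[0],
    key: decodeURIComponent(u.pathname.slice(1)),
    accessKeyId, region, service, ttl,
    expiresAt: new Date(signedAt + ttl * 1000)
  };
}

// Return a list of policy violations; an empty list means the URL is acceptable.
function checkPresignedUrl(rawUrl, expected, now = new Date()) {
  const info = inspectPresignedUrl(rawUrl);
  const problems = [];
  if (info.protocol !== 'https:') problems.push('not HTTPS');
  if (info.bucket !== expected.bucket) problems.push('unexpected bucket');
  if (info.key !== expected.key) problems.push('unexpected key');
  if (info.ttl > expected.maxTtl) problems.push('lifetime too long');
  if (now >= info.expiresAt) problems.push('expired');
  return problems;
}

// Constructed check: evaluate the sample one minute after it was signed.
console.log(checkPresignedUrl(SAMPLE_URL,
  { bucket: 'test-bucket-1', key: 'zzver79ou5-zzvt0b0ylf-quorum.tgz', maxTtl: 900 },
  new Date('2019-10-03T16:20:03Z')));
```

The URL also exposes the signing user's access key ID in X-Amz-Credential, so keep it out of logs and tickets.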