AWS S3 Setup
Store RabbitMQ backups in Amazon S3 or any S3-compatible service (MinIO, Ceph RGW, DigitalOcean Spaces).
Step 1: Create an S3 Bucket
aws s3api create-bucket \
--bucket my-rabbitmq-backups \
--region us-east-1
# Enable versioning (recommended for data protection)
aws s3api put-bucket-versioning \
--bucket my-rabbitmq-backups \
--versioning-configuration Status=Enabled
Optional: Set a Lifecycle Policy
Automatically expire old backups:
aws s3api put-bucket-lifecycle-configuration \
--bucket my-rabbitmq-backups \
--lifecycle-configuration '{
"Rules": [
{
"ID": "expire-old-backups",
"Status": "Enabled",
"Filter": { "Prefix": "" },
"Expiration": { "Days": 90 },
"Transitions": [
{ "Days": 30, "StorageClass": "STANDARD_IA" },
{ "Days": 60, "StorageClass": "GLACIER" }
]
}
]
}'
Step 2: Create an IAM Policy
Create a policy with the minimum permissions rabbitmq-backup needs:
rabbitmq-backup-policy.json
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "RabbitMQBackupReadWrite",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject",
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Resource": [
"arn:aws:s3:::my-rabbitmq-backups",
"arn:aws:s3:::my-rabbitmq-backups/*"
]
}
]
}
aws iam create-policy \
--policy-name RabbitMQBackupPolicy \
--policy-document file://rabbitmq-backup-policy.json
Attach to a User or Role
For an IAM user:
aws iam attach-user-policy \
--user-name rabbitmq-backup-user \
--policy-arn arn:aws:iam::123456789012:policy/RabbitMQBackupPolicy
For an IAM role (EKS IRSA, EC2 instance profile):
aws iam attach-role-policy \
--role-name rabbitmq-backup-role \
--policy-arn arn:aws:iam::123456789012:policy/RabbitMQBackupPolicy
Step 3: Configure rabbitmq-backup
Using Static Credentials
backup-s3.yaml
mode: backup
backup_id: "prod-backup-001"
source:
amqp_url: "amqp://backup_user:password@rabbitmq.example.com:5672/%2f"
management_url: "http://rabbitmq.example.com:15672"
management_username: backup_user
management_password: password
storage:
backend: s3
bucket: my-rabbitmq-backups
region: us-east-1
access_key: AKIAIOSFODNN7EXAMPLE
secret_key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
prefix: prod/
backup:
compression: zstd
compression_level: 3
include_definitions: true
Using Environment Variables (Recommended)
Omit access_key and secret_key from the config file and set them via environment variables:
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
rabbitmq-backup backup --config backup-s3.yaml
Using IAM Roles (EC2 / EKS)
When running on EC2 with an instance profile or on EKS with IRSA, omit credentials entirely. The AWS SDK credential chain detects them automatically:
backup-s3-iam.yaml
storage:
backend: s3
bucket: my-rabbitmq-backups
region: us-east-1
prefix: prod/
S3-Compatible Services (MinIO)
For MinIO or other S3-compatible services, set endpoint, path_style, and allow_http:
backup-minio.yaml
storage:
backend: s3
bucket: rabbitmq-backups
region: us-east-1
endpoint: http://minio.example.com:9000
access_key: minioadmin
secret_key: minioadmin
prefix: cluster-prod/
path_style: true
allow_http: true
S3 Configuration Reference
| Field | Required | Default | Description |
|---|---|---|---|
backend | Yes | -- | Must be s3 |
bucket | Yes | -- | S3 bucket name |
region | No | Auto-detected | AWS region |
endpoint | No | AWS default | Custom endpoint URL for S3-compatible services |
access_key | No | AWS_ACCESS_KEY_ID env | Access key ID |
secret_key | No | AWS_SECRET_ACCESS_KEY env | Secret access key |
prefix | No | None | Key prefix for all objects |
path_style | No | false | Use path-style requests (required for MinIO) |
allow_http | No | false | Allow insecure HTTP connections |
Verify the Setup
Run a test backup and list the results:
rabbitmq-backup backup --config backup-s3.yaml
rabbitmq-backup list --path s3://my-rabbitmq-backups
Check the S3 bucket:
aws s3 ls s3://my-rabbitmq-backups/prod/ --recursive