Using AWS Glacier to store WORM archives

Part 1 — AWS user account

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "glacier:UploadArchive",
                "glacier:InitiateMultipartUpload",
                "glacier:UploadMultipartPart",
                "glacier:UploadPart",
                "glacier:DeleteArchive",
                "glacier:ListParts",
                "glacier:InitiateJob",
                "glacier:ListJobs",
                "glacier:GetJobOutput",
                "glacier:ListMultipartUploads",
                "glacier:CompleteMultipartUpload"
            ],
            "Resource": "*"
        }
    ]
}

Part 2 — AWS CLI

pip install awscli
aws configure

# ~/.aws/config
[default]
output = json
# us-east-1, or whatever your region is
region = us-east-1

# ~/.aws/credentials
[default]
aws_access_key_id = <paste your access key ID>
aws_secret_access_key = <paste your secret access key>
aws glacier create-vault --account-id - --vault-name testVault
{
    "location": "/304750392399/vaults/testVault"
}

aws glacier list-vaults --account-id -
{
    "VaultList": [
        {
            "SizeInBytes": 0,
            "VaultARN": "arn:aws:glacier:us-east-1:304750392399:vaults/testVault",
            "CreationDate": "2019-01-23T15:59:35.770Z",
            "VaultName": "testVault",
            "NumberOfArchives": 0
        }
    ]
}

dd if=/dev/urandom of=largefile.tar bs=3145728 count=1
aws glacier upload-archive --account-id - --vault-name testVault --body largefile.tar
{
    "archiveId": "8OCPGq88Cf8yQpwEW-b-xU7zzeKhGt__p_Hz24q8AscQ812MdnSeno0YEylrb7Z1zrv_KmIHPob8YYag2Qwsv2uTmSA1U3csrnXozkIJ6-7f3uvhbkaoaQxxOp9p3k5VF2eDpWlaGQ",
    "checksum": "e9ae8110ac0209b7d1580823e4c1fb065d479afff9a42a4893acf04aaf644e0d",
    "location": "/304750392399/vaults/testVault/archives/8OCPGq88Cf8yQpwEW-b-xU7zzeKhGt__p_Hz24q8AscQ812MdnSeno0YEylrb7Z1zrv_KmIHPob8YYag2Qwsv2uTmSA1U3csrnXozkIJ6-7f3uvhbkaoaQxxOp9p3k5VF2eDpWlaGQ"
}
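The checksum returned by upload-archive (and the SHA256TreeHash field in the vault inventory) is the archive's SHA-256 tree hash, so a local copy can be checked against what Glacier stored. The following is an added example, not code from the original article: it computes the tree hash over 1 MiB chunks and compares it with those two fields. The function names, the EXAMPLE-ID archive ID and the sample data are constructed for illustration.

```python
import hashlib
import io
import json

CHUNK = 1024 * 1024  # Glacier builds the tree hash over 1 MiB chunks


def tree_hash(stream):
    """Hex SHA-256 tree hash of a binary stream (function name is illustrative)."""
    level = []
    while True:
        chunk = stream.read(CHUNK)
        if not chunk:
            break
        level.append(hashlib.sha256(chunk).digest())
    if not level:  # empty input hashes as the empty string
        level = [hashlib.sha256(b"").digest()]
    while len(level) > 1:
        nxt = []
        for i in range(0, len(level), 2):
            pair = level[i:i + 2]
            # Hash each adjacent pair; an unpaired last digest moves up unchanged.
            nxt.append(hashlib.sha256(pair[0] + pair[1]).digest()
                       if len(pair) == 2 else pair[0])
        level = nxt
    return level[0].hex()


def matches_upload(stream, upload_response):
    """True if the stream's tree hash equals "checksum" in upload-archive output."""
    return tree_hash(stream) == json.loads(upload_response)["checksum"]


def inventory_mismatches(inventory_json, expected):
    """ArchiveIds whose SHA256TreeHash differs from, or is missing in, `expected`."""
    archives = json.loads(inventory_json)["ArchiveList"]
    return [a["ArchiveId"] for a in archives
            if expected.get(a["ArchiveId"]) != a["SHA256TreeHash"]]


if __name__ == "__main__":
    data = bytes(range(256)) * 12288  # constructed 3 MiB sample, same size as largefile.tar
    digest = tree_hash(io.BytesIO(data))
    response = json.dumps({"archiveId": "EXAMPLE-ID", "checksum": digest})  # constructed
    inventory = json.dumps({"ArchiveList": [
        {"ArchiveId": "EXAMPLE-ID", "SHA256TreeHash": digest}]})  # constructed
    print(digest, matches_upload(io.BytesIO(data), response))
    print(inventory_mismatches(inventory, {"EXAMPLE-ID": "0" * 64}))
```

For a real archive, pass open("largefile.tar", "rb") as the stream and the JSON printed by upload-archive as upload_response.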

Deleting all archives from a vault

aws glacier initiate-job --job-parameters '{"Type": "inventory-retrieval"}' --vault-name testVault --account-id -
{
    "location": "/304750392399/vaults/testVault/jobs/tij3UuulOUdqQMEO5meFNz2nYw5_txSPvO33V8IKPcYA8xCLmXZnZAMgoVnB6vOgtHOSFJ_iYSbuieig_sYpINFsfaf_",
    "jobId": "tij3UuulOUdqQMEO5meFNz2nYw5_txSPvO33V8IKPcYA8xCLmXZnZAMgoVnB6vOgtHOSFJ_iYSbuieig_sYpINFsfaf_"
}

aws glacier list-jobs --vault-name testVault --account-id -
{
    "JobList": [
        {
            "InventoryRetrievalParameters": {
                "Format": "JSON"
            },
            "VaultARN": "arn:aws:glacier:us-east-1:12345555666:vaults/testVault",
            "Completed": false,
            "JobId": "tij3UuulOUdqQMEO5meFNz2nYw5_txSPvO33V8IKPcYA8xCLmXZnZAMgoVnB6vOgtHOSFJ_iYSbuieig_sYpINFsfaf_",
            "Action": "InventoryRetrieval",
            "CreationDate": "2019-01-24T15:34:31.513Z",
            "StatusCode": "InProgress"
        }
    ]
}

aws glacier get-job-output --account-id - --job-id YOUR_JOB_ID --vault-name testVault output.json
{
    "VaultARN": "arn:aws:glacier:us-east-1:12344455566:vaults/testVault",
    "InventoryDate": "2019-01-24T03:15:06Z",
    "ArchiveList": [
        {
            "ArchiveId": "8OCPGq88Cf8yQpwEW-b-xU7zzeKhGt__p_Hz24q8AscQ812MdnSeno0YEylrb7Z1zrv_KmIHPob8YYag2Qwsv2uTmSA1U3csrnXozkIJ6-7f3uvhbkaoaQxxOp9p3k5VF2eDpWlaGQ",
            "ArchiveDescription": "",
            "CreationDate": "2019-01-23T16:12:49Z",
            "Size": 3145728,
            "SHA256TreeHash": "e9ae8110ac0209b7d1580823e4c1fb065d479afff9a42a4893acf04aaf644e0d"
        }
    ]
}
For each archive you want to delete:
aws glacier delete-archive --archive-id=<archive ID> --vault-name testVault --account-id -

Part 3 — Locking the Vault

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "deny-based-on-archive-age",
            "Principal": "*",
            "Effect": "Deny",
            "Action": "glacier:DeleteArchive",
            "Resource": [
                "arn:aws:glacier:us-east-1:123453344:vaults/testVault"
            ],
            "Condition": {
                "NumericLessThan": {
                    "glacier:ArchiveAgeInDays": "365"
                }
            }
        }
    ]
}
Click Complete Vault Lock to finalize locking your vault.

Part 5 - Retrieve archive from Vault

aws glacier initiate-job --account-id - --vault-name testVault --job-parameters '{"Type": "archive-retrieval", "ArchiveId": "<ARCHIVE ID>"}'
aws glacier list-jobs --vault-name testVault --account-id -
