feat: Enable IAM instance profile (IAM role) when used in AWS

Dockerfile

@@ -82,6 +82,8 @@ LABEL \
 
 EXPOSE 22/tcp 80/tcp 443/tcp
 
+RUN ln -s /etc/ssl/certs/ca-certificates.crt /usr/lib/ssl/cert.pem
+
 VOLUME ["${GITLAB_DATA_DIR}", "${GITLAB_LOG_DIR}","${GITLAB_HOME}/gitlab/node_modules"]
 WORKDIR ${GITLAB_INSTALL_DIR}
 ENTRYPOINT ["/sbin/entrypoint.sh"]

README.md

@@ -1081,6 +1081,10 @@ Default AWS access key to be used for object store. Defaults to `AWS_ACCESS_KEY_
 
 Default AWS access key to be used for object store. Defaults to `AWS_SECRET_ACCESS_KEY`
 
+##### `AWS_USE_IAM_PROFILE`
+
+Set to `true` to enable IAM Instance Profile for default authencicating to AWS. Defaults to `false`. Note: If set to `true`, `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` configurations will be ignored.
+
 ##### `AWS_REGION`
 
 AWS Region. Defaults to `us-east-1`
@@ -1149,6 +1153,10 @@ AWS Access Key ID for the Bucket. Defaults to `$AWS_ACCESS_KEY_ID`
 
 AWS Secret Access Key. Defaults to `$AWS_SECRET_ACCESS_KEY`
 
+##### `GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_USE_IAM_PROFILE`
+
+Set to `true` to enable IAM Instance Profile for authencicating to AWS. Defaults to `$AWS_USE_IAM_PROFILE`. Note: If set to `true`, `GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID` and `GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY` configurations will be ignored.
+
 ##### `GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_REGION`
 
 AWS Region. Defaults to `$AWS_REGION`
@@ -1221,6 +1229,10 @@ AWS Access Key ID for the Bucket. Defaults to `AWS_ACCESS_KEY_ID`
 
 AWS Secret Access Key. Defaults to `AWS_SECRET_ACCESS_KEY`
 
+#### `GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_USE_IAM_PROFILE`
+
+Set to `true` to enable IAM Instance Profile for authencicating to AWS. Defaults to `$AWS_USE_IAM_PROFILE`. Note: If set to `true`, `GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID` and `GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_USE_IAM_PROFILE` configurations will be ignored.
+
 ##### `GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_REGION`
 
 AWS Region. Defaults to `$AWS_REGION`
@@ -1293,6 +1305,11 @@ AWS Access Key ID for the Bucket. Defaults to `$AWS_ACCESS_KEY_ID`
 
 AWS Secret Access Key. Defaults to `$AWS_SECRET_ACCESS_KEY`
 
+##### `GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_USE_IAM_PROFILE`
+
+Set to `true` to enable IAM Instance Profile for authencicating to AWS. Defaults to `$AWS_USE_IAM_PROFILE`. Note: If set to `true`, `GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID` and `GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY` configurations will be ignored.
+
+
 ##### `GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_REGION`
 
 AWS Region. Defaults to `$AWS_REGION`
@@ -1349,6 +1366,10 @@ AWS Access Key ID for the Bucket. Defaults to `$AWS_ACCESS_KEY_ID`
 
 AWS Secret Access Key. Defaults to `$AWS_SECRET_ACCESS_KEY`
 
+##### `GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_USE_IAM_PROFILE`
+
+Set to `true` to enable IAM Instance Profile for authencicating to AWS. Defaults to `$AWS_USE_IAM_PROFILE`. Note: If set to `true`, `GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID` and `GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY` configurations will be ignored.
+
 ##### `GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_REGION`
 
 AWS Region. Defaults to `$AWS_REGION`
@@ -2430,11 +2451,15 @@ AWS endpoint. No defaults.
 
 ##### `AWS_BACKUP_ACCESS_KEY_ID`
 
-AWS access key id. No defaults.
+AWS access key id. No defaults. Don't configure this value if you enable `AWS_BACKUP_USE_IAM_PROFILE`.
 
 ##### `AWS_BACKUP_SECRET_ACCESS_KEY`
 
-AWS secret access key. No defaults.
+AWS secret access key. No defaults. Don't configure this value if you enable `AWS_BACKUP_USE_IAM_PROFILE`.
+
+##### `AWS_BACKUP_USE_IAM_PROFILE`
+
+Set to `true` to enable IAM Instance Profile for authencicating to AWS for backup. Defaults to `false`. Don't configure this value if you enable `AWS_BACKUP_ACCESS_KEY_ID` and `AWS_BACKUP_SECRET_ACCESS_KEY`.
 
 ##### `AWS_BACKUP_BUCKET`
 
@@ -2638,9 +2663,11 @@ By default, when automated backups are enabled, backups are held for a period of
 
 #### Amazon Web Services (AWS) Remote Backups
 
-The image can be configured to automatically upload the backups to an AWS S3 bucket. To enable automatic AWS backups first add `--env 'AWS_BACKUPS=true'` to the docker run command. In addition `AWS_BACKUP_REGION` and `AWS_BACKUP_BUCKET` must be properly configured to point to the desired AWS location. Finally an IAM user must be configured with appropriate access permission and their AWS keys exposed through `AWS_BACKUP_ACCESS_KEY_ID` and `AWS_BACKUP_SECRET_ACCESS_KEY`.
+The image can be configured to automatically upload the backups to an AWS S3 bucket. To enable automatic AWS backups first add `--env 'AWS_BACKUPS=true'` to the docker run command. In addition `AWS_BACKUP_REGION` and `AWS_BACKUP_BUCKET` must be properly configured to point to the desired AWS location. Finally, either an IAM user or IAM instance profile (IAM role) must be configured with appropriate access permission. 
+
+If you use IAM user to execute remote backup, their AWS keys exposed through `AWS_BACKUP_ACCESS_KEY_ID` and `AWS_BACKUP_SECRET_ACCESS_KEY`. Or, if you use IAM instance profile (IAM role), add `--env 'AWS_BACKUP_USE_IAM_PROFILE=true'` to the docker run command.
 
-More details about the appropriate IAM user properties can found on [doc.gitlab.com](http://doc.gitlab.com/ce/raketasks/backup_restore.html#upload-backups-to-remote-cloud-storage)
+More details about the appropriate properties of IAM user and IAM instance profile can found on [docs.gitlab.com](https://docs.gitlab.com/ee/administration/backup_restore/backup_gitlab.html#upload-backups-to-a-remote-cloud-storage)
 
 For remote backup to self-hosted s3 compatible storage, use `AWS_BACKUP_ENDPOINT`.
 

assets/runtime/config/gitlabhq/gitlab.yml

@@ -225,8 +225,13 @@ production: &base
       connection:
         provider: {{GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_PROVIDER}} # Only AWS supported at the moment
         #start-artifacts-aws
+        #start-artifacts-secret-access-key-aws
         aws_access_key_id: {{GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID}}
         aws_secret_access_key: {{GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY}}
+        #end-artifacts-secret-access-key-aws
+        #start-artifacts-use-iam-profile-aws
+        use_iam_profile: {{GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_USE_IAM_PROFILE}}
+        #end-artifacts-use-iam-profile-aws
         region: {{GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_REGION}}
         host: '{{GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_HOST}}' # default: s3.amazonaws.com
         aws_signature_version: {{GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION}} # For creation of signed URLs. Set to 2 if provider does not support v4.
@@ -271,8 +276,13 @@ production: &base
       connection:
         provider: {{GITLAB_LFS_OBJECT_STORE_CONNECTION_PROVIDER}}
         #start-lfs-aws
+        #start-lfs-secret-access-key-aws
         aws_access_key_id: {{GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID}}
         aws_secret_access_key: {{GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY}}
+        #end-lfs-secret-access-key-aws
+        #start-lfs-use-iam-profile-aws
+        use_iam_profile: {{GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_USE_IAM_PROFILE}}
+        #end-lfs-use-iam-profile-aws
         aws_signature_version: {{GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION}} # For creation of signed URLs. Set to 2 if provider does not support v4.
         region: {{GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_REGION}}
         host: '{{GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_HOST}}' # default: s3.amazonaws.com
@@ -305,8 +315,13 @@ production: &base
       connection:
         provider: {{GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_PROVIDER}}
         #start-uploads-aws
+        #start-uploads-secret-access-key-aws
         aws_access_key_id: {{GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID}}
         aws_secret_access_key: {{GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY}}
+        #end-uploads-secret-access-key-aws
+        #start-uploads-use-iam-profile-aws
+        use_iam_profile: {{GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_USE_IAM_PROFILE}}
+        #end-uploads-use-iam-profile-aws
         aws_signature_version: {{GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION}} # For creation of signed URLs. Set to 2 if provider does not support v4.
         region: {{GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_REGION}}
         host: '{{GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_HOST}}' # default: s3.amazonaws.com
@@ -333,8 +348,13 @@ production: &base
       connection:
         provider: {{GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_PROVIDER}} # Only AWS supported at the moment
         #start-packages-aws
+        #start-packages-secret-access-key-aws
         aws_access_key_id: {{GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID}}
         aws_secret_access_key: {{GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY}}
+        #end-packages-secret-access-key-aws
+        #start-packages-use-iam-profile-aws
+        use_iam_profile: {{GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_USE_IAM_PROFILE}}
+        #end-packages-use-iam-profile-aws
         region: {{GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_REGION}}
         host: '{{GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_HOST}}' # default: s3.amazonaws.com
         aws_signature_version: {{GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION}} # For creation of signed URLs. Set to 2 if provider does not support v4.
@@ -380,8 +400,13 @@ production: &base
       connection:
         provider: {{GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_PROVIDER}}
         #start-terraform_state-aws
+        #start-terraform_state-secret-access-key-aws
         aws_access_key_id: {{GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID}}
         aws_secret_access_key: {{GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY}}
+        #end-terraform_state-secret-access-key-aws
+        #start-terraform_state-use-iam-profile-aws
+        use_iam_profile: {{GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_USE_IAM_PROFILE}}
+        #end-terraform_state-use-iam-profile-aws
         region: {{GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_REGION}}
         host: '{{GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_HOST}}' # default: s3.amazonaws.com
         endpoint: '{{GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_ENDPOINT}}' # default: nil
@@ -1096,8 +1121,13 @@ production: &base
         region: {{AWS_BACKUP_REGION}}
         endpoint: {{AWS_BACKUP_ENDPOINT}}
         path_style: {{AWS_BACKUP_PATH_STYLE}}
+        #start-backup-secret-access-key-aws
         aws_access_key_id: {{AWS_BACKUP_ACCESS_KEY_ID}}
         aws_secret_access_key: '{{AWS_BACKUP_SECRET_ACCESS_KEY}}'
+        #end-backup-secret-access-key-aws
+        #start-backup-use-iam-profile-aws
+        use_iam_profile: {{AWS_BACKUP_USE_IAM_PROFILE}}
+        #end-backup-use-iam-profile-aws
         aws_signature_version: {{AWS_BACKUP_SIGNATURE_VERSION}}
       # The remote 'directory' to store your backups. For S3, this would be the bucket name.
       remote_directory: '{{AWS_BACKUP_BUCKET}}'

assets/runtime/env-defaults

@@ -108,6 +108,7 @@ GITLAB_OBJECT_STORE_CONNECTION_PROVIDER=${GITLAB_OBJECT_STORE_CONNECTION_PROVIDE
 #-- AWS
 AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID:-AWS_ACCESS_KEY_ID}
 AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY:-AWS_SECRET_ACCESS_KEY}
+AWS_USE_IAM_PROFILE=${AWS_USE_IAM_PROFILE:-false}
 AWS_REGION=${AWS_REGION:-us-east-1}
 AWS_HOST=${AWS_HOST:-s3.amazonaws.com}
 AWS_ENDPOINT=${AWS_ENDPOINT:-nil}
@@ -134,6 +135,7 @@ GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_PROVIDER=${GITLAB_ARTIFACTS_OBJECT_STOR
 # ARTIFACTS:AWS
 GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID=${GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID:-$AWS_ACCESS_KEY_ID}
 GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY=${GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY:-$AWS_SECRET_ACCESS_KEY}
+GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_USE_IAM_PROFILE=${GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_USE_IAM_PROFILE:-$AWS_USE_IAM_PROFILE}
 GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_REGION=${GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_REGION:-$AWS_REGION}
 GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_HOST=${GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_HOST:-$AWS_HOST}
 GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT=${GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT:-$AWS_ENDPOINT}
@@ -160,6 +162,7 @@ GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_PROVIDER=${GITLAB_PACKAGES_OBJECT_STORE_
 # PACKAGES:AWS
 GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID=${GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID:-$AWS_ACCESS_KEY_ID}
 GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY=${GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY:-$AWS_SECRET_ACCESS_KEY}
+GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_USE_IAM_PROFILE=${GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_USE_IAM_PROFILE:-$AWS_USE_IAM_PROFILE}
 GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_REGION=${GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_REGION:-$AWS_REGION}
 GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_HOST=${GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_HOST:-$AWS_HOST}
 GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_ENDPOINT=${GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_ENDPOINT:-$AWS_ENDPOINT}
@@ -182,6 +185,7 @@ GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_PROVIDER=${GITLAB_TERRAFORM_STATE
 # TERRAFORM STATE:AWS
 GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID=${GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID:-$AWS_ACCESS_KEY_ID}
 GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY=${GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY:-$AWS_SECRET_ACCESS_KEY}
+GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_USE_IAM_PROFILE=${GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_USE_IAM_PROFILE:-$AWS_USE_IAM_PROFILE}
 GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_REGION=${GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_REGION:-$AWS_REGION}
 GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_HOST=${GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_HOST:-$AWS_HOST}
 GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_ENDPOINT=${GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_ENDPOINT:-$AWS_ENDPOINT}
@@ -210,6 +214,7 @@ GITLAB_LFS_OBJECT_STORE_CONNECTION_PROVIDER=${GITLAB_LFS_OBJECT_STORE_CONNECTION
 # LFS:AWS
 GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID=${GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID:-$AWS_ACCESS_KEY_ID}
 GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY=${GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY:-$AWS_SECRET_ACCESS_KEY}
+GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_USE_IAM_PROFILE=${GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_USE_IAM_PROFILE:-$AWS_USE_IAM_PROFILE}
 GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_REGION=${GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_REGION:-$AWS_REGION}
 GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_HOST=${GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_HOST:-$AWS_HOST}
 GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT=${GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT:-$AWS_ENDPOINT}
@@ -235,6 +240,7 @@ GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_PROVIDER=${GITLAB_UPLOADS_OBJECT_STORE_CO
 # Uploads:AWS
 GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID=${GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID:-$AWS_ACCESS_KEY_ID}
 GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY=${GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY:-$AWS_SECRET_ACCESS_KEY}
+GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_USE_IAM_PROFILE=${GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_USE_IAM_PROFILE:-$AWS_USE_IAM_PROFILE}
 GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_REGION=${GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_REGION:-$AWS_REGION}
 GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_HOST=${GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_HOST:-$AWS_HOST}
 GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT=${GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT:-$AWS_ENDPOINT}
@@ -313,6 +319,7 @@ AWS_BACKUP_ENDPOINT=${AWS_BACKUP_ENDPOINT}
 AWS_BACKUP_PATH_STYLE=${AWS_BACKUP_PATH_STYLE:-false}
 AWS_BACKUP_ACCESS_KEY_ID=${AWS_BACKUP_ACCESS_KEY_ID}
 AWS_BACKUP_SECRET_ACCESS_KEY=${AWS_BACKUP_SECRET_ACCESS_KEY}
+AWS_BACKUP_USE_IAM_PROFILE=${AWS_BACKUP_USE_IAM_PROFILE:-false}
 AWS_BACKUP_BUCKET=${AWS_BACKUP_BUCKET}
 AWS_BACKUP_MULTIPART_CHUNK_SIZE=${AWS_BACKUP_MULTIPART_CHUNK_SIZE}
 AWS_BACKUP_ENCRYPTION=${AWS_BACKUP_ENCRYPTION}