The AEM backup curl command is often passed using admin credentials however for security reasons it may be undesirable to store the AEM admin user's credentials in plaintext form in a system script. To mitigate this instead a generic user can be created and be granted more specific access rights to the granite backup console. This will allow to restrict what this user has the ability to do by only having granted rights to start, stop, and view a list of backups.
Limited User account
To do this we first need to go into the AEM user manager interface and simple create a generic user to be used for backups. The name for this user is not important as long as it is identifiable to what its purpose is.
Once created the screenshot below should illustrate exactly what permissions this user should be assigned in order to be able to kickoff backup jobs.
Backup Script Changes
Since we are not granting this generic user access to the OSGI console it cannot use the
normal curl command specified in AEM Documentation (typically something like
Instead we need to post the curl command to the granite console which is very similar to
the previous command with some minor path changes. An example command would be as such
curl -u userName:Password -X POST http://localhost:4502/libs/granite/backup/content/admin/backups/?delay=10\&target=repositoryBackup.zip