Assigning Role for AWS Backup Gateway VMWare Tags


I am looking for instructions on how to modify or create an IAM role I can use to map on-prem VMware tags in AWS Backup for AWS Backup Gateway.

I am attempting to map on-prem VMware tags in AWS Backup, via the AWS Backup Gateway, in the AWS Console. I am stuck on this step, located at:

After adding mapping(s), specify the IAM role you intend to use to apply these AWS tags to the VMware virtual machines. The policy AWSBackupGatewayServiceRolePolicyForVirtualMachineMetadataSync contains needed permissions. You can attach this policy to the role you are using (or have an administrator attach it) or you can create a custom policy for the role being used.

I have the documentation-recommended "AWSBackupDefaultServiceRole" role trusted to the backup service in IAM, and the on-prem backups work as expected. However, when adding a VMware tag mapping, this role does not appear in the "IAM role: Specify an IAM role to apply mapped AWS tags to the VMware virtual machines." drop-down, even if I add the above policy to that role. I also added a new role, mimicking the AWSBackupDefaultServiceRole role, with that policy, and it showed up in the list, but it errored with "Customer provided role ... can't be assumed by Backup Gateway".

When creating a role, there is no "AWS Backup Gateway" service and a custom trust policy requires a JSON statement. So I'm lost.


asked a year ago · 469 views
2 Answers

We had the same issue while implementing the AWS Backup solution for VMware Cloud. We were using the default role "AWSBackupDefaultServiceRole" which had the same issue.

**Problem:** Seems that the Backup Gateway is not able to assume the role.

**Solution:** We created a new role and assigned the policies as mentioned below. In the trust relationship policy we updated as below.

**Detailed steps:**

  1. Create a custom role similar to the default role "AWSBackupDefaultServiceRole"
  2. Assign the policies "AWSBackupServiceRolePolicyForBackup", "AWSBackupServiceRolePolicyForRestores", and "AWSBackupGatewayServiceRolePolicyForVirtualMachineMetadataSync"
  3. Update trust relationship policy as below

    “Version”: “2012-10-17",
    “Statement”: [
            “Effect”: “Allow”,
            “Principal”: {
                “Service”: “”
            “Action”: “sts:AssumeRole”

This resolved our problem and we were able to progress with the implementation.

Thank you

answered a year ago
  • This worked for me! What a life saver. Thank you.
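As an added illustration (not code from the question or the answer above), the following Python checks a role's trust policy for the service principals that must be allowed to call sts:AssumeRole. The service principal names are assumptions taken from AWS documentation conventions (the default role trusts backup.amazonaws.com; Backup Gateway uses backup-gateway.amazonaws.com) and should be verified against the current AWS Backup Gateway docs before use; the sample trust policy is constructed inline.

```python
import json

# Assumed service principals; verify against the AWS Backup Gateway documentation.
BACKUP_PRINCIPAL = "backup.amazonaws.com"             # trusted by AWSBackupDefaultServiceRole
BACKUP_GATEWAY_PRINCIPAL = "backup-gateway.amazonaws.com"  # needed for VMware tag mapping


def _as_list(value):
    """IAM accepts either a string or a list for Statement, Action and Principal.Service."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def trust_allows(policy, service):
    """True if any Allow statement lets `service` call sts:AssumeRole."""
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":  # anonymous principal: overly broad, but technically allows it
            return True
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        actions = _as_list(stmt.get("Action"))
        if service in services and any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            return True
    return False


def missing_principals(policy, required=(BACKUP_PRINCIPAL, BACKUP_GATEWAY_PRINCIPAL)):
    """Service principals from `required` that the trust policy does not allow to assume the role."""
    return [s for s in required if not trust_allows(policy, s)]


def build_trust_policy(services):
    """Trust policy allowing each listed service principal to assume the role (least privilege:
    only sts:AssumeRole, only the named services)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Principal": {"Service": list(services)},
                       "Action": "sts:AssumeRole"}],
    }


# Constructed sample: a trust policy shaped like the one the default backup role ships with.
DEFAULT_ROLE_TRUST = json.loads(
    '{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", '
    '"Principal": {"Service": "backup.amazonaws.com"}, "Action": "sts:AssumeRole"}]}'
)

if __name__ == "__main__":
    print("missing from default role:", missing_principals(DEFAULT_ROLE_TRUST))
    print(json.dumps(build_trust_policy([BACKUP_PRINCIPAL, BACKUP_GATEWAY_PRINCIPAL]), indent=2))
```

Run it against the output of `aws iam get-role` (the `AssumeRolePolicyDocument` field) to see which principal a role that fails with "can't be assumed by Backup Gateway" is missing.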


A little confusing, but you can have just one KMS key to back up both environments (on-prem or VMC on AWS).

They have to use AWS KMS.

Virtual machine backups are always encrypted. The AWS KMS encryption key for virtual machine backups is configured in the AWS Backup vault that the virtual machine backups are stored in.

AWS
answered a year ago
