Assigning Role for AWS Backup Gateway VMWare Tags


I am looking for instruction on either how to modify or create an IAM role I can use to map on-prem VMWare tags in AWS Backup for AWS Backup Gateway.

I am attempting to map On-Prem VMWare tags in AWS Backup, via the AWS Backup Gateway, in the AWS Console. I am stuck on this step located at:

After adding mapping(s), specify the IAM role you intend to use to apply these AWS tags to the VMware virtual machines. The policy AWSBackupGatewayServiceRolePolicyForVirtualMachineMetadataSync contains needed permissions. You can attach this policy to the role you are using (or have an administrator attach it) or you can create a custom policy for the role being used.

I have the documentation recommended "AWSBackupDefaultServiceRole" role trusted to the backup service in IAM and the on-prem backups work as expected. However, when adding a VMware tag mapping, this role does not appear in the "IAM role: Specify an IAM role to apply mapped AWS tags to the VMware virtual machines." drop-down, even if I add the above policy to that role. I also added a new role, mimicking the AWSBackupDefaultServiceRole role, with that policy, and it showed up in the list, but it errored with "Customer provided role ... can't be assumed by Backup Gateway".

When creating a role, there is no "AWS Backup Gateway" service and a custom trust policy requires a JSON statement. So I'm lost.


posta un anno fa462 visualizzazioni
2 Risposte

We had the same issue while implementing the AWS Backup solution for VMware Cloud. We were using the default role "AWSBackupDefaultServiceRole" which had the same issue.

**Problem : ** Seems that the Backup Gateway is not able to assume the role

**Solution: ** We created a new role and assigned the policies as mentioned below. In the trust relationship policy we updated as below.

**Detailed steps: **

  1. Create a custom role similar to the default role "AWSBackupDefaultServiceRole"
  2. Assign the policies " AWSBackupServiceRolePolicyForBackup" , "AWSBackupServiceRolePolicyForRestrore", and "AWS BackupGatewayServiceRolePolicyForVirtualMachineMetadataSync"
  3. Update trust relationship policy as below

    “Version”: “2012-10-17",
    “Statement”: [
            “Effect”: “Allow”,
            “Principal”: {
                “Service”: “”
            “Action”: “sts:AssumeRole”

This resolved our problem and we were able to progress with the implementation.

Thank you

con risposta un anno fa

Little confuse, but you can have just one KMS Key to backup both environment (OnPrem or VMC on AWS)

They have to use AWS KMS.

Virtual machine backups are always encrypted. The AWS KMS encryption key for virtual machine backups is configured in the AWS Backup vault that the virtual machine backups are stored in.

profile pictureAWS
con risposta un anno fa

Accesso non effettuato. Accedi per postare una risposta.

Una buona risposta soddisfa chiaramente la domanda, fornisce un feedback costruttivo e incoraggia la crescita professionale del richiedente.

Linee guida per rispondere alle domande