Assigning Role for AWS Backup Gateway VMWare Tags


I am looking for instruction on either how to modify or create an IAM role I can use to map on-prem VMWare tags in AWS Backup for AWS Backup Gateway.

I am attempting to map On-Prem VMWare tags in AWS Backup, via the AWS Backup Gateway, in the AWS Console. I am stuck on this step located at:

After adding mapping(s), specify the IAM role you intend to use to apply these AWS tags to the VMware virtual machines. The policy AWSBackupGatewayServiceRolePolicyForVirtualMachineMetadataSync contains needed permissions. You can attach this policy to the role you are using (or have an administrator attach it) or you can create a custom policy for the role being used.

I have the documentation recommended "AWSBackupDefaultServiceRole" role trusted to the backup service in IAM and the on-prem backups work as expected. However, when adding a VMware tag mapping, this role does not appear in the "IAM role: Specify an IAM role to apply mapped AWS tags to the VMware virtual machines." drop-down, even if I add the above policy to that role. I also added a new role, mimicking the AWSBackupDefaultServiceRole role, with that policy, and it showed up in the list, but it errored with "Customer provided role ... can't be assumed by Backup Gateway".

When creating a role, there is no "AWS Backup Gateway" service and a custom trust policy requires a JSON statement. So I'm lost.


질문됨 일 년 전463회 조회
2개 답변

We had the same issue while implementing the AWS Backup solution for VMware Cloud. We were using the default role "AWSBackupDefaultServiceRole" which had the same issue.

**Problem : ** Seems that the Backup Gateway is not able to assume the role

**Solution: ** We created a new role and assigned the policies as mentioned below. In the trust relationship policy we updated as below.

**Detailed steps: **

  1. Create a custom role similar to the default role "AWSBackupDefaultServiceRole"
  2. Assign the policies " AWSBackupServiceRolePolicyForBackup" , "AWSBackupServiceRolePolicyForRestrore", and "AWS BackupGatewayServiceRolePolicyForVirtualMachineMetadataSync"
  3. Update trust relationship policy as below

    “Version”: “2012-10-17",
    “Statement”: [
            “Effect”: “Allow”,
            “Principal”: {
                “Service”: “”
            “Action”: “sts:AssumeRole”

This resolved our problem and we were able to progress with the implementation.

Thank you

답변함 일 년 전

Little confuse, but you can have just one KMS Key to backup both environment (OnPrem or VMC on AWS)

They have to use AWS KMS.

Virtual machine backups are always encrypted. The AWS KMS encryption key for virtual machine backups is configured in the AWS Backup vault that the virtual machine backups are stored in.

profile pictureAWS
답변함 일 년 전

로그인하지 않았습니다. 로그인해야 답변을 게시할 수 있습니다.

좋은 답변은 질문에 명확하게 답하고 건설적인 피드백을 제공하며 질문자의 전문적인 성장을 장려합니다.

질문 답변하기에 대한 가이드라인