Assigning Role for AWS Backup Gateway VMWare Tags


I am looking for instruction on either how to modify or create an IAM role I can use to map on-prem VMWare tags in AWS Backup for AWS Backup Gateway.

I am attempting to map On-Prem VMWare tags in AWS Backup, via the AWS Backup Gateway, in the AWS Console. I am stuck on this step located at: https://docs.aws.amazon.com/aws-backup/latest/devguide/backing-up-vms.html

After adding mapping(s), specify the IAM role you intend to use to apply these AWS tags to the VMware virtual machines. The policy AWSBackupGatewayServiceRolePolicyForVirtualMachineMetadataSync contains needed permissions. You can attach this policy to the role you are using (or have an administrator attach it) or you can create a custom policy for the role being used.

I have the documentation-recommended "AWSBackupDefaultServiceRole" role trusted to the backup service in IAM, and the on-prem backups work as expected. However, when adding a VMware tag mapping, this role does not appear in the "IAM role: Specify an IAM role to apply mapped AWS tags to the VMware virtual machines." drop-down, even if I add the above policy to that role. I also added a new role mimicking the AWSBackupDefaultServiceRole role, with that policy, and it showed up in the list, but it errored with "Customer provided role ... can't be assumed by Backup Gateway".

When creating a role, there is no "AWS Backup Gateway" service to pick, and a custom trust policy requires a JSON statement. So I'm lost.

[Screenshot attached to the original post]

Asked 1 year ago, 462 views

2 answers

We had the same issue while implementing the AWS Backup solution for VMware Cloud. We were using the default role "AWSBackupDefaultServiceRole" which had the same issue.

**Problem:** It seems that the Backup Gateway is not able to assume the role.

**Solution:** We created a new role, assigned the policies mentioned below, and updated the trust relationship policy as shown below.

**Detailed steps:**

  1. Create a custom role similar to the default role "AWSBackupDefaultServiceRole".
  2. Assign the policies "AWSBackupServiceRolePolicyForBackup", "AWSBackupServiceRolePolicyForRestores", and "AWSBackupGatewayServiceRolePolicyForVirtualMachineMetadataSync".
  3. Update the trust relationship policy as below:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "backup-gateway.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
```

This resolved our problem and we were able to progress with the implementation.

Thank you

AWS Expert, answered 1 year ago
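The error in the question ("can't be assumed by Backup Gateway") is a trust-policy problem, not a permissions-policy problem: attaching AWSBackupGatewayServiceRolePolicyForVirtualMachineMetadataSync to a role says what the role may do, while the trust policy says who may assume it. The following is an added example (not code from the thread or from AWS) that checks a role's trust policy offline for exactly this condition and produces a corrected document. The sample trust document for AWSBackupDefaultServiceRole is constructed here from the fact that the default role trusts backup.amazonaws.com; whether the console drop-down filters roles by trust policy is an assumption. The check deliberately ignores Condition blocks, so it is a necessary but not sufficient test when a trust policy carries them.

```python
"""Check which service principals a role's trust policy lets assume it,
and add a missing one. Added example, not part of the re:Post thread."""
import copy
import json

# Constructed sample: the trust policy AWSBackupDefaultServiceRole ships with.
# It trusts the AWS Backup service only, not Backup Gateway.
DEFAULT_ROLE_TRUST = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Principal": {"Service": "backup.amazonaws.com"},
         "Action": "sts:AssumeRole"}
    ],
}

# The service principal named in the accepted answer's trust policy.
GATEWAY_PRINCIPAL = "backup-gateway.amazonaws.com"


def _as_list(value):
    """IAM allows single values to appear as bare strings; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def service_can_assume(trust_policy, service):
    """Return True if `service` is granted sts:AssumeRole by `trust_policy`.

    Implements the part of IAM evaluation that matters for a trust policy:
    a matching explicit Deny wins, otherwise any matching Allow grants.
    Condition blocks are ignored (treated as satisfied), so a True here
    is necessary but not sufficient when the policy has conditions.
    """
    allowed = False
    for stmt in _as_list(trust_policy.get("Statement")):
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if service not in services and principal != "*":
            continue
        actions = _as_list(stmt.get("Action"))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def add_service_principal(trust_policy, service):
    """Return a copy of `trust_policy` that additionally lets `service`
    assume the role. The input is not modified; returns an equal copy
    if `service` can already assume the role."""
    updated = copy.deepcopy(trust_policy)
    if service_can_assume(updated, service):
        return updated
    updated.setdefault("Statement", []).append({
        "Effect": "Allow",
        "Principal": {"Service": service},
        "Action": "sts:AssumeRole",
    })
    return updated


if __name__ == "__main__":
    # Reproduces the symptom from the question: the default role cannot be
    # assumed by Backup Gateway, then prints a trust document that can.
    print("gateway can assume default role:",
          service_can_assume(DEFAULT_ROLE_TRUST, GATEWAY_PRINCIPAL))
    fixed = add_service_principal(DEFAULT_ROLE_TRUST, GATEWAY_PRINCIPAL)
    print(json.dumps(fixed, indent=4))
```

Pass the output of `aws iam get-role --role-name <name>` (the `AssumeRolePolicyDocument` field) to `service_can_assume` before selecting the role in the console; a False result for `backup-gateway.amazonaws.com` is the same failure the console reports after the fact. Keeping the new principal as a separate Allow statement rather than editing the existing one leaves the role's existing trust for `backup.amazonaws.com` intact, so scheduled backups keep working while the tag-mapping feature gains access.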

A little confusing, but you can have just one KMS key to back up both environments (on-prem or VMC on AWS).

They have to use AWS KMS.

Virtual machine backups are always encrypted. The AWS KMS encryption key for virtual machine backups is configured in the AWS Backup vault that the virtual machine backups are stored in.

https://docs.aws.amazon.com/aws-backup/latest/devguide/encryption.html

AWS Expert, answered 1 year ago
