By using AWS re:Post, you agree to the AWS re:Post Terms of Use

Assigning Role for AWS Backup Gateway VMWare Tags

0

I am looking for instruction on either how to modify or create an IAM role I can use to map on-prem VMWare tags in AWS Backup for AWS Backup Gateway.

I am attempting to map On-Prem VMWare tags in AWS Backup, via the AWS Backup Gateway, in the AWS Console. I am stuck on this step located at: https://docs.aws.amazon.com/aws-backup/latest/devguide/backing-up-vms.html

After adding mapping(s), specify the IAM role you intend to use to apply these AWS tags to the VMware virtual machines. The policy AWSBackupGatewayServiceRolePolicyForVirtualMachineMetadataSync contains needed permissions. You can attach this policy to the role you are using (or have an administrator attach it) or you can create a custom policy for the role being used.

I have the documentation recommended "AWSBackupDefaultServiceRole" role trusted to the backup service in IAM and the on-prem backups work as expected. However, when adding a VMware tag mapping, this role does not appear in the "IAM role: Specify an IAM role to apply mapped AWS tags to the VMware virtual machines." drop-down, even if I add the above policy to that role. I also added a new role, mimicking the AWSBackupDefaultServiceRole role, with that policy, and it showed up in the list, but it errored with "Customer provided role ... can't be assumed by Backup Gateway".

When creating a role, there is no "AWS Backup Gateway" service and a custom trust policy requires a JSON statement. So I'm lost.

Screenshot

asked 2 years ago593 views
2 Answers
2

We had the same issue while implementing the AWS Backup solution for VMware Cloud. We were using the default role "AWSBackupDefaultServiceRole" which had the same issue.

**Problem : ** Seems that the Backup Gateway is not able to assume the role

**Solution: ** We created a new role and assigned the policies as mentioned below. In the trust relationship policy we updated as below.

**Detailed steps: **

  1. Create a custom role similar to the default role "AWSBackupDefaultServiceRole"
  2. Assign the policies " AWSBackupServiceRolePolicyForBackup" , "AWSBackupServiceRolePolicyForRestrore", and "AWS BackupGatewayServiceRolePolicyForVirtualMachineMetadataSync"
  3. Update trust relationship policy as below

{
    “Version”: “2012-10-17",
    “Statement”: [
        {
            “Effect”: “Allow”,
            “Principal”: {
                “Service”: “backup-gateway.amazonaws.com”
            },
            “Action”: “sts:AssumeRole”
        }
    ]
}

This resolved our problem and we were able to progress with the implementation.

Thank you

AWS
EXPERT
answered 2 years ago
  • This worked for me! What a life saver. Thank you.

0

Little confuse, but you can have just one KMS Key to backup both environment (OnPrem or VMC on AWS)

They have to use AWS KMS.

Virtual machine backups are always encrypted. The AWS KMS encryption key for virtual machine backups is configured in the AWS Backup vault that the virtual machine backups are stored in.

https://docs.aws.amazon.com/aws-backup/latest/devguide/encryption.html

profile pictureAWS
EXPERT
answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions