How to configure Amazon Web Services when using IAM Role with NetBackup

How to configure Amazon Web Services when using IAM Role with NetBackup

Article: 100044514
Last Published: 2020-06-17
Ratings: 0 1
Product(s): NetBackup

This article discuss the configuration steps you need to perform in AWS to use I AM Roles with NetBackup.

For more information about using I AM Roles with NetBackup see, the NetBackup Cloud Administration Guide

See Amazon IAM web portal to know more about IAM Roles.

You need to perform the following configurations in Amazon for using AWS IAM Roles with NetBackup.

Create AWS IAM role

  1. In AWS console, create a Permission Policy based on the list of S3 permissions provided. 
    Following in an example of policy with NetBackup required permissions:

    {

        "Version": "2012-10-17",

        "Statement": [

            {

                "Effect": "Allow",

                "Action": [

                    "s3:GetBucketLocation",

                    "s3:ListAllMyBuckets",

                    "s3:CreateBucket",

                    "s3:ListBucket"

                ],

                "Resource": "arn:aws:s3:::*"

            },

            {

                "Effect": "Allow",

                "Action": [

                    "s3:PutObject",

                    "s3:GetObject",

                    "s3:DeleteObject",

                    "s3:RestoreObject",

                ],

                "Resource": [

                    "arn:aws:s3:::BucketName/*"

                ]

            }

        ]

    }

  2. In AWS Console, Add the Trust Relationship policy. Following is an example:

    {

      "Version": "2012-10-17",

      "Statement": [

        {

          "Effect": "Allow",

          "Principal": {

            "Service": "ec2.amazonaws.com"

          },

          "Action": "sts:AssumeRole"

        }

    }

  3. Create a role. 
    For detailed steps to creating AWS IAM role from AWS console, see Creating a Role for an AWS Service (Console).

    1. Create role

    2. Trusted Entity – AWS Service

    3. Service – EC2

    4. Add custom Permission Policy created previously

    5. Add Tag(s)

    6. Review

       
  4. Set NetBackup required S3 permissions. For details, see Permissions required for Amazon IAM user.
    NetBackup requires following set of permissions for S3 operations:

    • s3:CreateBucket

    • s3:ListAllMyBuckets

    • s3:ListBucket

    • s3:GetBucketLocation

    • s3:GetObject

    • s3:PutObject

    • s3:DeleteObject

      For Amazon Glacier, you need following additional permissions:

    • s3:RestoreObject

      For Amazon Glacier Tiering, you need the following additional permissions:

    • s3:PutLifecycleConfiguration

    • s3: GetLifecycleConfiguration

    • s3:PutObjectTagging

  5. Provide access to S3 bucket. Using AWS console, you can provide access permissions to S3 buckets.

  6. Establish trust relationship of IAM role with EC2 instance.
    For detailed steps to establish the trust relationship with EC2, see Using IAM Roles on EC2 instances.

Attach role to EC2 instance

For detailed steps to create EC2 instance with attached AWS IAM role, see I’ve created an IAM role, and now I want to assign it to an EC2 instance.

Although a role is usually assigned to an EC2 instance when you launch it, a role can also be attached to an EC2 instance that is already running. See, Attaching an IAM Role to an Instance

Only one role can be assigned to an EC2 instance at a time. All applications on the instance share the same role and permissions.

Known Issue

If you are using the latest cloudprovider.xml file with a NetBackup version earlier than 8.2, the IAM Role option will be visible, but you won't be able to configure it. 

Was this content helpful?