You can configure a virtualization client (hypervisor) for Amazon Web Services (AWS) for STS role authentication, if the access node and the guest instance are in the same Amazon account.
You can configure a virtualization client (hypervisor) for Amazon Web Services (AWS) for STS role authentication. STS role authentication allows an Amazon admin IAM user/role to assume the permissions of an Amazon tenant IAM user/role. Following methods of deployments are possible:
-
Single account: The access node and the guest instance can be in the same Amazon account.
-
Multi-account: The access node and the guest instance can be in separate Amazon accounts, see Using Resources from an Admin Account.
Available Features
-
Streaming backups.
-
Full instance restores.
-
Attach volume to an existing instance or a new instance.
-
Live browse and guest file-level restores, agentless restores, and download of files.
-
Conversion from VMware and Hyper-V to AWS using the AWS VM Import/Export transport mode or the Commvault HotAdd transport mode.
-
Live Sync or disaster recovery from VMware to AWS.
-
Live Sync or disaster recovery from AWS to AWS, within the same region or cross region.
-
Automatic scaling of access nodes.
-
IntelliSnap backups.
-
File indexing.
-
Snapshot replication to a different region.
-
Snapshot replication and sharing to a different account, and making a copy of the snapshot.
Before You Begin
The access node must have access to the regional and global STS endpoints. For more information about AWS service endpoints, see AWS service endpoints on the AWS documentation site.
-
Global STS endpoints: The service endpoint is https://sts.amazonaws.com.
-
Regional STS endpoints: For example, https://sts.us-east-1.amazonaws.com, to back up instances on us-east-1.
For more information about STS endpoints and quotas, see AWS Security Token Service endpoints and quotas on the AWS documentation site.
Procedure
-
In the AWS console, from the admin account, create an IAM role (for example, vsa_assume_role) and attach policy with the sts:AssumeRole permission, and then assign the role to the VSA access node.
For more information about assigning Amazon user permissions by creating a policy, see Overview of IAM Policies on the AWS documentation site.
-
Create another IAM role (for example, vsa_role), and attach the policy required for backup and restore operation.
Download the amazon_restricted_role_permissions.json file.
-
Add the admin account ID (Self) as trusted entity in the role created in step 2 in the admin account.
For more information about editing trust relationships, see Modifying a Role Trust Policy on the AWS documentation site.
What to Do Next
Provide the admin account role ARN at the time of adding an Amazon hypervisor, see Creating an Amazon Client.