Complete the following configurations before connecting your AWS account to discover and protect resources.
AWS configuration
Complete the following configurations in your AWS account before creating a cloud connection.
Configure an access node
Configure an access node in your AWS account. For information about configuring an access node, see Configuring an Access Node for Amazon EC2.
Note
- The CloudFormation Stack creates an EC2 instance as the Commvault access node and assigns the CommvaultAdminRole IAM role.
- Make sure that the CommvaultAdminRole is available in your account before launching the CloudFormation Stack template.
If the CommvaultAdminRole IAM role is not available, you must create one.
Steps to create CommvaultAdminRole IAM role
- Click the Launch CloudFormation Stack link to open the AWS console for the AWS shared services account.

  Important: If you do not have permission to create a role in the AWS account, copy the Launch CloudFormation Stack link and share it with your AWS IAM administrator.
- Log on to the AWS console.

  The Quick create stack page appears.
- Under Capabilities, read the information about the template, and then select the acknowledgment check box.
- Click Create stack.

  Wait for the CloudFormation Stack to finish creating the CommvaultAdminRole IAM role. The CloudFormation Stack creates an IAM policy called CommvaultAdminRole-STSAssumePolicy for STS Assume Role authentication, and then attaches the policy to CommvaultAdminRole.
- Return to the Commvault configuration wizard.

  For instructions, see Configuring an Access Node for Amazon EC2.
Create an AWS IAM user
To create an AWS IAM user with sts:AssumeRole permission, do the following:
- Open the AWS CloudShell command prompt as the Commvault AWS user.
- Run the following:

```
# Create the IAM user and print its ARN
aws iam create-user --user-name CommvaultAssumeRoleUser | jq -r '.User.Arn'

# Attach an inline policy that allows the user to call sts:AssumeRole
aws iam put-user-policy --user-name CommvaultAssumeRoleUser \
  --policy-name AssumeRolePolicy \
  --policy-document '{
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "*"
      }
    ]
  }'
```

- To get the access key ID and secret access key, run the following command:

```
# Prints AccessKeyId and SecretAccessKey; the secret cannot be retrieved again later
aws iam create-access-key --user-name CommvaultAssumeRoleUser | jq -r '.AccessKey'
```

- To get the User ARN, run the following command:

```
aws iam get-user --user-name CommvaultAssumeRoleUser | jq -r '.User.Arn'
```
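The inline policy above sets "Resource": "*", so it does not limit which roles CommvaultAssumeRoleUser may request with sts:AssumeRole. The following Python script is an added example, not part of the Commvault documentation: it flags wildcard sts:AssumeRole grants in a policy document and builds a replacement scoped to one role ARN. Assumptions: the account ID 111122223333 is a placeholder, and that a policy scoped to CommvaultAdminRole is sufficient for the cloud connection has not been confirmed by the page.

```python
import fnmatch
import json
import re

# Inline policy exactly as given in the procedure above.
PAGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "*"}
    ],
}

def _as_list(value):
    """IAM accepts a single value wherever a list is allowed."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def wildcard_assume_role_statements(policy):
    """Return Allow statements granting sts:AssumeRole on a wildcard Resource.

    Action names are case-insensitive and may contain * or ? wildcards.
    NotAction and NotResource statements are out of scope for this check.
    """
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        if not any(fnmatch.fnmatchcase("sts:assumerole", a) for a in actions):
            continue
        if any("*" in r or "?" in r for r in _as_list(stmt.get("Resource"))):
            findings.append(stmt)
    return findings

def scoped_policy(account_id, role_name, partition="aws"):
    """Build a policy allowing sts:AssumeRole on exactly one role ARN."""
    if not re.fullmatch(r"[0-9]{12}", account_id):
        raise ValueError("account ID must be 12 digits")
    if not re.fullmatch(r"[A-Za-z0-9+=,.@_-]{1,64}", role_name):
        raise ValueError("invalid IAM role name")
    arn = f"arn:{partition}:iam::{account_id}:role/{role_name}"
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": arn}]}

if __name__ == "__main__":
    for stmt in wildcard_assume_role_statements(PAGE_POLICY):
        print("wildcard sts:AssumeRole grant:", json.dumps(stmt))
    # 111122223333 is a placeholder account ID; substitute your own.
    print(json.dumps(scoped_policy("111122223333", "CommvaultAdminRole"), indent=2))
```

The printed JSON can be supplied to `aws iam put-user-policy --policy-document` in place of the wildcard document once the role name and account ID match your environment.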
Commvault configuration
Create credentials for IAM user
To create a credential in the Credential Vault from the access key ID and secret access key created for the IAM user, see Adding a Credential to a Built-in Credential Vault.
Use the following custom values:
| Field | Value / Description |
|---|---|
| Account Type | Cloud account |
| Vendor Type | Amazon Web Services |
| Authentication Type | Access & Secret keys |
| Credential name | AWS IAM Assume Role TCO Assessment |
| Access Key ID | The access key ID associated with the AWS IAM user with |
| Secret Access Key | The secret access key associated with the AWS IAM user with |
| Description | Enter a description for the credential. |
Configure the additional settings
In the Command Center application, configure the AWS Hosted Infrastructure Role ARN and AWS Hosted Infrastructure User ARN settings, using the ARN of the new access node's role and the ARN of the IAM user, respectively. For instructions, see Adding a CommCell Setting.
Create server group
Configure a server group with the access node created in your AWS account. For instructions, see Adding a Server Group by Using Manual Association.
Create resource pool
Create a workload resource pool for the AWS cloud connection. For instructions, see Add a Workload Resource Pool.
Important
- The workload resource pool must have the server group associated with the access node.
- The workload resource pool and the access node must be in the same region.