Configuring Amazon S3 Bucket Backups Using the IAM Role

To back up the Amazon S3 buckets of your Amazon S3 service account, you must create an IAM role and launch the EC2 VM with the IAM role having full permission to the S3 buckets.

You must also select the EC2 VM as the proxy client computer for the Amazon S3 Virtual Client.

Prerequisites

• Install the Cloud Apps package on the EC2 VM. See the following:

  • Preinstallation Checklist for Cloud Apps on Windows

  • Preinstallation Checklist for Cloud Apps on Linux

• Create an IAM role and launch the EC2 VM with the IAM role. For instructions, go to the Amazon Elastic Compute Cloud website, IAM Roles for Amazon EC2.

Procedure

1. From the CommCell Browser, right-click Client Computers, and then click New Client > Cloud Storage > Amazon S3.

   The New Amazon S3 Client dialog box appears.

2. On the General tab, provide the following details:

   1. In the Client Name box, type a name for the new virtual client.

   2. In the Instance Name box, type a name for the instance.

   3. In the Access Node box, select the EC2 VM as the proxy client computer where the Cloud Apps package is installed.

   4. In the Storage Policy box, select a storage policy for the backup and restore operations.

   5. In the Number of Data Backup Streams box, type the number of data streams to use for backups. The maximum value is 99.

      Note: The number of streams must not exceed the maximum number configured in the subclient storage policy. The CommServe allocates streams depending on the availability of resources.

3. On the Connection Details tab, provide the following details:

   1. In the Host URL box, type the Amazon S3 service account URL (s3.amazonaws.com).

   2. In the Amazon S3 Access Key ID box, type the IAM role name that has permissions on the Amazon S3 bucket. For example, IAM:role_name.

      In the Secret Access Key box, type N/A.

      Note

      For AWS Outposts, to use IAM user credentials of AWS account “b” to assume a role in AWS account “a” to access the S3 buckets in AWS account “a”, by using STS Assume Role authentication, use the following format for credentials:

      • Host URL: outpost_ID.s3-outposts.region.amazonaws.com
        For example, op-1f121e54d0a908a0t.s3-outposts.us-east-1.amazonaws.com.

      • Access key: Assume_Role_ARN|-|Account_Access_Key
        For example, arn:aws:iam::247528017653:role/outpost-shared-commvault|-|AKIAZJHDCPFRNITGW34L.

      • Secret key: The secret key of the account.
        For example, xxccxvcvcvcvcvcc.

4. Click OK.

Result

The Commvault software creates an Amazon S3 virtual client that contains a default instance.