Using an External ID with the AWS STS AssumeRole Authentication Method

You can use an external ID with the AWS STS AssumeRole authentication method to allow AWS resources that you do not own or operate—specifically, in Commvault Cloud (SaaS) environments and managed service provider (MSP) environments—to assume an IAM role in order to access your AWS account and perform data protection operations.

Using an external ID prevents the confused deputy problem and generally increases security. The Commvault software uses the external ID to assert the circumstances in which it operates when it assumes the specified IAM role, and you can use the external ID to limit the circumstances in which Commvault is allowed to assume that role. When Commvault needs to access the AWS resources in your account, it calls the AWS sts:AssumeRole API. The call includes the ARN of the specified IAM role and the ExternalId parameter set to the external ID; the trust policy condition on the role then permits the call only when that value matches.

Considerations

  • If you are an MSP, each AWS account that you support needs its own external ID.

  • An external ID can be any unique string that complies with the AWS IAM naming requirements.

Adding an External ID to the Trust Policy for an AWS Account

Use the following statement to add an external ID to the trust policy for an AWS account:

{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Principal": {"AWS": "<account_ID>"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "<external_ID>"}}
    }
}

Where:

  • <account_ID> is the AWS account ID of your Commvault shared services account.

  • <external_ID> is the external ID.
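To see how the condition above behaves, the following Python is an added example (not Commvault's own code) that evaluates a trust policy in this format against a simulated sts:AssumeRole call; the account ID and external ID in it are constructed placeholders. It shows why a caller from the trusted account that omits the external ID, or presents another customer's external ID, is refused, which is the confused deputy protection the external ID provides.

```python
import json

# Constructed sample trust policy in the page's format; the account ID and
# external ID are placeholders, not real values.
TRUST_POLICY = json.loads("""
{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Principal": {"AWS": "111122223333"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "customer-a-7f3e"}}
    }
}
""")


def _as_list(value):
    """IAM accepts either a single value or a list in most positions."""
    return value if isinstance(value, list) else [value]


def assume_role_allowed(policy, caller_account, external_id):
    """Decide whether an sts:AssumeRole call from caller_account, carrying
    external_id (None when the ExternalId parameter is omitted), satisfies
    the role's trust policy.

    Only the subset of IAM semantics the page uses is modelled: Allow
    statements for sts:AssumeRole with an AWS principal and an optional
    StringEquals condition on sts:ExternalId. Condition key names are
    matched case-insensitively, as IAM does.
    """
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principals = _as_list(stmt.get("Principal", {}).get("AWS", []))
        # Accept both the bare account ID and the root-principal ARN form.
        if not any(p == caller_account or p.endswith(f"::{caller_account}:root")
                   for p in principals):
            continue
        required = {k.lower(): v for k, v in
                    stmt.get("Condition", {}).get("StringEquals", {}).items()}
        if "sts:externalid" in required:
            # A missing ExternalId, or one that differs, fails StringEquals.
            if external_id is None or external_id not in _as_list(required["sts:externalid"]):
                continue
        return True
    return False
```

A wrong or missing external ID is denied even though the caller is the trusted account, which is exactly the per-customer separation the MSP consideration above relies on.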
