For faster restores for S3 Glacier to operate, you must allow the creation of new S3 Batch Operations jobs from your existing Commvault MediaAgents, and allow those jobs to perform S3 Glacier Restore Operations.
Procedure
-
Create a new IAM role for Amazon S3 Batch Operations to assume during batch restores using the IAM permissions in Faster_Restores_Amazon_S3_Glacier_IAM_role_permissions.json.
-
Create your new Amazon S3 Glacier bucket, and associated Commvault Cloud Storage location, and ensure that the MediaAgent IAM identity (role) is granted
s3:CreateJob and iam:PassRolepermission to pass the IAM role to be used for the restore. Ensure the `iam:PassRole`` permission is restricted to the role created in step 1 (that is, "Resource": "arn:aws:iam::accountid:role/newly-created-IAM-role-for-batch-restores").Alternatively, you can modify an existing Commvault MediaAgent IAM user, group, or role and add the
s3:CreateJobandiam:PassRolepermissio. -
Allow the S3 Batch Operations service principle to assume the IAM role, attach the following trust policy to the role modified in step 2 by editing the trust relationship for an existing role. Paste the content of S3 Batch Operations $[s3batchoperations_trust_policy.JSON] (file:products/vs_amazon_s3/templates/s3batchoperations_trust_policy.json) into the trust policy editor, and then select Update policy.