Authentication for AWS Accounts


To configure an Amazon hypervisor, you must authenticate the hypervisor configuration with the Amazon Web Services (AWS) account.

You can choose one of the following methods for authenticating an Amazon hypervisor configuration in Commvault:

  • IAM role: By associating an IAM role with Commvault access nodes, you can provide role-based permissions to perform operations for a specific AWS account without using stored credentials.

  • Assume role: You can associate a predefined role with a Commvault hypervisor configuration. With this authentication method, the hypervisor uses the Security Token Service (STS) to assume an AWS Identity and Access Management (IAM) role that provides policy-based access to AWS resources.

    Authentication using an assumed role is the most secure method, because it provides strictly defined role-based access to AWS resources and provides operational access without requiring that you store access keys in the Commvault database. This method also provides flexibility, because a single role can be used to manage operations for different AWS accounts, and because it makes it easier to rotate credentials without needing to reconfigure hypervisors in Commvault.

  • Access key and secret key: To use an access key and secret key, obtain a key pair (access key and secret key) from the Amazon EC2 website section on Security Credentials.

    Authentication using key pairs is the least secure method of authentication, because it grants greater access to AWS resources than is required for daily operations. It also increases management overhead to maintain configurations when credentials are rotated.

IAM Role

To authenticate using an IAM role, perform the following configuration:

  • Deploy Commvault access nodes on compute-optimized instances hosted in Amazon.

  • If you select this option, select an access node that has an IAM role associated with it in the AWS Console.

    If you select IAM role for the Amazon hypervisor configuration, but an access node that is not associated with the IAM role is used for an operation, the operation fails.

    The IAM role must have appropriate permissions, which can be any of the following:

STS Assume Role with IAM Policy

To use an (Security Token Service) STS role with IAM policy, perform the following configuration:

  • Deploy Commvault access nodes on compute-optimized instances hosted in Amazon.

    The access nodes must have access to the Regional STS endpoints if the region is set in the VSA hypervisor. Otherwise, access to the Regional STS and Zonal STS endpoints is required.

    • Regional STS endpoints: For example, for instances in a region called us-east-1, the endpoint would be

    • Zonal STS endpoints: For example, the zonal endpoints in the us-east-1 region are us-east-1a, us-east-1b, and us-east-1c.

  • Define an IAM administrator role and attach an IAM policy that includes the sts:AssumeRole permission.

  • Associate the IAM admin role with the Commvault access nodes.

  • Download the amazon_restricted_role_permissions.json policy file to specify the permissions for required operations.

  • Define an IAM operations role and attach the amazon_restricted_role_permissions.json policy file to provide the permissions required to access AWS resources and perform required operations.

  • To the IAM operations role, add the admin account ID (Self) as a trusted entity that can use this role.

  • Copy the role ARN (Amazon Resource Name) for the tenant operations role.

  • Configure the Amazon hypervisor using the role ARN for the tenant operations role, and add access nodes that have the IAM operations role associated for the hypervisor configuration.

Access Key and Secret Key

If you select this option during the Commvault hypervisor configuration, provide the following information:

  • Access Key ID that is associated with your Amazon account.

  • Secret Access Key that is associated with your Amazon account.

To apply an IAM policy for the hypervisor when you use this authentication method, you can attach an IAM policy to the user who is associated with the access and secret key.