This article discusses the configuration steps you need to perform in AWS to use IAM Roles with NetBackup.
For more information about using IAM Roles with NetBackup see, the NetBackup Cloud Administration Guide.
See Amazon IAM web portal to know more about IAM Roles.
You need to perform the following configurations in Amazon for using AWS IAM Roles with NetBackup.
Create AWS IAM role
- In AWS console, create a Permission Policy based on the list of S3 permissions provided.
Following is an example of policy with NetBackup required permissions. Note that the s3:GetBucketObjectLockConfiguration, s3:DeleteObject, s3:PutObject, and s3:GetObject entries shown below are requirements for the 10.3 and greater releases.{"Version": "2012-10-17","Statement": [{"Effect": "Allow","Action": ["s3:GetBucketLocation","s3:ListAllMyBuckets","s3:CreateBucket","s3:ListBucket""s3:GetBucketObjectLockConfiguration",> "s3:DeleteObject","s3:PutObject""s3:GetObject"],"Resource": "arn:aws:s3:::*"},{"Effect": "Allow","Action": ["s3:GetObject","s3:RestoreObject"],"Resource": ["arn:aws:s3:::BucketName/*"]}]} - In AWS Console, Add the Trust Relationship policy. Following is an example:
{"Version": "2012-10-17","Statement": [{"Effect": "Allow","Principal": {"Service": "ec2.amazonaws.com"},"Action": "sts:AssumeRole"}} Create a role.
For detailed steps to creating AWS IAM role from AWS console, see Creating a Role for an AWS Service (Console).Create role
Trusted Entity – AWS Service
Service – EC2
Add custom Permission Policy created previously
Add Tag(s)
Review
Set NetBackup required S3 permissions. For details, see Permissions required for Amazon IAM user.
NetBackup requires the following set of permissions for S3 operations. Note that the s3:GetBucketObjectLockConfiguration option shown below is a requirement for the 10.3 and greater releases.s3:CreateBucket
s3:GetBucketObjectLockConfiguration
s3:ListAllMyBuckets
s3:ListBucket
s3:GetBucketLocation
s3:GetObject
s3:PutObject
s3:DeleteObject
For Amazon Glacier, you need following additional permissions:s3:RestoreObject
For Amazon Glacier Tiering, you need the following additional permissions:s3:PutLifecycleConfiguration
s3: GetLifecycleConfiguration
s3:PutObjectTagging
Provide access to S3 bucket. Using AWS console, you can provide access permissions to S3 buckets.
Resource-based policies and AWS Identity and Access Management (IAM) policies
Resource-based Access Control List (ACL) and IAM policies
Cross-account IAM roles
For detailed steps to configure cross account AWS IAM role, see Tutorial: Delegate Access Across AWS Accounts Using IAM Roles
Establish trust relationship of IAM role with EC2 instance.
For detailed steps to establish the trust relationship with EC2, see Using IAM Roles on EC2 instances.
Attach role to EC2 instance
For detailed steps to create EC2 instance with attached AWS IAM role, see I’ve created an IAM role, and now I want to assign it to an EC2 instance.
Although a role is usually assigned to an EC2 instance when you launch it, a role can also be attached to an EC2 instance that is already running. See, Attaching an IAM Role to an Instance
Only one role can be assigned to an EC2 instance at a time. All applications on the instance share the same role and permissions.
Known Issue
If you are using the latest cloudprovider.xml file with a NetBackup version earlier than 8.2, the IAM Role option will be visible, but you won't be able to configure it.
Was this content helpful?
Translated Content
Please note that this document is a translation from English, and may have been machine-translated. It is possible that updates have been made to the original version after this document was translated and published. Veritas does not guarantee the accuracy regarding the completeness of the translation. You may also refer to the English Version of this knowledge base article for up-to-date information.