Veeam Support Knowledge Base
How to Create Custom IAM Role to Connect to the Repository

How to Create Custom IAM Role to Connect to the Repository

KB ID:	3033
Product:	Veeam Backup for AWS
Version:	Any
Published:	2019-12-02
Last Modified:	2022-03-17

By subscribing, you are agreeing to have your personal information managed in accordance with the terms of Veeam's Privacy Notice.

Cheers for trusting us with the spot in your mailbox!

Now you’re less likely to miss what’s been brewing in our knowledge base with this weekly digest

Oops! Something went wrong.

Please try again later.

Challenge

The backup service is using the IAM Role to generate temporary access keys to connect to the S3 bucket where backup data is stored (Veeam Backup Object Repository).

Solution

Use the following JSON to create an IAM Policy by following the instructions from the How to create IAM Policy article.
These permissions will allow the backup service to access the S3 repository to save/load data to/from an object repository.

Note: Replace yourbucketname (lines 11 and 19) with the actual bucket name.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject"
            ],
            "Resource": "arn:aws:s3:::yourbucketname/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": "arn:aws:s3:::yourbucketname"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
                "ec2:DescribeRegions"
            ],
            "Resource": "*"
        }
    ]
}
                
            

In AWS Management Console, navigate to IAM Management Console (Services -> Security, Identity & Compliance -> IAM).
Click Create role.
Select the type of the trusted entity AWS Service.
Choose S3 in Choose the service that will use this role.
Choose S3 in Select your use case.
Click Next: Permissions.
in the filter policies search box, enter the name of the policy created in the Step 1.
In the first column, select the policy.
Click Next: Tags.
Enter tagging info and click Next: Review.
Give a name to the IAM Role. You will be using this name in the Veeam Backup for AWS UI (e.g. vb4aws_repo1role).
Click Create role.
One the role is created, you will be able to see it in the list of available roles.
To add this role to the Veeam Backup for AWS service, you must update "Trust relationships" for the created role as described in this article.

To submit feedback regarding this article, please click this link: Send Article Feedback
To report a typo on this page, highlight the typo with your mouse and press CTRL + Enter.

Spelling error in text

Thank you!

Your feedback has been received and will be reviewed.

Oops! Something went wrong.

Please try again later.

You have selected too large block!

Please try select less.

KB Feedback/Suggestion

This form is only for KB Feedback/Suggestions, if you need help with the software open a support case

Product

Topic

Description

By submitting, you are agreeing to have your personal information managed in accordance with the terms of Veeam's Privacy Notice.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Verify your email to continue your product download

We've sent a verification code to:

An email with a verification code was just sent to

Didn't receive the code? Click to resend in sec

Didn't receive the code? Click to resend

Thank you!

Your feedback has been received and will be reviewed.

Oops! Something went wrong.

Please try again later.