- Knowledge Base Listing Page
- How to upgrade an IAM Role to match new requirements
How to upgrade an IAM Role to match new requirements
| KB ID: | 3199 |
| Product: | Veeam Backup for AWS |
| Version: | 2.x and later |
| Published: | 2020-06-24 |
| Last Modified: | 2020-12-11 |
Cheers for trusting us with the spot in your mailbox!
Now you’re less likely to miss what’s been brewing in our knowledge base with this weekly digest
Challenge
After upgrading Veeam Backup for AWS you can receive the following notifications:
- “Role for account <Account Name> has insufficient permissions for workers management. You need to grant them first”
- “Role for account <Account Name> has insufficient permissions to use change-tracking in policies. You need to grant them first”
You might also want to add the missing IAM Role permissions after the Check Permissions operation performing - here you will find information on how to create access keys and a list of necessary permissions for the user, whose keys you will use to upgrade an IAM role.
Solution
The usual cause is the Worker IAM Role missing required permissions from the list below.
To resolve this issue manually, you should add the following permissions to your Worker IAM Role.
"ec2:AttachVolume",
"ec2:CopySnapshot",
"ec2:CreateTags",
"ec2:CreateVolume",
"ec2:DeleteSnapshot",
"ec2:DeleteVolume",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeConversionTasks",
"ec2:DescribeImages",
"ec2:DescribeInstanceAttribute",
"ec2:DescribeInstances",
"ec2:DescribeInstanceStatus",
"ec2:DescribeInstanceTypes",
"ec2:DescribeKeyPairs",
"ec2:DescribeRegions",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSnapshots",
"ec2:DescribeSubnets",
"ec2:DescribeVolumes",
"ec2:DescribeVpcs",
"ec2:DetachVolume",
"ec2:GetEbsDefaultkmsKeyId",
"ec2:ModifyInstanceAttribute",
"ec2:RunInstances",
"ec2:StartInstances",
"ec2:StopInstances",
"ec2:TerminateInstances",
"iam:GetContextKeysForPrincipalPolicy",
"iam:PassRole",
"iam:SimulatePrincipalPolicy",
"kms:CreateGrant",
"kms:DescribeKey",
"kms:GetKeyPolicy",
"kms:ListAliases",
"kms:ListKeys",
"kms:ReEncryptFrom",
"kms:ReEncryptTo",Alternatively, you can use the Check Permissions button on the Accounts page within the Configuration section to see the list of missing permissions.
To let Veeam Backup for AWS grant the missing permissions:
- Click on the notification message.
- In the IAM Roles Update window, provide access keys of an IAM user that is authorized to update permissions of the IAM role, and then click Apply.
- To make sure that the missing permissions were successfully granted, perform Check AWS Permissions for the updated role on the Accounts page.
How to generate access keys for automatically IAM Role update
To learn how to create access keys, see the AWS Documentation.
The user whose keys you will use to upgrade an IAM role should have the following permissions:
"iam:CreatePolicy",
"iam:GetRole",
"iam:GetPolicy",
"iam:AttachRolePolicy"To report a typo on this page, highlight the typo with your mouse and press CTRL + Enter.
Spelling error in text
Thank you!
Your feedback has been received and will be reviewed.
Oops! Something went wrong.
Please try again later.
KB Feedback/Suggestion
This form is only for KB Feedback/Suggestions, if you need help with the software open a support case
Thank you!
Your feedback has been received and will be reviewed.