How to upgrade an IAM Role to match new requirements

Challenge

After upgrading Veeam Backup for AWS, you may receive the following notifications:
  • “Role for account <Account Name> has insufficient permissions for workers management. You need to grant them first”
  • “Role for account <Account Name> has insufficient permissions to use change-tracking in policies. You need to grant them first”

You might also want to add missing IAM Role permissions after running the Check Permissions operation. This article also explains how to create access keys and lists the permissions required by the user whose keys you will use to upgrade an IAM role.

Solution

New features and improvements introduced in Veeam Backup for AWS require new permissions for the Worker IAM Role to operate normally. You will see these notifications if any role on the Accounts page is missing some of these permissions.

The usual cause is the Worker IAM Role missing required permissions from the list below.
To resolve this issue manually, you should add the following permissions to your Worker IAM Role:
"ebs:ListChangedBlocks"
"ebs:ListSnapshotBlocks"
"ec2:DescribeVolumeAttribute"
"ec2:GetEbsDefaultKmsKeyId"
"kms:CreateGrant"
"kms:GetKeyPolicy"
"kms:ReEncryptFrom"
"kms:ReEncryptTo"
"sqs:SetQueueAttributes"
"iam:GetContextKeysForPrincipalPolicy"
"iam:SimulatePrincipalPolicy"
Alternatively, you can use the Check Permissions button on the Accounts page within the Configuration section to see the list of missing permissions.
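
An offline pre-check of a role's policy document against the permission list above, as an added example that is not part of the original article or of Veeam's code. The sample policy and the function names are constructed for illustration. The check only matches `Action` patterns in `Allow` statements (wildcards included) and does not evaluate `Deny`, `NotAction`, `Condition` or `Resource`, so Check Permissions in the product remains the authoritative test.

```python
import json
from fnmatch import fnmatchcase

# Worker IAM Role permissions listed in this article.
REQUIRED_ACTIONS = [
    "ebs:ListChangedBlocks", "ebs:ListSnapshotBlocks",
    "ec2:DescribeVolumeAttribute", "ec2:GetEbsDefaultKmsKeyId",
    "kms:CreateGrant", "kms:GetKeyPolicy", "kms:ReEncryptFrom", "kms:ReEncryptTo",
    "sqs:SetQueueAttributes",
    "iam:GetContextKeysForPrincipalPolicy", "iam:SimulatePrincipalPolicy",
]

# Constructed sample policy document for illustration (not a Veeam policy).
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["ebs:List*", "ec2:DescribeVolumeAttribute"], "Resource": "*"},
    {"Effect": "Allow", "Action": "kms:reencrypt*", "Resource": "*"},
    {"Effect": "Deny", "Action": "sqs:*", "Resource": "*"}
  ]
}""")


def allowed_patterns(policy):
    """Collect lower-cased Action patterns from Allow statements."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may be a bare object
        statements = [statements]
    patterns = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue  # Deny and NotAction statements are not evaluated
        actions = stmt["Action"]
        if isinstance(actions, str):  # Action may be a string or a list
            actions = [actions]
        patterns.extend(a.lower() for a in actions)
    return patterns


def missing_actions(policy, required=REQUIRED_ACTIONS):
    """Return required actions that no Allow pattern matches (case-insensitive)."""
    patterns = allowed_patterns(policy)
    return [r for r in required
            if not any(fnmatchcase(r.lower(), p) for p in patterns)]


if __name__ == "__main__":
    for action in missing_actions(SAMPLE_POLICY):
        print("missing:", action)
```
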

To let Veeam Backup for AWS grant the missing permissions:

  1. Click on the notification message.
  2. In the IAM Roles Update window, provide access keys of an IAM user that is authorized to update permissions of the IAM role, and then click Apply.
    Note: Veeam Backup for AWS does not store one-time access keys in the configuration database.
  3. To make sure that the missing permissions were successfully granted, run Check AWS Permissions for the updated role on the Accounts page.

How to generate access keys for an automatic IAM Role update

To learn how to create access keys, see the AWS Documentation.

The user whose keys you will use to upgrade an IAM role should have the following permissions:

"iam:CreatePolicy",
"iam:GetRole",
"iam:GetPolicy",
"iam:AttachRolePolicy"

KB ID: 3199
Product: Veeam Backup for AWS
Version: 2.x and later
Published: 2020-06-24
Last Modified: 2020-08-13