Agentless, cloud-native backup for Amazon Web Services (AWS)
Post Reply
nhwanderer
Novice
Posts: 8
Liked: 1 time
Joined: Oct 13, 2017 7:37 pm
Full Name: Jordan Desroches
Contact:

Backing up several AWS accounts?

Post by nhwanderer »

Hi all,

We have around 6 AWS accounts in an AWS organization structure, each serving as a sandbox or production environment for a different group. I'm trying to figure out if it's possible to backup resources in these accounts from a single Veeam Backup for AWS console. It looks like the structure is there to backup a single remote account, but I can't figure out how to backup several. Guidance would be very appreciated.

Thank you!
nielsengelen
Product Manager
Posts: 5619
Liked: 1177 times
Joined: Jul 15, 2013 11:09 am
Full Name: Niels Engelen
Contact:

Re: Backing up several AWS accounts?

Post by nielsengelen »

Hi,

This is possible by adding additional IAM roles from another account (external account). For more information, see the user guide.
Personal blog: https://foonet.be
GitHub: https://github.com/nielsengelen
lando_uk
Veteran
Posts: 371
Liked: 32 times
Joined: Oct 17, 2013 10:02 am
Full Name: Mark
Location: UK
Contact:

Re: Backing up several AWS accounts?

Post by lando_uk »

I'm also having a hard time finding this info or an install guide when using multiple accounts. It's all very vague, is there a blog or set of videos that goes over everything. This is bound to be a common requirement.
nielsengelen
Product Manager
Posts: 5619
Liked: 1177 times
Joined: Jul 15, 2013 11:09 am
Full Name: Niels Engelen
Contact:

Re: Backing up several AWS accounts?

Post by nielsengelen »

Hi Mark,

Thanks for the feedback.

Right now, there are 3 steps that u need to follow which are mentioned in user guide. You'll have to follow all the steps listed on the AWS documentation and once this external account is created, you can add it to VB for AWS.

We'll look into a way to enhance the documentation to make it more clear.
Personal blog: https://foonet.be
GitHub: https://github.com/nielsengelen
aquegles
Enthusiast
Posts: 33
Liked: never
Joined: Aug 21, 2014 7:39 pm
Full Name: Alejandro Quegles
Contact:

Re: Backing up several AWS accounts?

Post by aquegles »

Hello, sorry for jumping in this post, but i have some issues with VB for AWS cross account backup.
So, i followed the steps from both veeam and aws guides, and successfully added the IAM role to VB for AWS.
But, when i check the permissions for the role, it says "The role is not assigned anywhere".
Where should i assign the role? somwhere on the second account or in my primary account with VB AWS?

Thanks!
Regards
nielsengelen
Product Manager
Posts: 5619
Liked: 1177 times
Joined: Jul 15, 2013 11:09 am
Full Name: Niels Engelen
Contact:

Re: Backing up several AWS accounts?

Post by nielsengelen » 1 person likes this post

Hi Alejandro, is this via the check permission button on the IAM role page or is this within a policy?
Personal blog: https://foonet.be
GitHub: https://github.com/nielsengelen
aquegles
Enthusiast
Posts: 33
Liked: never
Joined: Aug 21, 2014 7:39 pm
Full Name: Alejandro Quegles
Contact:

Re: Backing up several AWS accounts?

Post by aquegles »

Hello nielsengelen
Yes, this is via check permission button.
I'm not being able to find the required permissions for IAM role on cross account for backup of the second account resources. Should it be full EC2 resources access?

Thanks!
nielsengelen
Product Manager
Posts: 5619
Liked: 1177 times
Joined: Jul 15, 2013 11:09 am
Full Name: Niels Engelen
Contact:

Re: Backing up several AWS accounts?

Post by nielsengelen »

Hi Alejandro,

The list is available via https://www.veeam.com/kb3032. We are planning to enhance the user guide around this topic.
Personal blog: https://foonet.be
GitHub: https://github.com/nielsengelen
aquegles
Enthusiast
Posts: 33
Liked: never
Joined: Aug 21, 2014 7:39 pm
Full Name: Alejandro Quegles
Contact:

Re: Backing up several AWS accounts?

Post by aquegles »

Hello,

If i understand correctly, i should create a role with the policies described under "Isolated from production backup deployment" in the secondary account and make it available from the primary account.

Then, on Veeam for aws i must add this new role selecting as trusted entity "Another AWS account", using the primary aws account ID and the external ID from the role created in the secondary account?

This will allow the primary account on which Veeam is deployed to backup resources from the secondary account?

Thanks again
Regards!
nielsengelen
Product Manager
Posts: 5619
Liked: 1177 times
Joined: Jul 15, 2013 11:09 am
Full Name: Niels Engelen
Contact:

Re: Backing up several AWS accounts?

Post by nielsengelen »

Hi, correct. This is the right order to configure it.
Personal blog: https://foonet.be
GitHub: https://github.com/nielsengelen
aquegles
Enthusiast
Posts: 33
Liked: never
Joined: Aug 21, 2014 7:39 pm
Full Name: Alejandro Quegles
Contact:

Re: Backing up several AWS accounts?

Post by aquegles »

Hello,

I followed the steps for adding the secondary account, and when i add the role to Veeam, it says : Invalid role or credentials for specified account. Status code : Forbbiden.

But, when i put the secondary account id on the account id, the configuration ends with no error.
The thing when this is configured, the added iam role can't see any resources from the secondary account.

I have a case opened in support, but the response time is pretty slow..

is there something i'm missing?

Thanks
nielsengelen
Product Manager
Posts: 5619
Liked: 1177 times
Joined: Jul 15, 2013 11:09 am
Full Name: Niels Engelen
Contact:

Re: Backing up several AWS accounts?

Post by nielsengelen »

From your description, I can't see anything missing/wrong. Would you be able to share the support case ID so I can check it up internally?
Personal blog: https://foonet.be
GitHub: https://github.com/nielsengelen
aquegles
Enthusiast
Posts: 33
Liked: never
Joined: Aug 21, 2014 7:39 pm
Full Name: Alejandro Quegles
Contact:

Re: Backing up several AWS accounts?

Post by aquegles »

Of course.
Is Case #04801687
nielsengelen
Product Manager
Posts: 5619
Liked: 1177 times
Joined: Jul 15, 2013 11:09 am
Full Name: Niels Engelen
Contact:

Re: Backing up several AWS accounts?

Post by nielsengelen »

I noticed they gave you a link to a KB which also describes a similar issue around Trust relationships which may be the solution to this. Can u verify in the second account under the created role (https://console.aws.amazon.com/iam/home?#/roles) under the "Trust relationships" tab, you can see the external account ID?

It should look something like this (but with the other account ID under trusted entities which I filtered out): https://www.dropbox.com/s/cm6fqqc0eoz0k ... p.png?dl=0

Additionally, can u also verify what support provided u via https://www.veeam.com/kb3120 is correct?
Personal blog: https://foonet.be
GitHub: https://github.com/nielsengelen
aquegles
Enthusiast
Posts: 33
Liked: never
Joined: Aug 21, 2014 7:39 pm
Full Name: Alejandro Quegles
Contact:

Re: Backing up several AWS accounts?

Post by aquegles »

Hi,

This is how it looks like in my secondary account ( after following the kb https://www.veeam.com/kb3120 provided by support)

https://drive.google.com/file/d/1Zj4K1Y ... sp=sharing

Before following this kb, i had the Trusted Entity like your screenshot.
nielsengelen
Product Manager
Posts: 5619
Liked: 1177 times
Joined: Jul 15, 2013 11:09 am
Full Name: Niels Engelen
Contact:

Re: Backing up several AWS accounts?

Post by nielsengelen »

I fear that to understand exactly which account is the issue, we need the logs. Did u already export these and add them to the case for the engineer? This will greatly help troubleshooting.
Personal blog: https://foonet.be
GitHub: https://github.com/nielsengelen
nielsengelen
Product Manager
Posts: 5619
Liked: 1177 times
Joined: Jul 15, 2013 11:09 am
Full Name: Niels Engelen
Contact:

Re: Backing up several AWS accounts?

Post by nielsengelen »

I also talked to support. They will contact you ASAP to further assist you.
Personal blog: https://foonet.be
GitHub: https://github.com/nielsengelen
aquegles
Enthusiast
Posts: 33
Liked: never
Joined: Aug 21, 2014 7:39 pm
Full Name: Alejandro Quegles
Contact:

Re: Backing up several AWS accounts?

Post by aquegles »

I've just attached the logs to the support case.
I'll wait for support to contact me.
Thanks for all your help!
nielsengelen
Product Manager
Posts: 5619
Liked: 1177 times
Joined: Jul 15, 2013 11:09 am
Full Name: Niels Engelen
Contact:

Re: Backing up several AWS accounts?

Post by nielsengelen »

I notice the case is still ongoing and I've asked our team to provide you with an update to resolve the issue. From the looks of it, it is related to a missing permission for one of the accounts.
Personal blog: https://foonet.be
GitHub: https://github.com/nielsengelen
aquegles
Enthusiast
Posts: 33
Liked: never
Joined: Aug 21, 2014 7:39 pm
Full Name: Alejandro Quegles
Contact:

Re: Backing up several AWS accounts?

Post by aquegles »

Hello Niels, and thanks for your help!

A tier 2 engineer contacted me and told me that what i needed to do is simply configure a backup job for the entire region on the secondary account. This would make Veeam able to list the resources there.
I did this and it worked, now i can perform cross account backups.

The role on the secondary account has as trusted entity the VeeamImpersonationRoleV1 created by the cloudformation stack, with the external ID configurated.
The only thing that differs from the configuration you suggested me is that the IAM account on Veeam has as accountID the ID from the secondary account.

As a side note, i'd like to say that the Veeam on AWS documentation is clearly poor and lacking with a lot of information on basic inital configurations needed. For example, this step needed for the listing of resources, or the KB that you send me on this post are not in any of the guides.
Hopefully it'll be updated soon.

Thanks again for all your help!!
Regards
nielsengelen
Product Manager
Posts: 5619
Liked: 1177 times
Joined: Jul 15, 2013 11:09 am
Full Name: Niels Engelen
Contact:

Re: Backing up several AWS accounts?

Post by nielsengelen »

Hi Alejandro, yes - we will for sure adjust the documentation and/or KB based upon this feedback hence why I pushed the support team to assist you asap.

Any other feedback is welcome!
Personal blog: https://foonet.be
GitHub: https://github.com/nielsengelen
Post Reply

Who is online

Users browsing this forum: No registered users and 1 guest