Backing up several AWS accounts?

[nhwanderer]

Hi all,

We have around 6 AWS accounts in an AWS organization structure, each serving as a sandbox or production environment for a different group. I'm trying to figure out if it's possible to backup resources in these accounts from a single Veeam Backup for AWS console. It looks like the structure is there to backup a single remote account, but I can't figure out how to backup several. Guidance would be very appreciated.

Thank you!

[nielsengelen]

Hi,

This is possible by adding additional IAM roles from another account (external account). For more information, see the user guide.

[lando_uk]

I'm also having a hard time finding this info or an install guide when using multiple accounts. It's all very vague, is there a blog or set of videos that goes over everything. This is bound to be a common requirement.

[nielsengelen]

Hi Mark,

Thanks for the feedback.

Right now, there are 3 steps that u need to follow which are mentioned in user guide. You'll have to follow all the steps listed on the AWS documentation and once this external account is created, you can add it to VB for AWS.

We'll look into a way to enhance the documentation to make it more clear.

[aquegles]

Hello, sorry for jumping in this post, but i have some issues with VB for AWS cross account backup.
So, i followed the steps from both veeam and aws guides, and successfully added the IAM role to VB for AWS.
But, when i check the permissions for the role, it says "The role is not assigned anywhere".
Where should i assign the role? somwhere on the second account or in my primary account with VB AWS?

Thanks!
Regards

[nielsengelen]

Hi Alejandro, is this via the check permission button on the IAM role page or is this within a policy?

[aquegles]

Hello nielsengelen
Yes, this is via check permission button.
I'm not being able to find the required permissions for IAM role on cross account for backup of the second account resources. Should it be full EC2 resources access?

Thanks!

[nielsengelen]

Hi Alejandro,

The list is available via https://www.veeam.com/kb3032. We are planning to enhance the user guide around this topic.

[aquegles]

Hello,

If i understand correctly, i should create a role with the policies described under "Isolated from production backup deployment" in the secondary account and make it available from the primary account.

Then, on Veeam for aws i must add this new role selecting as trusted entity "Another AWS account", using the primary aws account ID and the external ID from the role created in the secondary account?

This will allow the primary account on which Veeam is deployed to backup resources from the secondary account?

Thanks again
Regards!

[nielsengelen]

Hi, correct. This is the right order to configure it.

[aquegles]

Hello,

I followed the steps for adding the secondary account, and when i add the role to Veeam, it says : Invalid role or credentials for specified account. Status code : Forbbiden.

But, when i put the secondary account id on the account id, the configuration ends with no error.
The thing when this is configured, the added iam role can't see any resources from the secondary account.

I have a case opened in support, but the response time is pretty slow..

is there something i'm missing?

Thanks

[nielsengelen]

From your description, I can't see anything missing/wrong. Would you be able to share the support case ID so I can check it up internally?

[aquegles]

Of course.
Is Case #04801687

[nielsengelen]

I noticed they gave you a link to a KB which also describes a similar issue around Trust relationships which may be the solution to this. Can u verify in the second account under the created role (https://console.aws.amazon.com/iam/home?#/roles) under the "Trust relationships" tab, you can see the external account ID?

It should look something like this (but with the other account ID under trusted entities which I filtered out): https://www.dropbox.com/s/cm6fqqc0eoz0k ... p.png?dl=0

Additionally, can u also verify what support provided u via https://www.veeam.com/kb3120 is correct?

[aquegles]

Hi,

This is how it looks like in my secondary account ( after following the kb https://www.veeam.com/kb3120 provided by support)

https://drive.google.com/file/d/1Zj4K1Y ... sp=sharing

Before following this kb, i had the Trusted Entity like your screenshot.

[nielsengelen]

I fear that to understand exactly which account is the issue, we need the logs. Did u already export these and add them to the case for the engineer? This will greatly help troubleshooting.

[nielsengelen]

I also talked to support. They will contact you ASAP to further assist you.

[aquegles]

I've just attached the logs to the support case.
I'll wait for support to contact me.
Thanks for all your help!

[nielsengelen]

I notice the case is still ongoing and I've asked our team to provide you with an update to resolve the issue. From the looks of it, it is related to a missing permission for one of the accounts.

[aquegles]

Hello Niels, and thanks for your help!

A tier 2 engineer contacted me and told me that what i needed to do is simply configure a backup job for the entire region on the secondary account. This would make Veeam able to list the resources there.
I did this and it worked, now i can perform cross account backups.

The role on the secondary account has as trusted entity the VeeamImpersonationRoleV1 created by the cloudformation stack, with the external ID configurated.
The only thing that differs from the configuration you suggested me is that the IAM account on Veeam has as accountID the ID from the secondary account.

As a side note, i'd like to say that the Veeam on AWS documentation is clearly poor and lacking with a lot of information on basic inital configurations needed. For example, this step needed for the listing of resources, or the KB that you send me on this post are not in any of the guides.
Hopefully it'll be updated soon.

Thanks again for all your help!!
Regards

[nielsengelen]

Hi Alejandro, yes - we will for sure adjust the documentation and/or KB based upon this feedback hence why I pushed the support team to assist you asap.

Any other feedback is welcome!