Agentless, cloud-native backup for Amazon Web Services (AWS)
Asahi
Expert
Posts: 176
Liked: 12 times
Joined: Jun 03, 2016 5:44 am
Full Name: Iio Asahi
Location: Japan
Contact:

Regarding the IAM role assigned to the source EC2 instance in FLR's Additional Restore Mode

Post by Asahi »

Hi Team,

I am currently using VB4AWS to test a file-level restore to the original, but the “Restore” button is grayed out.
VB4AWS and the source EC2 instance (Amazon Linux) are in different AWS accounts.

The IAM role assigned to the source EC2 instance was created based on the following documentation.
https://helpcenter.veeam.com/docs/vbaws ... l-location
Of course, the SSM role has been assigned.

When I checked with support, I was told that the trust relationship for the IAM role assigned to the source EC2 instance does not meet Veeam’s requirements for file-level restores to the original location.
I was told that the following must be added:


"AWS": "arn:aws:iam::<backup-account-id>:role/<VeeamImpersonationRole>"
In other words, the trust relationship appears to be as follows.


{
 "Version": "2012-10-17",
 "Statement": [
   {
     "Effect": "Allow",
     "Action": "sts:AssumeRole",
     "Principal": {
       "Service": "ec2.amazonaws.com",
       "AWS": "arn:aws:iam::<backup-account-id>:role/<VeeamImpersonationRole>"
     }
   }
 ]
}
The original documentation on file-level restores that I referred to did not mention the VeeamImpersonationRole.
Is a Trust Relationship permission for the VeeamImpersonationRole required?
If so, why is the VeeamImpersonationRole not mentioned on this page?

Kind Regards,
Asahi,
Climb Inc.
Royadiel
Veeam Software
Posts: 43
Liked: 10 times
Joined: Aug 19, 2022 8:51 pm
Full Name: Roy Adiel
Contact:

Re: Regarding the IAM role assigned to the source EC2 instance in FLR's Additional Restore Mode

Post by Royadiel »

Hi Asahi,
Yes, that trust change is required for cross-account FLR to the original location, and support are correct. Original location restore pushes files back through SSM + Kinesis, and when Veeam Backup for AWS is in a different account it has to assume a role into the source account to do that. Single account, that path is implicit (so the doc never mentions it) while in cross-account, you have to grant it on the source instance's role. That's why the Restore button stays greyed out: the impersonation can't be established.

There's a community post that might help:
https://community.veeam.com/cloud-city- ... ation-5188

~Roy
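
The trust-relationship requirement discussed above can be checked offline before retrying the restore. The following Python sketch is an added example, not part of the original posts and not Veeam's code; the account ID, the role name `ExampleImpersonationRole` and the function names are constructed for illustration.

```python
import json

def _as_list(value):
    """IAM allows a single value or a list in many fields; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def assume_role_principals(trust_policy):
    """Return (services, aws_principals) that an Allow statement lets call sts:AssumeRole."""
    services, aws = set(), set()
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":          # bare wildcard form of Principal
            aws.add("*")
            continue
        services.update(_as_list(principal.get("Service")))
        aws.update(_as_list(principal.get("AWS")))
    return services, aws

def check_flr_trust(trust_policy, impersonation_role_arn):
    """List what is missing or too broad for cross-account restore to the original location."""
    services, aws = assume_role_principals(trust_policy)
    findings = []
    if "ec2.amazonaws.com" not in services:
        findings.append("missing Service principal ec2.amazonaws.com")
    if impersonation_role_arn not in aws:
        findings.append("missing AWS principal " + impersonation_role_arn)
    if "*" in aws:
        findings.append("wildcard principal: any AWS identity can assume this role")
    return findings

# Constructed sample values (not from the thread): account ID and role name.
ROLE_ARN = "arn:aws:iam::111122223333:role/ExampleImpersonationRole"
SINGLE_ACCOUNT = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": "sts:AssumeRole",
   "Principal": {"Service": "ec2.amazonaws.com"}}]}""")
CROSS_ACCOUNT = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": "sts:AssumeRole",
   "Principal": {"Service": "ec2.amazonaws.com", "AWS": "%s"}}]}""" % ROLE_ARN)

if __name__ == "__main__":
    for name, doc in (("single-account", SINGLE_ACCOUNT), ("cross-account", CROSS_ACCOUNT)):
        print(name, check_flr_trust(doc, ROLE_ARN) or "ok")
```

The check compares ARNs as plain strings and does not evaluate `Condition` or `NotPrincipal` elements. The policy to feed it can be taken from `aws iam get-role --role-name <role> --query Role.AssumeRolePolicyDocument`.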
Asahi
Expert
Posts: 176
Liked: 12 times
Joined: Jun 03, 2016 5:44 am
Full Name: Iio Asahi
Location: Japan
Contact:

Re: Regarding the IAM role assigned to the source EC2 instance in FLR's Additional Restore Mode

Post by Asahi »

Hi Roy,

Thank you for your reply.

I understand that if you're using a different account, you need to assume the VeeamImpersonationRole.
However, I wish Veeam would make this clear in their documentation.

Kind Regards,
Asahi,
Climb Inc.
Royadiel
Veeam Software
Posts: 43
Liked: 10 times
Joined: Aug 19, 2022 8:51 pm
Full Name: Roy Adiel
Contact:

Re: Regarding the IAM role assigned to the source EC2 instance in FLR's Additional Restore Mode

Post by Royadiel »

Noted, I will check internally how we can improve the wording to make this clearer.

~Roy