Step 3.1 Specify IAM Role
In the IAM role section of the Sources step of the wizard, you must specify an IAM role whose permissions will be used to access AWS services and resources, and to create cloud-native snapshots of EC2 instances. If you specify an IAM role created in another AWS account, the backup policy will process EC2 instances on which the specified IAM role has permissions in that AWS account.
For an IAM role to be displayed in the IAM role list, it must be added to Veeam Backup for AWS as described in Adding IAM Roles. If you have not added the necessary IAM role to Veeam Backup for AWS beforehand, you can do it without closing the Add Policy wizard. To add an IAM role, click Add and complete the Add IAM Role wizard.
It is recommended that you check whether the selected IAM role has all the required permissions to perform backup. If the IAM role permissions are insufficient, the backup policy will fail. To run the IAM role permission check, click Check Permissions. Veeam Backup for AWS will display the Permission check window where you can view the progress and results of the performed check. If the IAM role permissions are insufficient, the check will complete with errors. You can view the list of permissions that must be granted to the IAM role in the Missing Permissions column. For more information on required permissions, see EC2 Backup IAM Role Permissions.
You can grant the missing permissions to the IAM role in the IAM Management Console or instruct Veeam Backup for AWS to do it. To learn how to grant permissions to an IAM Role using the IAM Management Console, see AWS Documentation.
- In the Permission check window, click Grant.
- In the Grant Permissions window, provide one-time access keys of an IAM user that is authorized to update permissions of the IAM role, and then click Apply.
The IAM user whose access keys are used to update the IAM role must have the following permissions:
Veeam Backup for AWS does not store one-time access keys in the configuration database.
- To make sure that the missing permissions were successfully granted, click Recheck.