Before You Begin
When you deploy a backup appliance, Veeam Backup for AWS automatically creates a specific IAM role, the Impersonation role, and attaches it to the backup appliance. The Impersonation IAM role is then used to assume other IAM roles added to Veeam Backup for AWS to perform operations in your infrastructure, and it is automatically assigned the sts:AssumeRole permission required to assume these roles.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "sts:AssumeRole"
          ],
          "Resource": "*"
        }
      ]
    }

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "sts:AssumeRole",
          "Principal": {
            "AWS": "<Role ARN>"
          }
        }
      ]
    }

Configuring Trust Relationships
1. Open the EC2 console and do the following:
    a. Navigate to Instances.
    b. In the Instances section, locate the EC2 instance running the backup appliance.
    c. On the Summary page, switch to the Security tab and click the link next to the IAM Role field. The IAM console will open.
2. In the IAM console, do the following:
    a. Copy the value displayed in the ARN field. You will need it later.
    b. Navigate to Roles and locate the IAM role for which you want to configure trust relationships.
    c. On the Summary page, switch to the Trust relationships tab and click Edit trust policy.
    d. In the Edit trust policy field, add the following statement:

        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": "sts:AssumeRole",
              "Principal": {
                "AWS": "<Role ARN>"
              }
            }
          ]
        }

       Where <Role ARN> is either the ARN of the Impersonation IAM role that you copied at step 2a or the ARN of the AWS account to which the backup appliance belongs.
    e. Click Update policy. Note that it may take up to 5 minutes for AWS to update the trust policy.
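
A check for the trust policy produced by the procedure above, as an added example that is not Veeam or AWS code: it parses a trust policy document and reports whether the sts:AssumeRole grant names exactly the Impersonation role, the whole account, or another principal. The account IDs, role names and helper function names are constructed placeholders.

```python
import json

# Constructed placeholder: substitute the ARN copied at step 2a.
ROLE_ARN = "arn:aws:iam::111122223333:role/example-impersonation-role"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def classify(principal, role_arn):
    """Classify one AWS principal relative to the Impersonation role ARN."""
    account_id = role_arn.split(":")[4]
    if principal == "*":
        return "wildcard"   # any AWS principal, far broader than the page asks for
    if principal == role_arn:
        return "exact"      # only the Impersonation role
    if principal in (account_id, f"arn:aws:iam::{account_id}:root"):
        return "account"    # whole appliance account, gated by its IAM policies
    return "other"

def audit_trust_policy(policy_json, role_arn):
    """Return (classification, principal) for each Allow of sts:AssumeRole.

    Condition blocks and Deny statements are not evaluated here.
    """
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if stmt.get("Effect") != "Allow" or not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        principal = stmt.get("Principal", {})
        aws = [principal] if isinstance(principal, str) else _as_list(principal.get("AWS", []))
        findings.extend((classify(p, role_arn), p) for p in aws)
    return findings

def appliance_trusted(findings):
    """True if some statement lets the Impersonation role be a caller."""
    return any(kind != "other" for kind, _ in findings)

def make_policy(principal_arn):
    """Build the trust policy shown on the page for a given <Role ARN>."""
    return json.dumps({"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole",
        "Principal": {"AWS": principal_arn}}]})

if __name__ == "__main__":
    for arn in (ROLE_ARN, "arn:aws:iam::111122223333:root",
                "arn:aws:iam::444455556666:role/unrelated"):
        result = audit_trust_policy(make_policy(arn), ROLE_ARN)
        print(result, "appliance trusted:", appliance_trusted(result))
```

An "account" result means any identity in that account whose own policy allows sts:AssumeRole on the role can assume it, so the exact role ARN is the narrower of the two values the procedure accepts.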