If you selected Create a new IAM Role at the IAM Mode step of the wizard, specify the following settings:
- In the AWS Role Name field, specify the name for the IAM role. The IAM role will be created with the specified name in AWS.
- Under Grant the following permissions, select check boxes next to permission sets that must be granted to the IAM role:
  - Service Role — select this check box to grant permissions sufficient to launch worker instances.
  - Policy Role — select this check box to grant permissions sufficient to perform EC2 instance backup.
    The IAM role with this permission set will allow you to back up any EC2 instance within the AWS account.
  - Repository Role — select this check box to grant permissions sufficient to add Amazon S3 buckets as S3 repositories.
    The IAM role with this permission set will allow you to add as an S3 repository any Amazon S3 bucket within an AWS account.

  If the provided permission sets do not meet your needs, leave the check boxes cleared. For example, you may want the IAM role to have permissions only on some EC2 instances, not all EC2 instances within an AWS account. In this case, after the IAM role is created, you can grant the necessary permissions to it in the IAM Management Console manually.
- Provide one-time access keys of an IAM user that is authorized to create IAM roles in an AWS account.
  The specified access keys determine in which AWS account the role will be created. For example, if you specify access keys of an IAM user from the initial AWS account, the IAM role will be created in the initial AWS account and will have permissions on AWS services and resources of the initial account.
  Note that Veeam Backup for AWS does not store one-time access keys in the configuration database.
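
If you leave the check boxes cleared and grant permissions manually, a check like the following can confirm that the policy you wrote does not still reach every EC2 instance or S3 bucket in the account. This is an added example, not Veeam code: the sample policy, the `Backup` tag, the bucket name and the function names are constructed for illustration and are not the permission set Veeam Backup for AWS requires.

```python
# Constructed sample policy for illustration; NOT Veeam's required permission set.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DescribeAll", "Effect": "Allow", "Resource": "*",
     "Action": ["ec2:DescribeInstances", "ec2:DescribeVolumes"]},
    {"Sid": "TaggedInstancesOnly", "Effect": "Allow",
     "Action": "ec2:CreateSnapshots", "Resource": "arn:aws:ec2:*:*:instance/*",
     "Condition": {"StringEquals": {"aws:ResourceTag/Backup": "yes"}}},
    {"Sid": "OneBucket", "Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject"],
     "Resource": "arn:aws:s3:::example-backup-bucket/*"},
    {"Sid": "AnyBucket", "Effect": "Allow", "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::*"},
    {"Sid": "AnySnapshotDelete", "Effect": "Allow", "Action": "ec2:DeleteSnapshot",
     "Resource": "*"},
]}

def _as_list(value):
    """IAM accepts a single string or object wherever a list is allowed."""
    return value if isinstance(value, list) else [] if value is None else [value]

def _is_unscoped(arn):
    """True if the resource pattern matches every bucket, instance or volume."""
    parts = arn.split(":", 5)
    if len(parts) < 6:
        return arn == "*"
    if parts[2] == "s3":
        return parts[5].startswith("*")   # arn:aws:s3:::* is every bucket
    return parts[5] == "*" or parts[5].endswith("/*")   # e.g. instance/*

def _is_reportable(action, services):
    """Skip EC2 Describe* actions: they cannot be limited to specific resources."""
    service, _, name = action.lower().partition(":")
    return action == "*" or (service in services and not name.startswith("describe"))

def unscoped_statements(policy, services=("ec2", "s3")):
    """Return [(sid, actions)] for Allow statements that reach all resources.
    Any Condition is assumed to narrow the statement; it is not evaluated."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        resources = _as_list(stmt.get("Resource"))
        if "NotResource" not in stmt and not any(map(_is_unscoped, resources)):
            continue
        actions = [a for a in _as_list(stmt.get("Action")) if _is_reportable(a, services)]
        if "NotAction" in stmt:
            actions.append("NotAction")
        if actions:
            findings.append((stmt.get("Sid", f"statement[{index}]"), actions))
    return findings
```

Run `unscoped_statements()` on the policy JSON you intend to attach; an empty list means no EC2 or S3 write action is granted account-wide without a condition.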