Step 4. Specify Restore Settings
At the Account step of the wizard, choose whether you want to use an IAM role or one-time access keys of an IAM user to allow Veeam Backup for AWS to perform the restore operation, and whether you want Veeam Backup for AWS to deploy worker instances in the production account.
Make sure that the specified IAM role or one-time access keys belong to an AWS account to which you plan to restore EBS volumes.
To specify an IAM role, select the IAM role option and choose the necessary IAM role from the list.
For an IAM role to be displayed in the IAM Role list, it must be assigned permissions listed in section EC2 Restore IAM Permissions and added to Veeam Backup for AWS, as described in section Adding IAM Roles. If you have not added the necessary IAM role to Veeam Backup for AWS beforehand, you can do it without closing the Volume Restore wizard. To add an IAM role, click Add and complete the Add IAM Role wizard.
It is recommended that you check whether the selected IAM role has all the required permissions to perform the operation. If the IAM role permissions are insufficient, the restore operation will fail to complete successfully. To run the IAM role permission check, click Check Permissions and follow the instructions provided in section Checking IAM Role Permissions.
To specify one-time access keys, select the Temporary access keys option, and use the Access key and Secret key fields to provide the access key ID and the secret access key.
Veeam Backup for AWS does not store one-time access keys in the configuration database.
[This option applies only if you restore volumes from image-level backups and have selected the IAM role option]
By default, Veeam Backup for AWS launches worker instances used to perform restore operations in the backup account. However, you can instruct Veeam Backup for AWS to launch worker instances in a production account — that is, an account to which the volumes will be restored. To do that, set the Deploy workers in production account toggle to On, and specify an IAM role that will be attached to the worker instances and used by Veeam Backup for AWS to communicate with these instances. The specified IAM role must belong to the same account to which the IAM role specified to perform the restore operation belongs.
For an IAM role to be displayed in the IAM role list, it must be assigned permissions listed in section Worker IAM Role Permissions and must be added to Veeam Backup for AWS, as described in section Adding IAM Roles. If you have not added the necessary IAM role to Veeam Backup for AWS beforehand, you can do it without closing the Add Policy wizard. To add an IAM role, click Add and complete the Add IAM Role wizard.
If you instruct Veeam Backup for AWS to deploy worker instances in production accounts, you must assign additional permissions to the IAM role used to perform the restore operation. For more information on the required permissions, see EC2 Restore IAM Permissions.