Updating IAM Roles

In this article

    When you update the backup appliance to a newer version, the improvements and new features instantly become available in Veeam Backup for AWS. However, to meet new requirements, IAM roles must be assigned missing permissions manually either using the Veeam Backup for AWS UI or the AWS Management Console.

    Updating Default Backup Restore IAM Role

    After every product update, Veeam Backup for AWS checks if the Default Backup Restore IAM role created while installing the solution has all necessary permissions to perform backup and restore operations. If some of the permissions are missing, you will receive a warning in the notification area. For more information on permissions required for the Default Backup Restore IAM role after you update Veeam Backup for AWS to version 4.0, see Full List of IAM Permissions.

    You can update the Default Backup Restore IAM role using the IAM Management Console or instruct Veeam Backup for AWS to do it. To learn how to grant permissions to an IAM Role using the IAM Management Console, see AWS Documentation.

    To instruct Veeam Backup for AWS to automatically grant the missing permissions to the Default Backup Restore IAM role, do the following:

    1. Click the warning.
    2. In the IAM Roles Update window, provide one-time access keys of an IAM user that is authorized to update permissions of IAM roles, and then click Apply.

    The IAM user must have the following permissions:

    "iam:CreatePolicy",

    "iam:GetRole",

    "iam:GetPolicy",

    "iam:AttachRolePolicy"

    Note

    Veeam Backup for AWS does not store one-time access keys in the configuration database.

    1. To make sure that the missing permissions have been successfully granted, navigate to Accounts > IAM Roles, select the Default Backup Restore IAM role and click Check AWS Permissions.

    Updating IAM Roles 

    Updating Custom IAM Role

    To update the custom IAM role, run a permission check for this role at the IAM Roles page as described in section Checking IAM Role Permissions.  If some of the permissions are missing, you will receive a warning in the AWS Permission Check window. You can grant the missing permissions to the IAM role using the IAM Management Console or instruct Veeam Backup for AWS to do it. To learn how to grant permissions to an IAM role using the IAM Management Console, see AWS Documentation.