Updating IAM Roles

When you update the backup appliance to a newer version, the improvements and new features instantly become available in Veeam Backup for AWS. However, to meet the new requirements, you must grant the missing permissions to IAM roles manually, using either the Veeam Backup for AWS UI or the AWS Management Console.

Updating Custom IAM Role

To update the custom IAM role, run a permission check for this role at the IAM Roles tab as described in section Checking IAM Role Permissions. Veeam Backup for AWS will verify whether the IAM role is specified in any backup policy, repository or worker settings and check if all the permissions required to perform these operations are assigned to the role. If some of the permissions are missing, you will receive a warning in the AWS Permission Check window. You can grant the missing permissions to the IAM role using the AWS Management Console or instruct Veeam Backup for AWS to do it. To learn how to grant permissions to IAM roles using the AWS Management Console, see AWS Documentation.

Note

The permission check at the IAM Roles tab verifies only permissions of roles that are currently used by Veeam Backup for AWS. Permissions of IAM roles that are not specified in any settings on the backup appliance and are not used to perform any operations are not checked. That is why it is recommended that you additionally verify IAM role permissions using the built-in wizard permission check when specifying a role for the operation.

Updating Default Backup Restore IAM Role

After every product update, Veeam Backup for AWS checks if the Default Backup Restore IAM role created while installing the solution has all necessary permissions to perform backup and restore operations. If some of the permissions are missing, you will receive a warning in the notification area. For more information on permissions required for the Default Backup Restore IAM role after you update Veeam Backup for AWS to version 7.0, see Full List of IAM Permissions.

You can update the Default Backup Restore IAM role using the AWS Management Console or instruct Veeam Backup for AWS to do it:

  1. Click the warning.
  2. In the IAM Roles Update window, provide one-time access keys of an IAM user that is authorized to update permissions of IAM roles, and then click Apply.

The IAM user must have the following permissions:

"iam:AttachRolePolicy",
"iam:CreatePolicy",
"iam:CreatePolicyVersion",
"iam:CreateRole",
"iam:GetAccountSummary",
"iam:GetPolicy",
"iam:GetPolicyVersion",
"iam:GetRole",
"iam:ListAttachedRolePolicies",
"iam:ListPolicyVersions",
"iam:SimulatePrincipalPolicy",
"iam:UpdateAssumeRolePolicy"

Note

Veeam Backup for AWS does not store one-time access keys in the configuration database.

  3. To make sure that the missing permissions have been successfully granted, navigate to Accounts > IAM Roles, select the Default Backup Restore IAM role and click Check AWS Permissions.
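
Before supplying one-time access keys, you can check offline that the policy attached to the IAM user covers every permission listed above. The following script is an added example, not part of Veeam Backup for AWS; SAMPLE_POLICY is a constructed policy document, and the check is a simplification that compares only Effect and Action (it ignores Resource, Condition and NotAction).

```python
import fnmatch
import json

# Actions this page lists for the IAM user whose one-time keys are supplied.
REQUIRED_ACTIONS = [
    "iam:AttachRolePolicy", "iam:CreatePolicy", "iam:CreatePolicyVersion",
    "iam:CreateRole", "iam:GetAccountSummary", "iam:GetPolicy",
    "iam:GetPolicyVersion", "iam:GetRole", "iam:ListAttachedRolePolicies",
    "iam:ListPolicyVersions", "iam:SimulatePrincipalPolicy",
    "iam:UpdateAssumeRolePolicy",
]

def _patterns(statement):
    """Return the statement's Action patterns as a lowercase list."""
    actions = statement.get("Action", [])
    if isinstance(actions, str):          # Action may be a single string
        actions = [actions]
    return [a.lower() for a in actions]

def _matches(action, patterns):
    # IAM action names are case-insensitive; * and ? act as wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns)

def missing_actions(policy_json, required=REQUIRED_ACTIONS):
    """List required actions that the policy does not allow or explicitly denies."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):      # a lone statement may be a bare object
        statements = [statements]
    allow = [p for s in statements if s.get("Effect") == "Allow" for p in _patterns(s)]
    deny = [p for s in statements if s.get("Effect") == "Deny" for p in _patterns(s)]
    # An explicit Deny overrides any Allow, so a denied action counts as missing.
    return [a for a in required if not _matches(a, allow) or _matches(a, deny)]

# Constructed sample: wildcards cover most actions, four are not granted.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["iam:Get*", "iam:List*", "iam:CreatePolicy*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:AttachRolePolicy", "Resource": "*"},
        {"Effect": "Deny", "Action": "iam:GetAccountSummary", "Resource": "*"},
    ],
})

if __name__ == "__main__":
    for action in missing_actions(SAMPLE_POLICY):
        print("missing:", action)
```

An empty result means the policy text grants every listed action; the Check AWS Permissions step remains the authoritative verification, because it evaluates the role in the actual account.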
