How to configure VB for AWS workers to deploy in Production Accounts



Hey everyone,

In this topic, I will cover the steps needed to configure Veeam Backup for AWS to deploy the workers in the production account. In some scenarios (well done!) the backup appliance is located in a different account from the workloads it protects.

 

Deploying the workers in the production account becomes necessary when the EBS volumes of the protected instances are encrypted with the default AWS managed KMS key (aws/ebs) of that account. AWS managed keys cannot be shared with, or used from, another account, so snapshots of those volumes cannot be shared to the backup account; a worker running in the production account can read them with the account's own key.

 

To begin with, the first thing we need to do is create an IAM role in the Production account (where your instances reside).

 

Important: throughout this post, "Production Account" is the account where the instances reside, and "Backup Account" is the account where the VB for AWS appliance resides.

 

Log into the AWS console of the Production account and open IAM:

Click on Roles

Then Create role

 

Select Custom trust policy option

 

In the JSON policy we will need to specify the IAM role attached to the VB for AWS appliance in the Backup Account, allowing it to assume the role we are creating now.

The first Sid, highlighted in red, allows the backup appliance role to assume this role. The ExternalId condition is mandatory: VB for AWS asks for it when you add this role, and you should choose your own value. The example below uses a placeholder; in practice use a long random string rather than a word, because the ExternalId is what prevents a third party who knows the role ARN from having the appliance assume the role on their behalf (the confused deputy problem). It is not a password, but it must be unguessable and stored with the same care.

The second Sid, highlighted in blue, allows the workers that are deployed on demand (when you start a backup policy) to assume this role through its instance profile. Note that this statement trusts the EC2 service for the whole account: any instance launched with this instance profile gets the role, so control who may attach it (iam:PassRole on this role) in the Production account.

Note: to find the IAM role attached to the VB for AWS appliance, go to the account where the appliance is deployed, open EC2, select the VB for AWS instance and click the Security tab.

 

Example JSON for your reference:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "vbawscrossaccount",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::xxxxxxxxxxxxx:role/role_name_here"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "p@ssw0rd"
        }
      }
    },
    {
      "Sid": "vbawsworker",
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Click Next

 

It is time to grant the needed permissions to this role to perform the tasks.

 

If you already have a policy with the required permissions, just select it from the list. If you still need to create the policy, click Create policy.

In the Specify Permissions page, select JSON

You can find the list of needed permissions here and here.

 

Choose a name and description (optional), associate tags if you need and click Create policy.

Go back to the tab with the IAM role creation and hit the refresh button, search for the policy you just created and select its checkbox. Click Next.

Give your role a name, description and tags, just like with the policy, and click Create role.

This popup will show up

 

 

To be able to attach an IAM role to an EC2 instance we need to associate an instance profile with the IAM role. The console only creates one automatically for roles created with the EC2 service use case; because we used a custom trust policy, we have to create it ourselves.

The easiest way to create an instance profile in my opinion is via AWS CLI.

Here is an AWS guide to help you set up the AWS CLI properly:

The command to create the instance profile will be:

aws iam create-instance-profile --instance-profile-name <instanceprofilename>

Now we need to add the IAM role to the instance profile we just created.

aws iam add-role-to-instance-profile --instance-profile-name <instanceprofilename> --role-name <iamRoleName>

To make sure the role was added, list the instance profiles attached to the role and check that the new one is returned:

aws iam list-instance-profiles-for-role --role-name <iamRoleName>
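The whole role setup above (trust policy, permissions policy, instance profile) can be scripted with the AWS CLI. The script below is an added example and not part of the original post or of Veeam's own tooling. The account IDs, role name and policy ARN in it are placeholder assumptions to be replaced with your own; the permissions policy is assumed to already exist in the Production account. By default the script only renders the trust policy (a dry run); it calls AWS only when run with --apply. It also generates the ExternalId from the kernel CSPRNG instead of using a word like p@ssw0rd, and refuses to proceed if the trust policy names an account root or wildcard principal instead of the appliance role.

```shell
#!/usr/bin/env sh
# Added example, not from the original post: create the cross-account role
# for VB for AWS workers with the AWS CLI. All identifiers are placeholders.
set -eu

# Assumed placeholders; override via environment variables.
BACKUP_ACCOUNT_ROLE_ARN="${BACKUP_ACCOUNT_ROLE_ARN:-arn:aws:iam::111111111111:role/vbaws-appliance-role}"
ROLE_NAME="${ROLE_NAME:-vbaws-production-workers}"
POLICY_ARN="${POLICY_ARN:-arn:aws:iam::222222222222:policy/vbaws-production-permissions}"

# 48 hex characters from /dev/urandom. The ExternalId is a confused-deputy
# guard rather than a password, but it still has to be unguessable.
new_external_id() {
    head -c 24 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Render the trust policy from the post: statement 1 lets the appliance role
# in the Backup Account assume this role only with the matching ExternalId,
# statement 2 lets the on-demand worker instances assume it via the
# instance profile.
render_trust_policy() {
    appliance_role_arn=$1; external_id=$2
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "vbawscrossaccount",
      "Effect": "Allow",
      "Principal": { "AWS": "${appliance_role_arn}" },
      "Action": "sts:AssumeRole",
      "Condition": { "StringEquals": { "sts:ExternalId": "${external_id}" } }
    },
    {
      "Sid": "vbawsworker",
      "Effect": "Allow",
      "Principal": { "Service": "ec2.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

# Checks to run before creating the role: the cross-account statement must
# carry a strong ExternalId and must name one specific role, not an account
# root or a wildcard. Returns 0 when the policy passes.
check_trust_policy() {
    policy=$1
    printf '%s' "$policy" | grep -q '"sts:ExternalId": "[0-9a-f]\{32,\}"' \
        || { echo "weak or missing ExternalId" >&2; return 1; }
    printf '%s' "$policy" | grep -q ':root"' \
        && { echo "principal is an account root; name the appliance role instead" >&2; return 1; }
    printf '%s' "$policy" | grep -q '"AWS": "\*"' \
        && { echo "wildcard principal" >&2; return 1; }
    return 0
}

# Create the role, attach the permissions policy, create the instance
# profile and add the role to it, then verify the association.
apply() {
    external_id=$(new_external_id)
    policy=$(render_trust_policy "$BACKUP_ACCOUNT_ROLE_ARN" "$external_id")
    check_trust_policy "$policy"
    printf '%s\n' "$policy" > trust-policy.json
    aws iam create-role --role-name "$ROLE_NAME" \
        --assume-role-policy-document file://trust-policy.json
    aws iam attach-role-policy --role-name "$ROLE_NAME" --policy-arn "$POLICY_ARN"
    aws iam create-instance-profile --instance-profile-name "$ROLE_NAME"
    aws iam add-role-to-instance-profile --instance-profile-name "$ROLE_NAME" \
        --role-name "$ROLE_NAME"
    aws iam list-instance-profiles-for-role --role-name "$ROLE_NAME"
    echo "ExternalId to enter in VB for AWS (store it securely): $external_id"
}

case "${1:-}" in
    --apply) apply ;;
    *) render_trust_policy "$BACKUP_ACCOUNT_ROLE_ARN" "$(new_external_id)" ;;  # dry run
esac
```

Run it once without arguments to review the rendered trust policy, then with --apply using credentials for the Production account. The ExternalId printed at the end is the value to enter when adding the role to VB for AWS; the script does not persist it anywhere, so record it in your secrets store.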

We are finally ready to add this role to VB for AWS.

Click on Configuration, Accounts, +Add:

Give the account a name (not necessarily the same as the AWS role)

Select the IAM role from another account option and fill in the information. This is where you enter the ExternalId chosen during role creation. Click Next.

Click finish.

Let’s create a new backup policy to protect the instances in the production account.

I will not cover policy creation in this topic, but you can refer to this page in the Veeam Backup for AWS user guide.

However, I want to show you that in the Targets section of backup policy creation you will be able to enable the Deploy workers in production account option and check permissions. If you are missing any permissions, this page lists which ones, so you can fix them before continuing.

 

If you see the following message when clicking Finish on your backup policy creation, it means that you need to add the worker network settings.

Still within Configuration page, select Workers > Production Accounts > +Add

Please refer to the user guide if you need help configuring it.

 

From this point on, a backup policy with Deploy workers to production account enabled will deploy the workers in the same account as the protected instances.

All these steps do not apply if you use the VB for AWS appliance in the same AWS account as your workload.

 

I hope it was helpful!

See you later!

 


4 comments


Really great post!  Thanks for sharing this as I am starting to work with AWS some since I am a Community Builder and have a credit.  Looking forward to seeing more of this.


Awesome feedback @Chris.Childerhose, Thank you

 

Don’t hesitate to ask if you need any help :)


Brilliant content 👏 that’s a great amount of detail to really help people get up and running with this. I’ve been talking to people about the risks of all your backup data in your production tenant, as immutability ensures backup file data integrity, but it’s still useless if someone has compromised the tenant’s IAM layer as you’ve got no access to the backups!


@MicoolPaul thank you! Yeah, could not agree more! Hopefully companies will open their eyes to this risk and plan a backup strategy that considers using separate tenants.

 
