Hi everyone,

How does a worker instance deployed in a “production account” access a S3 bucket repository in the “backup account” if there is no S3 bucket policy, cross-account IAM roles, etc. in place? Not sure if this is relevant but I’ve shared a VPC subnet between the production and backup accounts for the worker instances to use. I’m using the Veeam provided IAM roles for the backup appliance (vaws1-VeeamImpersonationRoleV1-XXXXXXXXX) and worker instances (VeeamInstanceBackupRestoreAccessRoleV1-XXXXXXXXX). What am I missing here?

Thanks!

Steve

Be sure you have the correct permissions:

https://helpcenter.veeam.com/docs/vbaws/guide/role_permissions_repo.html?ver=80

Also, you will need to create gateway endpoints for the S3 service:

https://helpcenter.veeam.com/docs/vbaws/guide/configure_endpoints.html?zoom_highlight=endpoint&ver=80

https://helpcenter.veeam.com/docs/vbaws/guide/configure_endpoints.html?zoom_highlight=endpoint&ver=80#creating-s3-gateway-endpoints


This should help to answer any questions - Worker Instances - Veeam Backup for AWS Guide

I do not use AWS myself, so I cannot comment.


Thanks guys, I have it working fine but I’m just curious how it works - how are the worker instances in the production account allowed to access the Veeam repository S3 bucket in the backup account (it’s a separate AWS account) - what’s at play here? IAM roles, Veeam magic?


Gateway endpoints.

With a gateway endpoint, you can access Amazon S3 from your VPC, without requiring an internet gateway or NAT device for your VPC, and with no additional cost. However, gateway endpoints do not allow access from on-premises networks, from peered VPCs in other AWS Regions, or through a transit gateway. For those scenarios, you must use an interface endpoint, which is available for an additional cost. For more information, see Types of VPC endpoints for Amazon S3 in the Amazon S3 User Guide.

I would say both IAM roles as well as Veeam components helping to access it.


The Worker accesses it via a public address (if it's a public deployment) or via a VPC endpoint (if it's a private network deployment).
The Worker has the instance profile associated with the EC2 instance during the backup, so it has the permissions to access the S3 bucket during the backup and to perform all other operations needed.


The EC2 instance profile attached to the worker instances in the production account is very general, how is it allowed access to the S3 bucket in the backup account? Is the trust policy attached to the instance profile the answer?

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {
      "AWS": "arn:aws:iam::XXXXXXXXX:role/vaws1-VeeamImpersonationRoleV1-XXXXXXXXX"
    },
    "Action": "sts:AssumeRole"
  }]
}

Yeh, exactly
The IAM Role on production account has permission to assume role.
We have this explained here: https://helpcenter.veeam.com/docs/vbaws/guide/byb_roles.html?ver=80
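An added example, not from the thread and not Veeam's own tooling: a small audit that reads a trust policy in the shape of the one posted above and lists which principals may call sts:AssumeRole on the worker role, flagging wildcard principals and Allow statements that carry no Condition. The account id and role suffix in the sample are placeholders.

```python
import json

# Constructed sample in the shape of the trust policy posted above; the account
# id and role suffix are placeholders, not values from the thread.
WORKER_ROLE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111111111111:role/vaws1-VeeamImpersonationRoleV1-EXAMPLE"},
         "Action": "sts:AssumeRole"},
        # A role used as an EC2 instance profile must also trust the EC2 service.
        {"Effect": "Allow",
         "Principal": {"Service": "ec2.amazonaws.com"},
         "Action": "sts:AssumeRole"},
    ],
})


def _as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def assume_role_principals(policy_json):
    """Return (allowed, denied, findings) for sts:AssumeRole on a trust policy.
    findings are review notes: a '*' principal, or an Allow with no Condition."""
    policy = json.loads(policy_json)
    allowed, denied, findings = set(), set(), []
    for stmt in _as_list(policy.get("Statement")):
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue  # statement does not cover role assumption
        principal = stmt.get("Principal", {})
        if principal == "*":
            names = {"*"}
        else:
            names = set()
            for kind in ("AWS", "Service", "Federated"):
                names.update(_as_list(principal.get(kind)))
        if stmt.get("Effect") != "Allow":
            denied.update(names)
            continue
        allowed.update(names)
        if "*" in names:
            findings.append("any AWS principal may assume the role")
        if "Condition" not in stmt:
            findings.append("no Condition on Allow for: " + ", ".join(sorted(names)))
    return sorted(allowed), sorted(denied), findings
```

Run it against the trust policy of each Veeam role in both accounts to confirm that only the expected impersonation role and the EC2 service appear in the allowed list.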

Sorry, still confused, so the worker instance in the production account assumes the role, but nowhere in the role’s permissions does it state it has access to the S3 bucket in the backup account?


I think I found the answer; because the worker instance is connected to a VPC subnet shared from the backup account, I’m using S3 VPC interface endpoint in the backup account, and the EC2 image profile of the worker instance includes s3:* permission, the worker instance in the production account is permitted access to the S3 bucket in the backup account (it does not have a bucket policy and the S3 VPC interface endpoint is allowing connections from the shared subnet). Does that make sense?

That makes perfect sense. Glad you found the answer.
