Authenticating with Tenant Account ARN

You can configure a virtualization client (hypervisor) for Amazon Web Services (AWS) to use STS role authentication with a tenant account role ARN when the access node is in the Amazon admin account and the guest instances are in the Amazon tenant account. The access node assumes a role in the tenant account, so no long-term tenant credentials are stored on the access node.

Available Features

  • Streaming backups.

  • Full instance restores.

  • Attach volume to an existing instance or a new instance.

  • Live browse and guest file-level restores, agentless restores, and download of files.

  • IntelliSnap backups.

  • File indexing.

  • Automatic scaling of access nodes.

Before You Begin

The access node must have access to the regional and global STS endpoints. For more information about AWS service endpoints, see AWS service endpoints on the AWS documentation site.

  • Global STS endpoint: The service endpoint is https://sts.amazonaws.com.

  • Regional STS endpoints: For example, https://sts.us-east-1.amazonaws.com, to back up instances in us-east-1.

For more information about STS endpoints and quotas, see AWS Security Token Service endpoints and quotas on the AWS documentation site.

Procedure

  1. In the AWS console, from the admin account, create an IAM role (for example, vsa_assume_role), attach a policy that grants the sts:AssumeRole permission, and then assign the role to the VSA access node. Scope the Resource of the sts:AssumeRole statement to the ARN of the tenant account role you create in step 2 rather than to "*", so the access node can assume only that role.

    For more information about assigning Amazon user permissions by creating a policy, see Overview of IAM Policies on the AWS documentation site.

  2. From the tenant account, create another IAM role (for example, vsa_role), and attach the policy required for backup and restore operations.

    Download the amazon_restricted_role_permissions.json file.

  3. Add the admin account ID as a trusted entity in the role that you created in step 2 in the tenant account. Trusting the account ID allows any principal in the admin account that has sts:AssumeRole permission to assume vsa_role; to restrict the trust to the access node, specify the ARN of vsa_assume_role as the trusted principal instead.

    For more information about editing trust relationships, see Modifying a Role Trust Policy on the AWS documentation site.
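The following is an added example, not code from the original page or from the product it describes. It builds the two policy documents that the procedure in steps 1 through 3 sets up in the console (the admin-account permissions policy for vsa_assume_role and the tenant-account trust policy for vsa_role), returns the global or regional STS endpoint from the Before You Begin section, and lints both policies for the two common over-broad configurations: an sts:AssumeRole grant on "*" and a trust relationship that names the whole admin account or any principal. The account IDs, role names, and external ID are constructed placeholders; the optional sts:ExternalId condition is an assumption about how you might tighten the trust further, not a requirement of the procedure.

```python
"""Generate and lint the admin-account AssumeRole policy and the tenant-account
trust policy for the cross-account STS role chain. Added example; all account
IDs, role names and the external ID are constructed sample values."""
import json
import re
from typing import Dict, List, Optional

# Constructed sample values (not real accounts).
ADMIN_ACCOUNT = "111111111111"
TENANT_ACCOUNT = "222222222222"
ADMIN_ROLE_ARN = f"arn:aws:iam::{ADMIN_ACCOUNT}:role/vsa_assume_role"
TENANT_ROLE_ARN = f"arn:aws:iam::{TENANT_ACCOUNT}:role/vsa_role"

# Matches an IAM role ARN or an account root ARN and captures the account ID.
IAM_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):(root|role/[\w+=,.@/-]+)$")
# Actions a trust policy legitimately grants (sts:TagSession and
# sts:SetSourceIdentity are optional companions to sts:AssumeRole).
TRUST_ACTIONS = {"sts:AssumeRole", "sts:TagSession", "sts:SetSourceIdentity"}


def account_of(arn: str) -> Optional[str]:
    """Account ID of an IAM role/root ARN, or None if the ARN is malformed."""
    m = IAM_ARN_RE.match(arn)
    return m.group(1) if m else None


def sts_endpoint(region: Optional[str] = None) -> str:
    """Global STS endpoint when no region is given, otherwise the regional
    endpoint the access node needs to reach for instances in that region."""
    return "https://sts.amazonaws.com" if region is None else f"https://sts.{region}.amazonaws.com"


def admin_assume_role_policy(tenant_role_arn: str) -> Dict:
    """Permissions policy for the admin-account role (step 1). The access node
    only needs to assume the one tenant role, so Resource is that ARN, not "*"."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                           "Resource": tenant_role_arn}]}


def tenant_trust_policy(admin_role_arn: str, external_id: Optional[str] = None) -> Dict:
    """Trust policy for the tenant-account role (steps 2 and 3). Naming the admin
    role as principal is tighter than naming the admin account root, which lets
    any principal in that account with sts:AssumeRole rights assume vsa_role."""
    stmt = {"Effect": "Allow", "Principal": {"AWS": admin_role_arn}, "Action": "sts:AssumeRole"}
    if external_id:  # assumed optional hardening, not part of the documented steps
        stmt["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [stmt]}


def _as_list(value) -> List:
    return value if isinstance(value, list) else [value]


def lint_trust_policy(policy: Dict, admin_account: str) -> List[str]:
    """Findings about an over-broad trust relationship; an empty list is clean."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append("trusts every AWS principal")
            continue
        arns = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        for arn in arns:
            if account_of(arn) != admin_account:
                findings.append(f"principal {arn} is outside admin account {admin_account}")
            elif arn.endswith(":root"):
                findings.append(f"trusts the whole admin account ({arn}); name the access-node role instead")
        for action in _as_list(stmt.get("Action", [])):
            if action not in TRUST_ACTIONS:
                findings.append(f"unexpected action {action} in trust policy")
    return findings


def lint_assume_role_policy(policy: Dict, tenant_role_arn: str) -> List[str]:
    """Flag sts:AssumeRole grants that are not scoped to the tenant role."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        for res in _as_list(stmt.get("Resource", [])):
            if res != tenant_role_arn:
                findings.append(f"sts:AssumeRole allowed on {res}, expected only {tenant_role_arn}")
    return findings


if __name__ == "__main__":
    print(json.dumps(admin_assume_role_policy(TENANT_ROLE_ARN), indent=2))
    print(json.dumps(tenant_trust_policy(ADMIN_ROLE_ARN, "vsa-tenant-1"), indent=2))
    # The account-wide trust the procedure describes, shown with its finding.
    loose = tenant_trust_policy(f"arn:aws:iam::{ADMIN_ACCOUNT}:root")
    print(lint_trust_policy(loose, ADMIN_ACCOUNT))
    print(sts_endpoint("us-east-1"))
```

Paste the output of admin_assume_role_policy into the policy attached to vsa_assume_role and the output of tenant_trust_policy into the trust relationship of vsa_role; the linters are what you would run over the JSON you exported back out of the console to confirm nothing wider than intended was saved.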

What to Do Next

Provide the tenant account role ARN (the ARN of vsa_role) when you add the Amazon hypervisor. For more information, see Creating an Amazon Client.
