Configuring Backups for Amazon S3 with IAM Role Authentication

You can configure backups for Amazon S3 object storage using IAM role authentication. The configuration wizard guides you through the configuration process, which includes creating any new entities that are needed, such as a plan, an object storage client, and a content group.

Start the Configuration Wizard

  1. From the Command Center navigation pane, go to Protect > Object storage.

    The Object storage page appears.

  2. In the upper-right area of the page, click Add object storage.

    The Configure Object Storage page appears.

  3. Select Amazon S3.

  4. Click Next.

    The Amazon S3 Backup Overview page appears.

  5. Review the information.

  6. Click Next.

    The IAM Role page of the configuration wizard appears.

IAM Role

  1. From the Authentication method list, select IAM role.

  2. Verify an existing MetallicRole IAM role or create a new MetallicRole IAM role:

    • If the MetallicRole IAM role was previously created for another AWS workload, do the following:

      1. Verify that the IAM policies for the AWS workload are still attached to the MetallicRole IAM role.

      2. At the bottom of the page, select the confirmation check box.

      3. Click Next.

        The Region page of the configuration wizard appears.

    • If the MetallicRole IAM role does not exist yet, create it in AWS.

      Steps to create MetallicRole IAM role
      1. Click the Launch CloudFormation Stack link to open the AWS console.


        If you do not have permission to create a role in the AWS account, copy the Launch CloudFormation Stack link and share it with your AWS IAM administrator.

      2. Log on to the AWS console.

        The Quick create stack page appears.

      3. Under Capabilities, read the information about the template, and then select the acknowledgment check box.

      4. Click Create stack.

        Wait for the CloudFormation Stack to finish creating the MetallicRole IAM Role. The CloudFormation Stack creates IAM policies for all supported AWS workloads, and then attaches the policies to MetallicRole.

      5. Return to the Commvault Cloud configuration wizard.

      6. At the bottom of the page, select the confirmation check box.

      7. Click Next.

        The Region page of the configuration wizard appears.


Region

  1. Select the region that the object storage resides in.

  2. Click Next.

    The Backup Gateway page of the configuration wizard appears.

Backup Gateway

A backup gateway is required to back up instances without egress charges.

  1. Select one or more existing backup gateways or an existing gateway group, or create a new backup gateway.

    Steps to create a backup gateway
    1. Click the add button.

      The Add a new backup gateway dialog box appears.

    2. For Platform, select the OS for the backup gateway.

    3. Click Generate link.

      An AWS CloudFormation template is created based on the region and the operating system that you selected.

    4. Click the Launch CloudFormation Template link to open the AWS console.

    5. Log on to the AWS console.

      The Quick create stack page appears.

    6. Under Parameters, enter the following information:

      1. From the EC2 Instance Type list, select the type of EC2 instance to use for the backup gateway.

      2. From the EC2 Key Pair list, select a key pair to use to access the Commvault Cloud backup gateway.

      3. From the VPC ID list, select an Amazon Virtual Private Cloud (VPC).

      4. From the Subnet ID list, select a subnet.

      5. From the VPC CIDR list, select a VPC CIDR.


      Port 8403 opens on backup gateways only when the request comes from the IP ranges that are listed in the VPC CIDR field.

    7. Click Create stack.

      Wait for the Commvault Cloud backup gateway to be created.

    8. Return to the Commvault Cloud configuration wizard.

    9. Refresh the list of backup gateways, and then select the backup gateway that you created.


    • The gateways must be of similar operating system type.

    • To use a gateway group, the region must already be configured on the gateway group.

    • All gateways in the gateway group must be reachable through network routes.

  2. Click Next.

    The Cloud Storage page of the configuration wizard appears.
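
The note above states that port 8403 on a backup gateway is reachable only from the ranges entered in the VPC CIDR field. The following added example (not Commvault code) checks that after the stack is created, using security-group data in the shape returned by `aws ec2 describe-security-groups`; the sample groups, their IDs and their CIDRs are constructed for illustration.

```python
import ipaddress

GATEWAY_PORT = 8403  # backup gateway port named on this page

# Constructed sample in the shape of `aws ec2 describe-security-groups` output;
# the group IDs and CIDR ranges are made up for illustration.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0example1", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8403, "ToPort": 8403,
         "IpRanges": [{"CidrIp": "10.20.0.0/16"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0example2", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8000, "ToPort": 9000,
         "IpRanges": [{"CidrIp": "10.20.4.0/24"}, {"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": []}]},
    {"GroupId": "sg-0example3", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]

def covers_port(perm, port):
    """True if an ingress rule applies to TCP `port` ("-1" means all traffic)."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    return proto in ("tcp", "6") and perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)

def within(net, allowed):
    """True if `net` lies entirely inside one of the allowed networks."""
    return any(net.version == a.version and net.subnet_of(a) for a in allowed)

def find_overexposed(groups, allowed_cidrs, port=GATEWAY_PORT):
    """Return (group_id, source_cidr) for rules admitting `port` from outside allowed_cidrs."""
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            if not covers_port(perm, port):
                continue
            # Only CIDR sources are evaluated; security-group and prefix-list sources are not.
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for src in sources:
                if not within(ipaddress.ip_network(src, strict=False), allowed):
                    findings.append((group["GroupId"], src))
    return findings

if __name__ == "__main__":
    print(find_overexposed(SAMPLE_GROUPS, ["10.20.0.0/16"]))
```

An empty result means every rule that reaches port 8403 is sourced from inside the VPC CIDR; port ranges and all-traffic rules that happen to include 8403 are reported as well.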

Cloud Storage

To review the supported combinations of primary and secondary storage, see Commvault Cloud Storage Options.

Primary Copy

  1. For the primary copy of the backup data, select an existing S3 storage bucket or create a new S3 storage bucket.

    Steps to create storage for the primary copy
    1. Click the add button.

      The Add cloud storage dialog box appears.

    2. In Name, enter a descriptive name for the cloud storage.

    3. For Authentication, select the authentication type that you want to use.

      Authentication type: values to enter

      • Access keys and secret keys: In Access key ID, enter the access key ID. In Secret access key, enter the secret access key.

      • IAM role

      • STS assume role with IAM role: In ARN role, enter the ARN.

    4. In Bucket, enter the Amazon S3 bucket name.

      For example, enter bucket_name, with no slash.

    5. For Storage Class, select the storage class for the type of access that you want to have for the data.

    6. Click Save.

  2. Click Next.

Secondary Copy

  1. Decide whether to store a secondary copy of the backup data for long-term retention.

    Steps to create storage for a secondary copy
    1. Move the Secondary copy toggle key to the right.

    2. For Storage location, select an existing storage location or create a new storage location.

      To create a storage location, do the following:

      1. Click the add button.

        The Add cloud storage dialog box appears.

      2. From the Type list, select Air Gap Protect, Oracle Cloud Infrastructure Object Storage, or Amazon S3.

        • If you select Air Gap Protect, do the following:

          1. From the Cloud storage provider list, select the provider.

          2. From the Storage class list, select the storage class for the type of access that you want to have for the data.

          3. From the Region list, select the region.

        • If you select Oracle Cloud Infrastructure Object Storage, do the following:

          1. In the Name box, enter a name for the cloud storage.

          2. From the Storage class list, select the storage class for the type of access that you want to have for the data.

          3. From the Region list, select the storage region.

          4. From the Credentials list, select existing credentials or create new credentials.

          5. To create credentials, click the add button.

            The Add credential dialog box appears.

          6. Enter values for the authentication method that you are using:

            • Credential name: Enter a name for the credentials that you are creating.

            • Tenancy OCID: Enter the Tenancy Oracle Cloud Identifier (OCID).

            • User OCID: Enter the user's OCID for a user that has permission to connect to the Oracle web console.

            • Fingerprint: Enter the fingerprint of the private key.

            • Private key: Click Upload to upload the private key.

            • Private key’s password: Enter the password associated with the private key.

            • Description: Enter a description of the credentials.

          7. In the Compartment name box, enter a name for the compartment.

          8. In the Bucket box, enter the bucket name.

        • If you select Amazon S3, do the following:

          1. In the Name box, enter a name for the cloud storage.

          2. From the Storage class list, select the storage class for the type of access that you want to have for the data.

          3. From the Region list, select the storage region.


            The Commvault Cloud software populates the Service host box with the default value.

          4. From the Authentication list, select the type of the authentication to use.

          5. If you select Access and secret keys, do the following:

            1. From the Credentials list, select existing credentials or create new credentials.

            2. To create credentials, click the add button.

              The Add credential dialog box appears.

            3. Enter values for the authentication method that you are using:

              • Credential name: Enter a name for the credentials that you are creating.

              • Access key ID: Enter the access key ID.

              • Secret access key: Enter the secret key.

              • Description: Enter a description for the credentials.

          6. If you select STS assume role, do the following:

            1. In the ARN role box, enter the full IAM role Amazon Resource Name (ARN).

            2. Enter values for the authentication method that you are using.

              • Credential name: Enter a name for the credentials that you are creating.

              • Access key ID: Enter the access key ID.

              • Secret access key: Enter the secret key.

              • Description: Enter a description for the credentials.

          7. If you select STS assume role with IAM role, enter the following:

            • Credential name: Enter a name for the credentials that you are creating.

            • Role ARN: Enter the full IAM role ARN.

            • Description: Enter a description for the credentials.

          8. In the Bucket box, enter the Amazon S3 bucket name.

      3. Click Save.

  2. Click Next.

    The Plan page of the configuration wizard appears.


Plan

A plan specifies the storage to back up the data to and other settings such as recovery point objective (RPO) settings.

The data is backed up to the primary copy, and then to the secondary copy only if an auxiliary copy job is run. The data will be retained based on the retention settings.

  1. Select an existing plan or create a new plan.

    Steps to create a plan
    1. Click the add button.

      The Add plan dialog box appears.

    2. In the Plan name box, enter a descriptive name for the plan.

    3. For the plan settings, select pre-defined settings or create custom settings:

      • To select pre-defined settings, under Retention rules, select one of the following:

        • Select Standard retention to retain the incremental backups for 1 month.

        • Select Extended retention for optimized storage where the incremental backups of primary and secondary copies are retained for 1 month, and extended retention for monthly and yearly full backups.


          The Extended retention option is available only when the secondary copy backup is selected.

      • To create custom settings, select Custom plan, and then specify the following:

        • For Retention, specify the amount of time to retain the backup jobs.

        • For Retention monthly full (Secondary copy), specify the amount of time to retain the monthly full backup on secondary copy.

        • For Retention yearly full (Secondary copy), specify the amount of time to retain the yearly full backup on secondary copy.

        • For Backups run every, specify how often to run backups.

    4. Click Done.

  2. Click Next.

    The Add Object Storage page of the configuration wizard appears.

Add Object Storage

  1. In Object storage name, enter a descriptive name for the object storage client.

  2. In Host URL, enter the service account URL.

  3. Click Next.

    The Backup Content page of the configuration wizard appears.

Backup Content

You can add content by browsing, by selecting all the content, and by entering a custom path.

  1. To browse for content, do the following:

    1. Click Add, and then select Browse.

      The Add content dialog box appears.

    2. Select the content.

    3. Click Save.

  2. To select all content, click Add, and then select Select All.

  3. To enter a custom path, do the following:

    1. Click Add, and then select Custom Path.

    2. In Enter custom path, enter the custom path for the content.

      For example, you can enter /bucket_name.

  4. To exclude some of the content you selected, move the Specify exclusion toggle key to the right, and then add the exclusion.

  5. To include some of the content that you excluded, move the Specify inclusion toggle key to the right, and then add the inclusion.

  6. To back up the object-level ACLs, move the Back up ACL toggle key to the right.

  7. Click Next.

    The Summary page of the configuration wizard appears.


Summary

  1. Review the summary.

  2. Click Finish.
