To register an AWS account and protect workloads running in it, Phoenix requires an Identity and Access Management (IAM) role. The IAM role lets Phoenix access your AWS account and create backups of workloads running in it. To create this role, Druva provides a CloudFormation template that you use to create a CloudFormation stack. The stack creates the IAM role that Phoenix requires. You then attach the Amazon Resource Name (ARN) of the IAM role to Phoenix so that it can run backup and restore jobs in your AWS account.
The following steps describe how to register an AWS account using the CloudFormation template:
1. Log in to the Phoenix Management Console.
2. From the top menu, select an Organization under which you want to register your AWS account.
3. After you select an Organization, click Protect > AWS Resources on the top menu.
4. On the AWS Resources page, click Add AWS Account.
5. On the Add AWS Account page, click the button on the Create AWS Access Role field to copy the S3 URL that points to the location of the CloudFormation template.
   Note: You cannot use this URL to register an AWS account in another Organization. This URL is tied to the Organization under which it was generated.
6. After you copy the S3 URL, sign in to the AWS Management Console.
7. Use the Find Services field on the AWS Management Console to search for and select CloudFormation.
8. On the CloudFormation Stacks page, click Create new stack.
9. In the Specify Template section of the Create stack wizard, select Amazon S3 URL under Template source, paste the CloudFormation template URL that you copied in step 5, and then click Next.
10. In the Specify stack details section, provide a name for the stack and click Next. Use a name that identifies the purpose of the stack. For example, Phoenix-access.
11. In the Configure stack options section, scroll down to the bottom and click Next.
12. In the Review section, scroll down to the bottom, enable I acknowledge that AWS CloudFormation might create IAM resources with custom names, and then click Create stack.
13. After you click Create stack, Amazon creates a stack with the name you provided in step 10. The status of the stack shows CREATE_IN_PROGRESS for a while.
    Refresh the page until it shows CREATE_COMPLETE.
14. Copy the ARN (Amazon Resource Name) from the Outputs tab after the status changes to CREATE_COMPLETE.
15. Navigate back to the Phoenix Management Console, paste this ARN in the Phoenix Role ARN field of the Add AWS Account page, and then click Save.
After the account is registered, Phoenix detects the workloads running in your AWS account and the accounts page appears with the registered AWS account listed on it. You can select the account and click Edit to change the name of the account. Click the AWS account name to open the Resources page that lists the resources that Phoenix can back up. If you want to register another account, perform the steps above for that account.