
Druva Documentation

Create IAM Policies and Roles

Phoenix Editions: Business: not supported | Enterprise: supported | Elite: supported (Purchase Separately)

This section provides the steps to create IAM Policies and Roles on the AWS console. An IAM Policy defines permissions for users, groups, roles, and resources. An IAM Role grants access capabilities to AWS users. The VMimport Policy defines the permissions required to import virtual machine images from your virtual environment into Amazon EC2 as AMIs. The VMimport Role allows access to Amazon EC2 for creating the AMI in your AWS account. Establishing a trust relationship for the VMimport Role defines which trusted entities can assume the role and the conditions under which they can do so.

Step 1: Create IAM Policy

You must create an IAM Policy to allow access to AWS resources. Before you create an IAM Policy, ensure that you have downloaded the policy files and saved them on your machine. For more information, see Download policies.

Procedure

  1. Log into your AWS account. 
  2. Click the Services tab. 
  3. Under Security, Identity & Compliance section, click IAM.
  4. On the left pane of the Welcome to Identity and Access Management page, click Policies.
  5. On the top-left corner of the page, click Create Policy.
  6. On the Create Policy page, select Create Your Own Policy.
  7. On the Review Policy page, add the following details:
    • Policy Name: A unique IAM Policy name.
    • Description: A description of the newly added policy.
    • Policy Document: The policy file that you have downloaded and saved on your machine. Copy and paste the contents of policy_dr_proxy.json into the Policy Document box. For more information, see Download policies.
  8. Click Create Policy.

Step 2: Create IAM Role

The IAM Role ensures that the Phoenix AWS Proxy has sufficient privileges to import data from your Druva account to your AWS account and create an AMI. The IAM Role requires read/write access to Phoenix storage and to EC2 in order to create and maintain machine images in your account. The IAM Role must also have read access to your data in your Druva account.

Note: The role with the required policy must be attached to the Phoenix AWS Proxy.

Before you create an IAM Role, ensure that you have created the IAM Policy. For more information, see Create IAM Policy.

Procedure

  1. On the AWS console, click the Services tab. 
  2. Under the Security, Identity & Compliance section, click IAM.
  3. On the left pane of the Welcome to Identity and Access Management page, click Roles.
  4. On the top-left corner of the page, click Create new role.
  5. On the Select role type page, click AWS Service Role, and then click Select against the Amazon EC2 option.
  6. Click Next Step.
  7. On the Attach Policy page, select the IAM policy you have created.
  8. Click Next Step.
  9. On the Set role name and review page, in the Role name box, enter a unique name for the DR role.
  10. Verify the role information.

    You can edit the role name and change the IAM Policy applied to the role.
  11. Click Create role.

The created role gets listed on the Configure Instance Details page.

Step 3: Create VMimport Policy

Before you create a VMimport Policy, ensure that you have downloaded the policy and saved it on your machine. For more information, see Download policies.

Procedure

  1. On the AWS console, click the Services tab. 
  2. Under the Security, Identity & Compliance section, click IAM.
  3. On the left pane of the Welcome to Identity and Access Management page, click Policies.
  4. On the top-left corner of the page, click Create Policy.
  5. On the Create Policy page, select Create Your Own Policy.
  6. On the Review Policy page, add the following details:
    • Policy Name: A unique policy name.
    • Description: A description of the newly added policy.
    • Policy Document: The policy file that you have downloaded and saved on your machine. Copy and paste the contents of policy_vmimport.json into the Policy Document box. For more information, see Download policies.
  7. Click Create Policy.

Step 4: Create VMimport Role

The VMimport role is the cross-account role required by the VMimport utility in AWS. It needs read-only access to Phoenix storage and snapshot-level access to EC2. The VMimport role grants the AWS service "vmie.amazonaws.com" access to create the AMI in your account.

Note: You must create a role named "vmimport" with the vmimport permission policy and the vmimport trust policy.

Before you create a VMimport Role, ensure that you have created the VMimport policy. For more information, see Create VMimport Policy.

Procedure

  1. On the AWS console, click the Services tab. 
  2. Under the Security, Identity & Compliance section, click IAM.
  3. On the left pane of the Welcome to Identity and Access Management page, click Roles.
  4. On the top-left corner of the page, click Create new role.
  5. On the Select role type page, click AWS Service Role, and then click Select against the Amazon EC2 option.
  6. Click Next Step.
  7. On the Attach Policy page, select the VMimport Policy you have created.
  8. Click Next Step.
  9. On the Set role name and review page, in the Role name box, enter "vmimport" as the role name.
  10. Verify the role information.

    You can edit the role name and attach a different policy to the role.
  11. Click Create Role.

Step 5: Establish trust relationship for VM import Role

Before you establish a trust relationship for the VM import role, ensure the following:

Procedure

  1. On the AWS console, click the Services tab. 
  2. Under the Security, Identity & Compliance section, click IAM.
  3. On the left pane of the Welcome to Identity and Access Management page, click Roles.
  4. On the Roles page, click the VMimport role you have created.
  5. On the Summary page, click the Trust Relationships tab.
  6. Click Edit Trust Relationship.
  7. On the Edit Trust Relationship page, copy and paste the contents of the VM trust policy file (policy_vmimport_trust.json) into the Policy Document box.
  8. Click Update Trust Policy.
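The following is an added example, not Druva's code and not the contents of the downloaded Druva policy files. It shows the trust documents that sit behind Steps 2, 4 and 5, a check you can run on a trust relationship before pasting it into the console in Step 5, and the AWS CLI equivalent of the five console procedures. Assumed rather than taken from this page: the files policy_dr_proxy.json, policy_vmimport.json and policy_vmimport_trust.json are in the current directory; the names PhoenixDRProxyPolicy, PhoenixDRProxyRole, VMImportPolicy and the account ID 123456789012 are placeholders; and the vmimport trust document is the one AWS documents for VM Import/Export, which policy_vmimport_trust.json is assumed to match.

```python
"""Added example (not Druva's code): trust documents for the Phoenix AWS Proxy
and vmimport roles, a pre-apply audit of a trust relationship, and the AWS CLI
equivalent of Steps 1-5. File names, role/policy names and the account ID are
placeholders; the vmimport trust document is the one AWS documents."""
import json

VMIMPORT_ROLE_NAME = "vmimport"  # the VM Import service looks for this exact name

# Trust document the console generates for "AWS Service Role > Amazon EC2"
# (Step 2): the proxy instance assumes the role through the EC2 service.
EC2_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

# Trust document AWS documents for the vmimport role (Step 5): only the
# vmie.amazonaws.com service may assume it, and only with external ID "vmimport".
VMIMPORT_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "vmie.amazonaws.com"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:Externalid": "vmimport"}},
    }],
}


def _as_list(value):
    """IAM accepts a single value or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def audit_trust_policy(doc, expected_service, external_id=None):
    """Return findings (empty list = OK) for a trust policy before it is applied.

    Flags the hand-editing mistakes that widen who can assume the role: a
    wildcard or account principal instead of the expected service, an action
    broader than sts:AssumeRole, or a missing/incorrect sts:Externalid
    condition when one is required (as on the vmimport role).
    """
    statements = _as_list(doc.get("Statement"))
    if not statements:
        return ["no statements: nobody can assume the role"]
    findings = []
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if not isinstance(principal, dict):  # "*" or missing principal
            findings.append(f"statement {i}: principal {principal!r} is not restricted to a service")
            continue
        extra = sorted(set(principal) - {"Service"})  # e.g. an "AWS" account principal
        if extra:
            findings.append(f"statement {i}: principal types {extra} widen who can assume the role")
        if _as_list(principal.get("Service")) != [expected_service]:
            findings.append(f"statement {i}: service principal {principal.get('Service')!r} is not {expected_service}")
        for action in _as_list(stmt.get("Action")):
            if action.lower() != "sts:assumerole":
                findings.append(f"statement {i}: action {action!r} is broader than sts:AssumeRole")
        if external_id is not None:
            equals = stmt.get("Condition", {}).get("StringEquals", {})
            found = [v for k, v in equals.items() if k.lower() == "sts:externalid"]
            if found != [external_id]:
                findings.append(f"statement {i}: sts:Externalid condition must equal {external_id!r}")
    return findings


def cli_commands(account_id="123456789012", proxy_policy="PhoenixDRProxyPolicy",
                 proxy_role="PhoenixDRProxyRole", vmimport_policy="VMImportPolicy"):
    """AWS CLI equivalent of Steps 1-5, returned as a list (nothing is executed).

    Unlike the console's "AWS Service Role > Amazon EC2" choice, the CLI does not
    create the instance profile that lets the proxy instance use the role, so it
    is created explicitly. Names and account ID are placeholders.
    """
    arn = f"arn:aws:iam::{account_id}:policy/"
    return [
        # Step 1: permission policy for the Phoenix AWS Proxy
        f"aws iam create-policy --policy-name {proxy_policy} --policy-document file://policy_dr_proxy.json",
        # Step 2: EC2 service role for the proxy plus its instance profile
        f"aws iam create-role --role-name {proxy_role} --assume-role-policy-document file://ec2_trust.json",
        f"aws iam attach-role-policy --role-name {proxy_role} --policy-arn {arn}{proxy_policy}",
        f"aws iam create-instance-profile --instance-profile-name {proxy_role}",
        f"aws iam add-role-to-instance-profile --instance-profile-name {proxy_role} --role-name {proxy_role}",
        # Step 3: VMimport permission policy
        f"aws iam create-policy --policy-name {vmimport_policy} --policy-document file://policy_vmimport.json",
        # Steps 4 and 5: the vmimport role created directly with its trust policy
        f"aws iam create-role --role-name {VMIMPORT_ROLE_NAME} --assume-role-policy-document file://policy_vmimport_trust.json",
        f"aws iam attach-role-policy --role-name {VMIMPORT_ROLE_NAME} --policy-arn {arn}{vmimport_policy}",
        # Step 5 alone, for a vmimport role that was created in the console with the EC2 trust
        f"aws iam update-assume-role-policy --role-name {VMIMPORT_ROLE_NAME} --policy-document file://policy_vmimport_trust.json",
        # Verify what was actually stored before the proxy starts using the account
        f"aws iam get-role --role-name {VMIMPORT_ROLE_NAME} --query Role.AssumeRolePolicyDocument",
    ]


if __name__ == "__main__":
    with open("ec2_trust.json", "w") as fh:  # referenced by the Step 2 create-role command
        json.dump(EC2_TRUST_POLICY, fh, indent=2)
    print("EC2 trust:", audit_trust_policy(EC2_TRUST_POLICY, "ec2.amazonaws.com") or "OK")
    print("vmimport trust:", audit_trust_policy(VMIMPORT_TRUST_POLICY, "vmie.amazonaws.com", "vmimport") or "OK")
    print("\n".join(cli_commands()))
```

Run the script once to write ec2_trust.json and print the commands; run audit_trust_policy on the document you are about to paste in Step 5 (for example after loading policy_vmimport_trust.json with json.load) so that a wildcard principal or a dropped sts:Externalid condition is caught before the role becomes assumable by more than the vmie.amazonaws.com service. The final get-role command is the check worth keeping in a runbook: it shows the trust relationship IAM actually stored, not the one you intended to paste.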