Druva Documentation

Create IAM policies and roles

Phoenix Editions: Business (not available), Enterprise (available), Elite (available) (Purchase Separately)

This section provides the steps to create IAM policies and roles on the AWS console. The VMimport policy defines the permissions required to import virtual machine images from the virtual environment to Amazon EC2 as AMIs. The VMimport role allows access to Amazon EC2 for creating AMIs in the AWS account. The IAM policy lets you define permissions for users, groups, roles, and resources. The IAM role provides access capabilities to AWS users. Establishing a trust relationship for the VM import role defines which trusted entities can assume the role and the conditions under which they can do so.

Step 1: Create VMimport Policy to access data backup

Before you create a VMimport Policy, ensure that you have downloaded the policy and saved it on the machine. For more information, see Download policies.

Procedure

  1. Log into the AWS account. 
  2. Under the Security, Identity & Compliance section, click IAM.
  3. On the left pane of the Welcome to Identity and Access Management page, click Policies.
  4. On the top-left corner of the page, click Create Policy.
  5. On the Create Policy page, select the JSON tab. 
  6. In the JSON tab, copy-paste the policy_vmimport.json policy. For more information, see Download policies.
  7. After you copy-paste the JSON policy, click Review policy.
  8. On the Review Policy page, add the following details:
    • Name: A unique policy name.
    • Description: A description of the added policy.
    • Summary: Review the permissions that your policy grants. 
  9. Click Create Policy.

Step 2: Create VMimport Role to access AWS

The VMimport role is the cross-account role required by the VMimport utility in AWS. It needs read-only access to Phoenix storage and snapshot-level access to EC2. The VMimport role grants the AWS service "vmie.amazonaws.com" access to create AMIs in the account.

You must create the role with the name "vmimport" and attach both the vmimport permission policy and the vmimport trust policy to it.

Before you create a VMimport Role, ensure that you have created the VMimport policy. For more information, see Create VMimport Policy.

Procedure

  1. On the AWS console, under the Security, Identity & Compliance section, click IAM.
  2. On the left pane of the Welcome to Identity and Access Management page, click Roles.
  3. On the Roles page, click Create role.
  4. In the Select type of trusted entity section of the Create role wizard, select AWS service > EC2, and then click Next: Permissions.
  5. In the Attach permissions policies section, select the VMimport Policy that you created in Step 1, and click Next: Review.
  6. In the Review section, enter vmimport in the Role name box, verify the role information, and click Create role.

Step 3: Create IAM Policy to access AWS resources

You must create an IAM Policy to access AWS resources. Before you create an IAM Policy, ensure that you have downloaded the policy files and saved them on the machine. For more information, see Download policies.

Procedure

  1. Log into the AWS account. 
  2. Under the Security, Identity & Compliance section, click IAM.
  3. On the left pane of the Welcome to Identity and Access Management page, click Policies.
  4. On the top-left corner of the page, click Create Policy.
  5. On the Create Policy page, select the JSON tab. 
  6. In the JSON tab, copy-paste the policy_dr_proxy.json policy. For more information, see Download policies.
  7. After you copy-paste the JSON policy, click Review policy.
  8. In the Review policy section, add the following details:
    • Policy Name: A unique IAM Policy name.
    • Description: A description of the added policy.
    • Summary: Review the permissions that your policy grants. 
  9. Click Create Policy.

Step 4: Create IAM Role for Phoenix AWS Proxy

The IAM Role ensures that the Phoenix AWS proxy has sufficient privileges to import data from the Druva account into the AWS account and create an AMI. The IAM Role requires read and write permissions for Phoenix storage and EC2 to create and maintain machine images in the account. The IAM Role should also have read permission to access data on the Druva account.

Note: A role with the required policy must be attached to the Phoenix AWS proxy.

Before you create an IAM Role, ensure that you have created the IAM Policy. For more information, see Create IAM Policy.

Procedure

  1. On the AWS console, under the Security, Identity & Compliance section, click IAM.
  2. On the left pane of the Welcome to Identity and Access Management page, click Roles.
  3. On the Roles page, click Create role.
  4. In the Select type of trusted entity section of the Create role wizard, select AWS service > EC2, and then click Next: Permissions.
  5. In the Attach permissions policies section, select the Phoenix AWS proxy policy that you created in Step 3, and click Next: Review.
  6. In the Review section, enter a unique name for the disaster recovery role in the Role name box, verify the role information, and click Create role.

The created role gets listed on the Configure Instance Details page.

Step 5: Establish trust relationship for VM import Role

Before you establish a trust relationship for the VM import role, ensure the following:

Procedure

  1. On the AWS console, under the Security, Identity & Compliance section, click IAM.
  2. On the left pane of the Welcome to Identity and Access Management page, click Roles.
  3. On the Roles page, click the VMimport role you have created.
  4. On the Summary page, click the Trust Relationships tab.
  5. Click Edit Trust Relationship.
  6. On the Edit Trust Relationship page, copy-paste the VM trust policy (policy_vmimport_trust.json) in the Policy Document box.
  7. Click Update Trust Policy.
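Before pasting the trust policy in step 6 above (and as a check on the vmimport role described in Step 2), a small validator like the following confirms that the role trusts only the vmie.amazonaws.com service, allows only sts:AssumeRole, and pins the sts:ExternalId condition, so no broader principal can assume it. This is an added example, not Druva's own tooling; the sample document is constructed to match the shape of AWS's standard VM Import trust policy, which is an assumption about the contents of policy_vmimport_trust.json.

```python
import json

# Constructed sample trust policy for the "vmimport" role. Assumption: Druva's
# policy_vmimport_trust.json follows the standard AWS VM Import trust policy.
SAMPLE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "vmie.amazonaws.com"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:Externalid": "vmimport"}},
    }],
})

EXPECTED_SERVICE = "vmie.amazonaws.com"
EXPECTED_EXTERNAL_ID = "vmimport"


def check_vmimport_trust_policy(document: str) -> list:
    """Return a list of findings; an empty list means the document looks right."""
    findings = []
    statements = json.loads(document).get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    if not statements:
        return ["policy has no statements"]
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*" or principal == {"AWS": "*"}:
            findings.append(f"statement {idx}: wildcard principal, any account could assume the role")
        elif (not isinstance(principal, dict) or set(principal) != {"Service"}
              or principal["Service"] != EXPECTED_SERVICE):
            findings.append(f"statement {idx}: principal is not {EXPECTED_SERVICE}")
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        if actions != ["sts:AssumeRole"]:
            findings.append(f"statement {idx}: actions {actions} should be exactly sts:AssumeRole")
        # IAM condition keys are case-insensitive; AWS docs spell this one sts:Externalid.
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        ext = {k.lower(): v for k, v in cond.items()}.get("sts:externalid")
        if ext != EXPECTED_EXTERNAL_ID:
            findings.append(f"statement {idx}: missing or wrong sts:ExternalId condition")
    return findings


if __name__ == "__main__":
    for line in check_vmimport_trust_policy(SAMPLE_TRUST_POLICY) or ["trust policy OK"]:
        print(line)
```

Run it against the downloaded policy_vmimport_trust.json instead of the constructed sample to verify the file before pasting it into the Policy Document box.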