AWS IAM role for Server Backup agents
Server Backup data is stored in one or more Amazon S3 buckets in your AWS account. To allow Server Backup agents to access your S3 buckets, you must create an IAM role in your AWS account. Server Backup agents can assume this role and back up data to and restore data from your S3 buckets.
To create the IAM role, we recommend downloading a CloudFormation template from the Management Console and using the template to create a stack in the AWS CloudFormation console. See Setting up Server Backup storage. Alternatively, you can create the IAM role in your AWS account using the AWS Management Console, an IaC product such as Terraform, or another method.
IMPORTANT: If you are an administrator for an MSP or partner with more than one Management Console, and want to use the same AWS account for all of your Server Backup storage, do not download a CloudFormation template when setting up storage in additional consoles or adding S3 buckets. Instead, edit the IAM role trust policy or permissions policy manually. See Using the same storage for multiple Management Consoles and Updating the IAM role for new S3 buckets.
If you add a bucket to your Server Backup storage, you must update the IAM role in your AWS account so that Server Backup agents can back up data to and restore data from the new S3 bucket. See Updating the IAM role for new S3 buckets.
IAM role requirements
The IAM role in your AWS account must meet the following requirements:
- The role name must be: ServerBackupAccessRole
- The maximum session duration, in seconds, must be: 21600
- The trust policy must allow Server Backup agents to assume the ServerBackupAccessRole role in your AWS account. For trust policy requirements in JSON format, see Trust policy.
- The permissions policy must allow the trusted role to read and write data in the Amazon S3 buckets where you want to store Server Backup data. For required permissions in JSON format, see Permissions policy.
Trust policy
The following trust policy in JSON format is required for Server Backup agents to back up data to and restore data from your Amazon S3 buckets. Server Backup agents are trusted to access your storage and are identified by the "arn:aws:iam::662124509659:role/OpenTextServerBackupAccessAssumeRole" role.
The trust policy must specify the External ID from the Server Backup Guided Setup wizard in the Management Console. In the following example, the External ID is 12345678-abcd-1234-abcd-12345678910a. Replace this value with your External ID from the Server Backup Guided Setup wizard. For more information, see Setting up Server Backup storage.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::662124509659:role/OpenTextServerBackupAccessAssumeRole"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "12345678-abcd-1234-abcd-12345678910a"
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::662124509659:role/OpenTextServerBackupAccessAssumeRole"
      },
      "Action": "sts:TagSession"
    }
  ]
}
Using the same storage for multiple Management Consoles
If you are an admin for an MSP or partner with more than one Management Console, and want to use the same AWS account for all of your Server Backup storage, only download and use a CloudFormation template to set up storage for the first console. For subsequent consoles, copy the External ID from the Server Backup Guided Setup wizard and manually add it in the IAM role trust policy in your AWS account.
In the following example, the External ID for the second console is 98765432-dcba-9876-dcba-98765432110d.
{
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::662124509659:role/OpenTextServerBackupAccessAssumeRole"
  },
  "Action": "sts:AssumeRole",
  "Condition": {
    "StringEquals": {
      "sts:ExternalId": [
        "12345678-abcd-1234-abcd-12345678910a",
        "98765432-dcba-9876-dcba-98765432110d"
      ]
    }
  }
}
Permissions policy
The following permissions policy in JSON format is required for Server Backup agents to back up data to and restore data from your Amazon S3 buckets.
The permissions policy must specify the name of each S3 bucket where agents can read and write data. In the following example, the S3 buckets are named "bucket-one" and "bucket-two". Replace these names with your own S3 bucket names.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "BucketLevelPermissions",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation",
        "s3:GetBucketVersioning",
        "s3:ListBucketVersions",
        "s3:GetIntelligentTieringConfiguration",
        "s3:PutIntelligentTieringConfiguration",
        "s3:GetLifecycleConfiguration",
        "s3:PutLifecycleConfiguration",
        "s3:GetBucketObjectLockConfiguration",
        "s3:PutBucketObjectLockConfiguration"
      ],
      "Resource": [
        "arn:aws:s3:::bucket-one",
        "arn:aws:s3:::bucket-two"
      ]
    },
    {
      "Sid": "ObjectLevelPermissions",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:GetObjectAttributes",
        "s3:GetObjectVersion",
        "s3:GetObjectVersionAttributes",
        "s3:DeleteObject",
        "s3:DeleteObjectVersion",
        "s3:BypassGovernanceRetention",
        "s3:GetObjectLegalHold",
        "s3:GetObjectRetention",
        "s3:PutObjectLegalHold",
        "s3:PutObjectRetention"
      ],
      "Resource": [
        "arn:aws:s3:::bucket-one/*",
        "arn:aws:s3:::bucket-two/*"
      ]
    }
  ]
}
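As an added example (not part of this documentation or the Server Backup product), the following Python checks a role definition against the requirements above: role name, maximum session duration, the trust policy's principal, its External ID condition (the guard against a confused-deputy assumption) and its sts:TagSession statement, and the presence of every bucket in both resource lists of the permissions policy. The role fields follow the Role object returned by `aws iam get-role`; the permissions policy document is passed separately, and the sample inputs are constructed from this page's examples with the action lists shortened.

```python
TRUSTED_PRINCIPAL = "arn:aws:iam::662124509659:role/OpenTextServerBackupAccessAssumeRole"

# Constructed sample input, built from the example policies on this page (action lists shortened).
SAMPLE_ROLE = {"RoleName": "ServerBackupAccessRole", "MaxSessionDuration": 21600,
    "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": TRUSTED_PRINCIPAL}, "Action": "sts:AssumeRole",
         "Condition": {"StringEquals": {"sts:ExternalId": "12345678-abcd-1234-abcd-12345678910a"}}},
        {"Effect": "Allow", "Principal": {"AWS": TRUSTED_PRINCIPAL}, "Action": "sts:TagSession"}]}}
SAMPLE_PERMISSIONS = {"Version": "2012-10-17", "Statement": [
    {"Sid": "BucketLevelPermissions", "Effect": "Allow", "Action": ["s3:ListBucket"],
     "Resource": ["arn:aws:s3:::bucket-one", "arn:aws:s3:::bucket-two"]},
    {"Sid": "ObjectLevelPermissions", "Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": ["arn:aws:s3:::bucket-one/*", "arn:aws:s3:::bucket-two/*"]}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _allows(policy, action, principal=None):
    # Allow statements granting `action`, optionally only those naming one AWS principal.
    return [s for s in policy.get("Statement", []) if s.get("Effect") == "Allow"
            and action in _as_list(s.get("Action"))
            and (principal is None or (isinstance(s.get("Principal"), dict)
                                       and s["Principal"].get("AWS") == principal))]

def check_role(role, permissions_policy, external_id, buckets):
    """Return findings (empty list = compliant). `role` is the Role object from
    `aws iam get-role`; `permissions_policy` is the policy document attached to it."""
    findings = []
    if role.get("RoleName") != "ServerBackupAccessRole":
        findings.append("role name must be ServerBackupAccessRole")
    if role.get("MaxSessionDuration") != 21600:
        findings.append("maximum session duration must be 21600 seconds")
    trust = role.get("AssumeRolePolicyDocument", {})
    assume = _allows(trust, "sts:AssumeRole", TRUSTED_PRINCIPAL)
    ids = [i for s in assume for i in _as_list(
        s.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId", []))]
    if not assume:
        findings.append("trust policy does not let the Server Backup role assume this role")
    elif external_id not in ids:
        findings.append("trust policy AssumeRole statement does not require External ID " + external_id)
    if not _allows(trust, "sts:TagSession", TRUSTED_PRINCIPAL):
        findings.append("trust policy lacks an sts:TagSession statement for the Server Backup role")
    bucket_res = {r for s in _allows(permissions_policy, "s3:ListBucket") for r in _as_list(s.get("Resource"))}
    object_res = {r for s in _allows(permissions_policy, "s3:PutObject") for r in _as_list(s.get("Resource"))}
    for b in buckets:
        if f"arn:aws:s3:::{b}" not in bucket_res:
            findings.append(f"bucket-level statement does not list arn:aws:s3:::{b}")
        if f"arn:aws:s3:::{b}/*" not in object_res:
            findings.append(f"object-level statement does not list arn:aws:s3:::{b}/*")
    return findings
```

Run it against the real role by loading the output of `aws iam get-role` and `aws iam get-role-policy` and passing the External ID shown in the Guided Setup wizard; any non-empty result is a configuration to fix before agents try to back up.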
Updating the IAM role for new S3 buckets
If you add an Amazon S3 bucket to your Server Backup storage, you must update the IAM role in your AWS account so that Server Backup agents can back up data to and restore data from the new S3 bucket. To do this, you can download a CloudFormation template from the Management Console and use the template to update the IAM role in your AWS account. See Adding S3 buckets for Server Backup.
IMPORTANT: If you are an administrator for an MSP or partner with more than one Management Console, and use the same AWS account for all of your Server Backup storage, do not download and use a CloudFormation template when adding S3 buckets in your consoles. Instead, edit the IAM role permissions policy manually, as described below.
You can also manually add the buckets to the two resource lists in the permissions policy. For example, if you add an S3 bucket named "bucket-three", add its name in both resource lists in the permissions policy as shown below.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "BucketLevelPermissions",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation",
        "s3:GetBucketVersioning",
        "s3:ListBucketVersions",
        "s3:GetIntelligentTieringConfiguration",
        "s3:PutIntelligentTieringConfiguration",
        "s3:GetLifecycleConfiguration",
        "s3:PutLifecycleConfiguration",
        "s3:GetBucketObjectLockConfiguration",
        "s3:PutBucketObjectLockConfiguration"
      ],
      "Resource": [
        "arn:aws:s3:::bucket-one",
        "arn:aws:s3:::bucket-two",
        "arn:aws:s3:::bucket-three"
      ]
    },
    {
      "Sid": "ObjectLevelPermissions",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:GetObjectAttributes",
        "s3:GetObjectVersion",
        "s3:GetObjectVersionAttributes",
        "s3:DeleteObject",
        "s3:DeleteObjectVersion",
        "s3:BypassGovernanceRetention",
        "s3:GetObjectLegalHold",
        "s3:GetObjectRetention",
        "s3:PutObjectLegalHold",
        "s3:PutObjectRetention"
      ],
      "Resource": [
        "arn:aws:s3:::bucket-one/*",
        "arn:aws:s3:::bucket-two/*",
        "arn:aws:s3:::bucket-three/*"
      ]
    }
  ]
}
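As an added example (not from this documentation), a small Python helper that performs the manual edit described above: it appends a new bucket to both resource lists of the permissions policy, is safe to re-run, rejects names that fail basic S3 bucket naming rules before they reach the policy, and reports which buckets are fully covered afterwards. The sample policy is constructed from this page's example with the action lists shortened.

```python
import copy
import re

# Constructed sample: this page's two-bucket permissions policy with the action lists shortened.
PERMISSIONS_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "BucketLevelPermissions", "Effect": "Allow", "Action": ["s3:ListBucket"],
     "Resource": ["arn:aws:s3:::bucket-one", "arn:aws:s3:::bucket-two"]},
    {"Sid": "ObjectLevelPermissions", "Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": ["arn:aws:s3:::bucket-one/*", "arn:aws:s3:::bucket-two/*"]}]}

# The resource ARN each statement (keyed by Sid) must carry for a bucket.
RESOURCE_BY_SID = {"BucketLevelPermissions": "arn:aws:s3:::{}",
                   "ObjectLevelPermissions": "arn:aws:s3:::{}/*"}

# Basic S3 bucket naming rules: 3-63 characters of lowercase letters, digits, dots and hyphens.
BUCKET_NAME = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")

def _resources(statement):
    res = statement.get("Resource", [])
    return res if isinstance(res, list) else [res]

def add_buckets(policy, buckets):
    """Return a copy of the policy with each bucket in both resource lists; re-running is a no-op."""
    bad = [b for b in buckets if not BUCKET_NAME.match(b)]
    if bad:
        raise ValueError(f"invalid bucket name(s): {bad}")
    updated = copy.deepcopy(policy)
    by_sid = {s.get("Sid"): s for s in updated["Statement"]}
    missing = [sid for sid in RESOURCE_BY_SID if sid not in by_sid]
    if missing:
        raise ValueError(f"policy lacks statement(s): {missing}")
    for sid, pattern in RESOURCE_BY_SID.items():
        resources = _resources(by_sid[sid])
        for bucket in buckets:
            if pattern.format(bucket) not in resources:
                resources.append(pattern.format(bucket))
        by_sid[sid]["Resource"] = resources
    return updated

def covered_buckets(policy):
    """Bucket names that appear in both resource lists, i.e. those the agents can actually use."""
    by_sid = {s.get("Sid"): set(_resources(s)) for s in policy["Statement"]}
    object_arns = by_sid.get("ObjectLevelPermissions", set())
    names = set()
    for arn in by_sid.get("BucketLevelPermissions", set()):
        name = arn.split(":::", 1)[-1]
        if f"arn:aws:s3:::{name}/*" in object_arns:
            names.add(name)
    return sorted(names)
```

Write the returned policy back with `json.dumps(updated, indent=2)` and use it as the new inline policy document; the original object is left untouched so it can be diffed against the result before applying.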