
Dell EMC PowerProtect DDVE on Amazon Web Services 7.9 Installation and Administration Guide


Set up role-based access to the AWS object store

The AWS object store uses role-based access for S3. To give DDVE access to the S3 bucket, create an Identity and Access Management (IAM) role and attach it to DDVE.

Prerequisites

To create the IAM role and the policy that is associated with the role, the AWS user must have the necessary IAM privileges. The following IAM privileges and actions are required to create and attach the IAM role:

    "iam:AddRoleToInstanceProfile",
    "iam:AttachRolePolicy",
    "iam:CreateRole",
    "iam:DeleteRole",
    "iam:DeleteRolePolicy",
    "iam:DetachRolePolicy",
    "iam:GetRole",
    "iam:GetRolePolicy",
    "iam:ListRolePolicies",
    "iam:ListRoles",
    "iam:PassRole",
    "iam:RemoveRoleFromInstanceProfile",
    "iam:UpdateRolePolicy",
    "iam:CreateInstanceProfile",
    "iam:PutRolePolicy",
    "iam:DeleteInstanceProfile"

About this task

When the role is attached to DDVE, the S3 object store credentials are automatically fetched. The AWS infrastructure periodically rotates the access credentials. The DDVE automatically fetches the new credentials before the old credentials expire.

Steps

  1. Create the policy to attach to the IAM role:
    1. Sign in to the AWS Management Console and open the IAM Service Console.
    2. In the navigation pane of the IAM console, select Policies > Create policy.
    3. Do one of the following:
      • Create a policy for AWS Standard Cloud:

        In the Create policy web page, select the JSON tab. Replace the text under the JSON tab with the following content. Replace my-bucket-name with the name of the bucket that you created in Create an S3 bucket.

        {
            "Version": "2012-10-17",
            "Statement": [
               {
                    "Effect": "Allow",
                    "Action": [
                        "s3:ListBucket",
                        "s3:GetObject",
                        "s3:PutObject",
                        "s3:DeleteObject"
                    ],
                    "Resource": [
                        "arn:aws:s3:::my-bucket-name",
                        "arn:aws:s3:::my-bucket-name/*"
                    ]
               }
            ]
        } 
        
      • Create a policy for AWS Gov Cloud:

        In the Create policy web page, select the JSON tab. Replace the text under the JSON tab with the following content. Replace my-bucket-name with the name of the bucket that you created in Create an S3 bucket. In the Resource element below, use the arn:aws-us-gov:s3:::my-bucket-name form for AWS Gov Cloud.

        {
            "Version": "2012-10-17",
            "Statement": [
               {
                    "Effect": "Allow",
                    "Action": [
                        "s3:ListBucket",
                        "s3:GetObject",
                        "s3:PutObject",
                        "s3:DeleteObject"
                    ],
                    "Resource": [
                        "arn:aws-us-gov:s3:::my-bucket-name",
                        "arn:aws-us-gov:s3:::my-bucket-name/*"
                    ]
               }
            ]
        }  
        
    4. Verify this information, and then click Review policy.
    5. Provide a name and description for the policy, and click Create policy.
      NOTE: Make a note of the policy name. It will be used to attach the policy to the role in the next step.
  2. Create the role for S3 bucket access:
    1. In the navigation pane of the IAM console, select Roles > Create role.
    2. On the Create role page:
      1. For Select type of trusted entity, select AWS service.
      2. For Choose the service that will use this role, select EC2, and then click Next Permissions.
    3. On the Attach permissions policies page, select the policy that you created in the previous step. Select Next Tags to create a tag for the role.
      Figure 1. Creating a role
    4. Click Next:Review. In the Review section, provide a name for the role and click Create role.
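
The console steps above can also be scripted with the AWS CLI. The following is an added example, not part of the Dell EMC guide: the names ddve-s3-policy and ddve-s3-role are hypothetical, the bucket-name check is an extra safeguard, and it assumes an AWS CLI profile that holds the prerequisite IAM privileges.

```shell
#!/bin/sh
# Added example: AWS CLI equivalent of steps 1 and 2 (not from the Dell EMC guide).

# Print the S3 policy from step 1. partition: "aws" (standard) or "aws-us-gov".
ddve_s3_policy() {
  local partition="$1" bucket="$2"
  case "$partition" in
    aws|aws-us-gov) ;;
    *) echo "unsupported partition: $partition" >&2; return 1 ;;
  esac
  # Refuse empty names and wildcards so the policy stays scoped to one bucket.
  case "$bucket" in
    ""|*[*?]*) echo "invalid bucket name: $bucket" >&2; return 1 ;;
  esac
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
    "Resource": ["arn:${partition}:s3:::${bucket}", "arn:${partition}:s3:::${bucket}/*"]
  }]
}
EOF
}

# Trust policy that the console generates when EC2 is chosen as the trusted service.
ec2_trust_policy() {
  printf '%s\n' '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"ec2.amazonaws.com"},"Action":"sts:AssumeRole"}]}'
}

# Create the policy, the role, and the instance profile, then link them.
create_ddve_role() {
  local partition="$1" bucket="$2" policy_name="${3:-ddve-s3-policy}" role_name="${4:-ddve-s3-role}"
  local doc arn
  doc="$(ddve_s3_policy "$partition" "$bucket")" || return 1
  arn="$(aws iam create-policy --policy-name "$policy_name" \
        --policy-document "$doc" --query 'Policy.Arn' --output text)" || return 1
  aws iam create-role --role-name "$role_name" \
      --assume-role-policy-document "$(ec2_trust_policy)" >/dev/null || return 1
  aws iam attach-role-policy --role-name "$role_name" --policy-arn "$arn" || return 1
  # The console creates the instance profile implicitly; the CLI does not.
  aws iam create-instance-profile --instance-profile-name "$role_name" >/dev/null || return 1
  aws iam add-role-to-instance-profile --instance-profile-name "$role_name" --role-name "$role_name"
}

# Runs only when called with arguments, for example: ./ddve-role.sh aws my-bucket-name
if [ "$#" -ge 2 ]; then create_ddve_role "$@"; fi
```

Run ddve_s3_policy on its own first to review the generated JSON before anything is created in the account.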

Next steps

You must attach the role to the DDVE instance before it can be configured. This task can be done during or after deployment.

