Using AWS IAM Roles with Veeam Kasten
AWS IAM Roles delegate access to AWS resources to a trusted entity (for example, an IAM User or a Kubernetes Service Account) without handing that entity long-lived credentials for the role itself. Veeam Kasten can be configured to access AWS infrastructure using an IAM Role.
To use a role with Veeam Kasten, first create an IAM Policy that describes the permissions the role will grant. Second, create a role with that policy attached. Finally, configure the trusted entities (an IAM User or a Kubernetes Service Account) that are allowed to assume the role; the role's trust policy is what limits who can assume it, so keep it as narrow as the permissions policy.
Creating an IAM Policy
An IAM Policy specifies the permissions the role will grant. The permissions Veeam Kasten needs to integrate with each AWS service are described here.
The example below is a policy definition that grants the permissions required to snapshot and restore EBS volumes and migrate them across Kubernetes clusters. Note that the two ec2:DeleteSnapshot statements are restricted by tag condition to snapshots Veeam Kasten created itself, so the role cannot delete other snapshots in the account. The S3 statement uses "Resource": "*"; in production, narrow it to the export bucket's ARN (arn:aws:s3:::<bucket> for the bucket-level actions and arn:aws:s3:::<bucket>/* for the object-level actions) so the role cannot read or write other buckets.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CopySnapshot",
        "ec2:CreateSnapshot",
        "ec2:CreateTags",
        "ec2:CreateVolume",
        "ec2:DeleteTags",
        "ec2:DeleteVolume",
        "ec2:DescribeSnapshotAttribute",
        "ec2:ModifySnapshotAttribute",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeRegions",
        "ec2:DescribeSnapshots",
        "ec2:DescribeTags",
        "ec2:DescribeVolumeAttribute",
        "ec2:DescribeVolumesModifications",
        "ec2:DescribeVolumeStatus",
        "ec2:DescribeVolumes"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "ec2:DeleteSnapshot",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "ec2:ResourceTag/name": "kasten__snapshot*"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "ec2:DeleteSnapshot",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "ec2:ResourceTag/Name": "Kasten: Snapshot*"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:CreateBucket",
        "s3:PutObject",
        "s3:GetObject",
        "s3:PutBucketPolicy",
        "s3:ListBucket",
        "s3:DeleteObject",
        "s3:DeleteBucketPolicy",
        "s3:GetBucketLocation",
        "s3:GetBucketPolicy"
      ],
      "Resource": "*"
    }
  ]
}
Note
To enable AWS KMS encryption additional policies are required. Refer to Configuring Veeam Kasten encryption for more information.
Veeam Kasten Installs with IAM Roles
Option I: Using IAM Role With a Kubernetes Service Account (EKS)
Enabling OIDC on your EKS Cluster
Supporting IAM Roles with Kubernetes Service Accounts (SAs) requires the IAM Roles for Service Accounts feature that is available for AWS EKS clusters. Refer to Enabling IAM Roles for Service Accounts on your Cluster for complete instructions to enable this feature. If you have eksctl available, you can run:
$ eksctl utils associate-iam-oidc-provider --cluster ${EKS_CLUSTER_NAME} --approve
Creating an IAM Role for Veeam Kasten Install
To create an IAM Role that delegates permissions to a Kubernetes Service Account, see the AWS documentation on Creating an IAM Role and Policy for your Service Account. Use kasten-io (or the namespace you installed Veeam Kasten in) for the SERVICE_ACCOUNT_NAMESPACE and k10-k10 for the SERVICE_ACCOUNT_NAME in the instructions.
Veeam Kasten can now be installed using the helm command below. No AWS credentials are passed to the chart: EKS mounts a projected service account token into Veeam Kasten's pods and sets the AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE environment variables, and the AWS SDK exchanges that token for temporary role credentials via sts:AssumeRoleWithWebIdentity.
$ helm install k10 kasten/k10 -n kasten-io --create-namespace \
    --set serviceAccount.create=false --set serviceAccount.name=my-service-account
Note
my-service-account refers to the Kubernetes Service Account created in the previous steps, as per the AWS documentation on Creating an IAM Role and Policy for your Service Account. Its name and namespace must match the SERVICE_ACCOUNT_NAME and SERVICE_ACCOUNT_NAMESPACE used in the role's trust policy (k10-k10 in kasten-io if you followed the values above); with a mismatch the pod's token is rejected by sts:AssumeRoleWithWebIdentity and Veeam Kasten cannot reach AWS.
Option II: Using an IAM Role With an IAM User
To create an IAM Role that delegates permissions to an IAM User, see the AWS documentation on Creating a Role to Delegate Permissions to an IAM User.
Note
Once the IAM Role is created, the IAM User must also be granted permissions to assume the role programmatically. For more information about this step, see Granting a User Permissions to Switch Roles.
Once the AWS IAM Role is created, configure Veeam Kasten with the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY for the IAM User along with the AWS ARN of the role. Because this option stores long-lived access keys in the cluster, prefer Option I on EKS where IAM Roles for Service Accounts are available, and keep the IAM User's own permissions limited to sts:AssumeRole on this one role so the keys are useless for anything else if they leak.
$ helm install k10 kasten/k10 --namespace=kasten-io \
--set secrets.awsAccessKeyId="${AWS_ACCESS_KEY_ID}" \
--set secrets.awsSecretAccessKey="${AWS_SECRET_ACCESS_KEY}" \
--set secrets.awsIamRole="${AWS_IAM_ROLE_ARN}"
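The two options above differ only in the role's trust policy: Option I trusts the cluster's OIDC provider, restricted to one service account, and Option II trusts a single IAM User, which then needs its own permission to call sts:AssumeRole. The script below is an added example, not tooling from Veeam Kasten or AWS; it builds both trust policies, creates the role with the aws CLI, and wires up either the service account annotation or the user's assume-role permission. The role name KastenK10Role, the policy name KastenK10Policy, the file kasten-policy.json (the policy document from this page saved locally), and the IAM_USER_NAME and EKS_CLUSTER_NAME variables are assumptions; the account ID and OIDC provider in the usage comments are constructed placeholders.

```shell
#!/bin/sh
# Added example (not Kasten's or AWS's own tooling). Defines the policy
# builders, and only when invoked as "apply irsa" or "apply user" runs the
# aws/kubectl calls. Role, policy and file names below are assumptions.
set -eu

# Trust policy for Option I (IRSA). The "sub" condition pins the role to one
# service account in one namespace; without it any pod in the cluster that can
# get a projected token for this OIDC issuer could assume the role.
irsa_trust_policy() {
  account_id=$1; oidc_provider=$2; namespace=$3; sa_name=$4
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::${account_id}:oidc-provider/${oidc_provider}"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringEquals": {
      "${oidc_provider}:aud": "sts.amazonaws.com",
      "${oidc_provider}:sub": "system:serviceaccount:${namespace}:${sa_name}"
    }}
  }]
}
EOF
}

# Trust policy for Option II: only the named IAM user may assume the role.
user_trust_policy() {
  account_id=$1; user_name=$2
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::${account_id}:user/${user_name}"},
    "Action": "sts:AssumeRole"
  }]
}
EOF
}

# The only permission the IAM user itself needs: switching to this one role.
assume_role_policy() {
  role_arn=$1
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "${role_arn}"}]
}
EOF
}

# Shared steps for both options: create the role with the given trust policy,
# attach the Kasten permissions policy, print the role ARN.
create_role() {
  role_name=$1; trust_json=$2; policy_arn=$3
  aws iam create-role --role-name "$role_name" \
    --assume-role-policy-document "$trust_json" --query Role.Arn --output text
  aws iam attach-role-policy --role-name "$role_name" --policy-arn "$policy_arn"
}

# Usage: ./kasten-iam.sh apply irsa   (or: apply user)
# Example values the trust policies are built from (constructed placeholders):
#   account 123456789012, OIDC provider oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE
if [ "${1:-}" = "apply" ]; then
  ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
  # kasten-policy.json is assumed to hold the policy document from this page.
  POLICY_ARN=$(aws iam create-policy --policy-name KastenK10Policy \
    --policy-document file://kasten-policy.json --query Policy.Arn --output text)
  case ${2:-irsa} in
    irsa)
      # Cluster's OIDC issuer URL without the https:// prefix.
      OIDC=$(aws eks describe-cluster --name "$EKS_CLUSTER_NAME" \
        --query cluster.identity.oidc.issuer --output text | sed 's|^https://||')
      ROLE_ARN=$(create_role KastenK10Role \
        "$(irsa_trust_policy "$ACCOUNT_ID" "$OIDC" kasten-io k10-k10)" "$POLICY_ARN")
      # Assumes the k10-k10 service account already exists in kasten-io.
      kubectl -n kasten-io annotate serviceaccount k10-k10 \
        "eks.amazonaws.com/role-arn=$ROLE_ARN" --overwrite
      ;;
    user)
      ROLE_ARN=$(create_role KastenK10Role \
        "$(user_trust_policy "$ACCOUNT_ID" "$IAM_USER_NAME")" "$POLICY_ARN")
      aws iam put-user-policy --user-name "$IAM_USER_NAME" \
        --policy-name AssumeKastenK10Role \
        --policy-document "$(assume_role_policy "$ROLE_ARN")"
      ;;
  esac
fi
```

For the IRSA path, eksctl create iamserviceaccount --name k10-k10 --namespace kasten-io --cluster ${EKS_CLUSTER_NAME} --attach-policy-arn ${POLICY_ARN} --approve performs the same role creation, trust policy and annotation in one step. Whichever path you use, confirm the trust policy with aws iam get-role --role-name KastenK10Role and check that the sub condition names exactly one service account; a wildcard or missing sub condition lets any workload on the cluster assume the role.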