
Create an AWS Access Role

This article guides you through securely connecting your AWS account with Druva using an AWS access role. By deploying a pre-configured CloudFormation stack, you can instantly provision an Identity and Access Management (IAM) role that grants AWS Workloads (CloudRanger) the required access to securely connect, monitor, and manage your AWS accounts.

IAM role

To automate the IAM role setup, AWS Workloads (CloudRanger) provides a CloudFormation template that is used to create a stack. Once the stack is deployed, it provisions the following IAM resources to grant Druva CloudRanger access to your AWS account:

  • IAM Role

  • IAM Instance Profile

  • IAM Policy

The generated Amazon Resource Name (ARN) of the IAM role is then linked back to CloudRanger so that it can run backup and restore jobs on your AWS workloads.


📝 Note
AWS Workloads (CloudRanger) follows all security protocols and best practices recommended by AWS. All access permissions to your AWS resources and regions are controlled by AWS Identity and Access Management.


Before you begin

Ensure that you are logged into the AWS account for which you wish to configure the Access Role.


❗ Important

The CloudFormation template creates various resources in your AWS account and must be executed by a user with the following permissions:

  • IAM create role/policy

  • S3 create bucket

  • IAM create instance profile

  • SNS publish


Create AWS access role

The following steps describe how to create an IAM access role to grant CloudRanger access to your AWS account.

  1. Log in to your management console.

  2. Click Add New Account.


  3. Copy or download the CloudFormation template to manually create the stack and provision the access role for your AWS environment.

  4. Click Launch AWS Console to be automatically directed to the CloudFormation section of your AWS account.
    The details are pre-populated in the required sections.


📝 Note

If you are not redirected to the appropriate page, you can create a new stack from your AWS management console.

  • Navigate to the AWS CloudFormation console.

  • On the Stacks page, choose Create stack at top right, and then click With new resources (standard).


  5. Select the I acknowledge that AWS CloudFormation might create IAM resources with custom names check box, and then click Create Stack to generate the CloudFormation stack.

  6. Refresh the stack until the Status reads CREATE_COMPLETE.



AWS Workloads (CloudRanger) then initiates a Sync with AWS to synchronize the Druva management console with your AWS environment. Once the synchronization is complete, all resources are highlighted with a green checkmark. This validates that your resources on AWS Workloads (CloudRanger) are now synchronized with your AWS account.


📝 Note

To whitelist an IAM role when adding a new CloudFormation stack template, you will need to specify a CloudRanger AccountID parameter (as an 8-digit alphanumeric value). If not specified, we will create this parameter for you and attach it to the IAM roles.

  • Naming convention for all new and updated roles:
    arn:aws:iam::{aws_account_id}:role/cloudranger-orchestration-{account_id} and
    arn:aws:iam::{aws_account_id}:role/cloudranger-ec2-data-{account_id}

  • No special characters are allowed for the CRAccountIdParameter.

  • All existing roles will be updated to follow this naming convention.

  • The CRAccountIdParameter specified here cannot be modified when updating the CF stack.

  • IAM roles cannot be whitelisted with stacksets since the CRAccountIdParameter needs to be unique.
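
The naming convention above can be used to audit which CloudRanger roles exist in an account after the stack is deployed. The following is an added example, not Druva's code: it validates the parameter, builds the two expected role ARNs, and compares them against a list of role ARNs. It assumes "8-digit alphanumeric" means exactly 8 characters from A-Z, a-z and 0-9; the account ID, parameter value and role list are constructed sample data.

```python
import re

# Assumption: the page's "8-digit alphanumeric value" means exactly
# 8 characters drawn from A-Z, a-z, 0-9 (no special characters).
CR_ID = re.compile(r"[A-Za-z0-9]{8}")
KINDS = ("orchestration", "ec2-data")  # the two role name stems from the page


def expected_role_arns(aws_account_id, cr_account_id):
    """Build the two role ARNs that the naming convention predicts."""
    if not re.fullmatch(r"\d{12}", aws_account_id):
        raise ValueError("AWS account IDs are 12 digits")
    if not CR_ID.fullmatch(cr_account_id):
        raise ValueError("CRAccountIdParameter must be 8 alphanumeric characters")
    return [
        f"arn:aws:iam::{aws_account_id}:role/cloudranger-{kind}-{cr_account_id}"
        for kind in KINDS
    ]


def audit_roles(role_arns, aws_account_id, cr_account_id):
    """Compare role ARNs found in an account against the expected pair."""
    expected = set(expected_role_arns(aws_account_id, cr_account_id))
    found = set(role_arns)
    return {
        "present": sorted(expected & found),
        "missing": sorted(expected - found),
        # cloudranger-named roles that do not match the expected pair,
        # for example a role carrying a different account_id suffix
        "unexpected": sorted(
            arn for arn in found - expected if "role/cloudranger-" in arn.lower()
        ),
    }


# Constructed sample data: placeholder account ID, parameter and role list.
SAMPLE_ROLES = [
    "arn:aws:iam::123456789012:role/cloudranger-orchestration-ab12cd34",
    "arn:aws:iam::123456789012:role/cloudranger-ec2-data-zz99zz99",
    "arn:aws:iam::123456789012:role/app-deploy",
]

if __name__ == "__main__":
    for key, arns in audit_roles(SAMPLE_ROLES, "123456789012", "ab12cd34").items():
        print(key, arns)
```

In practice the role list would come from your own inventory of the account, for example the `Arn` fields returned by `aws iam list-roles`.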


Add new AWS accounts

You can add multiple AWS Accounts and manage them all from your integrated CloudRanger console.

  1. Log in to your Druva CloudRanger console and navigate to the Organization in which you wish to add one or more new accounts.

  2. Click Add New Account on the top right.

  3. Follow the same process as when creating your initial AWS Access Role.


📝 Note
You will need to generate a new CloudFormation stack for each AWS Account that you wish to manage on Druva CloudRanger.


Once the AWS account access is set up, the Last Access Status displays the appropriate status:

  • Latest: Indicates that the AWS access role is up to date.

  • Update: Indicates that the AWS access role needs to be updated. Click the link to update the CloudFormation template on your AWS console. For more information, see Update Existing AWS Access Roles.


📝 Note
To verify the access status with your AWS environment, select an Account and then click Verify AWS account access.

