<h1 id="howtocreateaniamrolewiththepermissionsrequiredformbs">How to create an IAM role with the permissions required for MBS</h1>
<hr />
<p>IAM roles are AWS identities whose attached permissions determine which services and resources can be accessed. CloudBerry MBS needs several permissions to be able to communicate with your Amazon S3 account. As you've already guessed, these permissions can be granted via an IAM role.</p>
<h2 id="1preparations">1. Preparations</h2>
<p>If you’ve just started using Managed Backup Service, create a user and configure your storage account.</p>
<h2 id="2addingthes3storageinthembsconsole">2. Adding the S3 storage in the MBS console</h2>
<p>Log in to your MBS console, then under the <strong>Storage account</strong> section click the <strong>Add Account</strong> button.</p>
<p><img src="/content/images/41da9da6-cf48-43c6-b188-87f90b3dc50e.png" alt="" /></p>
<p>In the pop-up window select <strong>Amazon S3 Cloud Storage</strong> and proceed with configuring your account.</p>
<p><img src="/content/images/7a9545bb-58ea-48e3-b43a-35a83ac97b92.png" alt="" /></p>
<p>After specifying the storage account name in the <strong>Display Name</strong> field, click the <strong>“question”</strong> button to open a help window on MBS role policies.</p>
<p><img src="/content/images/ace867e6-6f5a-4ec5-9ef1-0658cb0dacbc.png" alt="" /></p>
<p>Click the <strong>minimum required permissions</strong> link to see the policy.</p>
<p><img src="/content/images/efd6234c-2928-4bfe-8fa8-d54005ca1714.png" alt="" /></p>
<p>Do not close this window; you will need it later to finish the configuration. Open a new browser tab to continue with creating the user’s policy.</p>
<h2 id="3creatingandattachingthepolicytoaniamuserintheawsconsole">3. Creating and attaching the policy to an IAM user in the AWS console</h2>
<p>The next step is to go to your AWS account and attach the policy to the user you are going to use for the backup.
Log in to your AWS account and go to the <strong>IAM (Identity and Access Management)</strong> section.</p>
<p><img src="/content/images/5f23bfb8-0208-4c6a-9be8-f159117bc15c.png" alt="" /></p>
<p>Choose the needed user.</p>
<p><img src="/content/images/de69b70d-148d-45cb-906c-87898d75371a.png" alt="" /></p>
<p>Click on the user to start editing the settings. The blue <strong>Add permissions</strong> button opens a window where you can create a new policy for that user.</p>
<p><img src="/content/images/8b621cf5-bff0-4b04-99c0-d08692a35846.png" alt="" /></p>
<p>By selecting <strong>Attach existing policies directly</strong>, you get a list of predefined policies. Click the <strong>“Create policy”</strong> button to create a new one, which will be attached to this user for the Managed Backup Service.</p>
<p><img src="/content/images/90eade23-c513-449a-b7f7-fe07a9ff7eee.png" alt="" /></p>
<p>In the Create policy window, switch to the <strong>JSON format</strong>. You will see a default policy.</p>
<p><img src="/content/images/b05a3b75-2ed6-41c2-9b63-a94b612a07fa.png" alt="" /></p>
<p>Now go back to your MBS portal, copy the permissions from <strong>step 2</strong>, and use them to replace the default ones in the AWS account.</p>
<pre><code>{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:PutRolePolicy",
        "iam:CreateRole",
        "iam:GetRole",
        "s3:ListAllMyBuckets"
      ],
      "Resource": "*",
      "Condition": {}
    }
  ]
}
</code></pre>
<p><img src="/content/images/61c1ff1a-090d-47de-a898-0ebc7c4f18af.png" alt="" /></p>
<p>Now, click the <strong>Preview policy</strong> button.</p>
<p><img src="/content/images/090bb536-eb99-4d5c-858e-74e9309dc45d.png" alt="" /></p>
<p>Give your policy a name and proceed with the <strong>Create policy</strong> button. Any comments in the Description field are optional. If everything was done precisely, you will see a message that your policy has been created.
</p>
<p><img src="/content/images/a148a88b-7f06-4114-bead-89eed0b1dbe3.png" alt="" /></p>
<p>You can now go back to the <strong>Users tab</strong> and attach this policy to your user. Some browsers may have opened a new tab for creating the policy in the AWS account. Check that you still have the <strong>Users tab</strong> open and close the one used for policy creation. If everything was done correctly, you will have the following tab open.</p>
<p><img src="/content/images/2cd53300-0f98-46a0-80aa-033e54357b4d.png" alt="" /></p>
<p>This time, all you need to do is refresh the list of policies and type your policy’s name in the search field.</p>
<p><img src="/content/images/761bca03-6c73-40a8-b38c-e1f649109c14.png" alt="" /></p>
<p>Switch to the MBS portal, where the pop-up window with the Storage account settings is still open, and specify the <strong>Access Key</strong> and <strong>Secret Key</strong> of the IAM user that has the policy attached. You might need to click the <strong>“question”</strong> button again to make the help pop-up window disappear.</p>
<p><img src="/content/images/8f48ffc4-dac7-4161-bf2c-ced6208f100f.png" alt="" /></p>
<p>Once the credentials are entered, click the <strong>Save</strong> button and proceed with selecting a <strong>Destination bucket</strong> for your backups. You can choose an existing bucket or create a new one.</p>
<p><img src="/content/images/86245573-17db-433f-93db-7e98d5c2d828.png" alt="" /></p>
<p>After specifying a <strong>Destination bucket</strong>, you can add this destination to all your existing MBS users or only to a few of them, as you choose.</p>
<p><img src="/content/images/30420a2c-0884-4993-86ce-480c8c974bbd.png" alt="" /></p>
<p>Now you are ready to start your first backup job.
</p>
<p>Feel free to contact us should you need any assistance.</p>
<hr />
<center>
<p>Contact Us</p>
<p><strong>Tech questions</strong>: <a href="mailto:tech@cloudberrylab.com">tech@cloudberrylab.com</a></p>
<p><strong>Sales questions</strong>: <a href="mailto:sales@cloudberrylab.com">sales@cloudberrylab.com</a></p>
</center>
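<p>The policy pasted in step 3 allows <code>iam:CreateRole</code> and <code>iam:PutRolePolicy</code> on <code>"Resource": "*"</code>, so it is worth reviewing before attaching it to a long-lived access key. The script below is an added example, not part of the original guide or CloudBerry's own code: it flags IAM write actions allowed on every resource and builds a variant in which the <code>iam:</code> actions apply to a single role. Assumptions: the role ARN is a placeholder because the page does not name the role MBS creates, and the page does not state whether MBS works with the narrowed policy, so test it before relying on it.</p>

```python
import json

# Policy from step 3 of this page, embedded so the example runs offline.
MBS_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Action": ["iam:PutRolePolicy", "iam:CreateRole", "iam:GetRole", "s3:ListAllMyBuckets"],
  "Resource": "*", "Condition": {}}]}
""")
# Placeholder ARN (assumption): the page does not name the role MBS creates.
EXAMPLE_ROLE_ARN = "arn:aws:iam::123456789012:role/EXAMPLE-MBS-ROLE"

def _as_list(value):
    # IAM accepts either a single value or a list for Statement, Action and Resource.
    return list(value) if isinstance(value, list) else [value]

def is_iam_write(action):
    # Simplification for this example: every iam: action that is not Get*/List*,
    # and the bare "*" wildcard, is treated as able to change IAM state.
    service, _, verb = action.lower().partition(":")
    return service == "*" or (service == "iam" and not verb.startswith(("get", "list")))

def audit(policy):
    """Return (statement index, actions) for IAM writes allowed on Resource "*"."""
    findings = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow" or "*" not in _as_list(stmt.get("Resource", [])):
            continue
        writes = [a for a in _as_list(stmt.get("Action", [])) if is_iam_write(a)]
        if writes:
            findings.append((i, writes))
    return findings

def scope_iam_actions(policy, role_arn):
    """Return a copy in which wildcard-resource iam: actions apply only to role_arn."""
    scoped = {"Version": policy["Version"], "Statement": []}
    for stmt in _as_list(policy["Statement"]):
        actions = _as_list(stmt.get("Action", []))
        iam = [a for a in actions if a.lower().startswith("iam:")]
        if stmt.get("Effect") != "Allow" or not iam or "*" not in _as_list(stmt.get("Resource", [])):
            scoped["Statement"].append(dict(stmt))  # Deny/NotAction/scoped statements stay as-is
            continue
        scoped["Statement"].append({**stmt, "Action": iam, "Resource": role_arn})
        other = [a for a in actions if a not in iam]
        if other:  # e.g. s3:ListAllMyBuckets keeps the original resource
            scoped["Statement"].append({**stmt, "Action": other})
    return scoped

if __name__ == "__main__":
    print(audit(MBS_POLICY))
    print(json.dumps(scope_iam_actions(MBS_POLICY, EXAMPLE_ROLE_ARN), indent=2))
```

<p>Run against the page's policy, the audit reports statement 0 for <code>iam:PutRolePolicy</code> and <code>iam:CreateRole</code>; the narrowed policy produces no findings.</p>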