Required minimal AWS permissions/roles for CPM operation



You can apply all the required roles by using the JSON files inside the archive attached to this article (including the new permissions required for v4.0 and up).
Note that for some editions there is more than one JSON file.
If you are using FLR or Copy to S3 in the same account as the N2WS server, then due to AWS changes you will need to add self-trust to the role.

How to add permissions:
1. Go to the IAM Console: https://console.aws.amazon.com/iam/home
2. Go to 'Policies'.
3. Click 'Create policy'.
4. Click 'JSON', then delete the content and replace it with the JSON from the minimal permissions zip.
   It is important to use Notepad to open the JSON file, so that when you copy and paste its contents you do not add any formatting characters.
   Failure to do this can cause syntax errors when saving the policy, and other issues.
5. Click 'Next', select a policy name and click 'Create policy'.
6. You will need to create a policy for each extra JSON file needed for your edition.
7. Once all policies are created, go to 'Roles' and click on the role used by the N2WS server.
8. Open the 'Permissions' tab and click 'Attach policies'.
9. Search for the policies you've created and add them by checking the box next to them, then click 'Add Permissions'.
  
For accounts that authenticate by assuming a role:
You will also need to add a trust relationship to the target role, to allow the source role to assume it.
Please check this document for the procedure for establishing trust: https://docs.aws.amazon.com/cli/latest/userguide/cli-roles.html#cli-role-prepare

KMS:
A different set of KMS-related permissions is required for admin and non-admin users.
If you are an admin user, ListAliases and ListKeys are enough.

Other users need these minimum KMS permissions:
- For backup and DR:
  "kms:CreateGrant",
  "kms:DescribeKey",
  "kms:GenerateDataKeyWithoutPlaintext",
  "kms:GenerateDataKeyPairWithoutPlaintext",
  "kms:ListAliases",
  "kms:ListKeys"

- For recovery:
  "kms:DescribeKey",
  "kms:ListAliases",
  "kms:ListKeys",
  "kms:ReEncryptFrom",
  "kms:ReEncryptTo"
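
An added example, not part of the original article or the N2WS archive: a Python check to run on a policy JSON file before pasting it in step 4. It reports non-ASCII formatting characters of the kind the note under step 4 warns about, and lists which of the KMS actions above are not covered by any Allow statement. The function names and the sample policy are assumptions made for this example.

```python
import json
from fnmatch import fnmatchcase

# KMS actions this article lists for non-admin users.
REQUIRED_KMS = {
    "backup_dr": {"kms:CreateGrant", "kms:DescribeKey",
                  "kms:GenerateDataKeyWithoutPlaintext",
                  "kms:GenerateDataKeyPairWithoutPlaintext",
                  "kms:ListAliases", "kms:ListKeys"},
    "recovery": {"kms:DescribeKey", "kms:ListAliases", "kms:ListKeys",
                 "kms:ReEncryptFrom", "kms:ReEncryptTo"},
}

# Constructed sample policy, not one of the N2WS JSON files.
SAMPLE_POLICY = """{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": ["kms:List*", "kms:DescribeKey", "kms:CreateGrant"],
    "Resource": "*"
  }
}"""

def _as_list(value):
    # IAM accepts either a single value or a list for Statement and Action.
    return value if isinstance(value, list) else [value]

def formatting_problems(text):
    """Return (line, column, char) for each non-ASCII character (BOM, curly quotes...)."""
    return [(ln, col, ch)
            for ln, line in enumerate(text.splitlines(), 1)
            for col, ch in enumerate(line, 1) if ord(ch) > 127]

def missing_kms_actions(policy_text, use_case):
    """Return the required KMS actions that no Allow statement grants.
    Action names are matched case-insensitively with IAM-style * and ? wildcards;
    Deny, NotAction, Resource and Condition are not evaluated."""
    policy = json.loads(policy_text)  # raises ValueError on a syntax error
    granted = [action.lower()
               for stmt in _as_list(policy.get("Statement", []))
               if stmt.get("Effect") == "Allow"
               for action in _as_list(stmt.get("Action", []))]
    return sorted(req for req in REQUIRED_KMS[use_case]
                  if not any(fnmatchcase(req.lower(), pat) for pat in granted))

if __name__ == "__main__":
    print("formatting problems:", formatting_problems(SAMPLE_POLICY))
    for case in REQUIRED_KMS:
        print(case, "missing:", missing_kms_actions(SAMPLE_POLICY, case))
```

A non-empty result from formatting_problems means the file picked up characters that should be removed before the policy is saved; a non-empty result from missing_kms_actions names the actions still to be added for that use case.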




