Solved

Permissions for DynamoDB backups in Additional Accounts

  • 30 November 2021
  • 9 replies
  • 69 views

Userlevel 1
Badge +8

Good morning!

We are trying to set up DynamoDB backups for additional accounts within an organization.  We have the EC2 instances backing up using STS Assume Roles.  Do we need to add the DynamoDB permissions to that assume role?  Do we need permissions added to the top level VSA as well?  Is the best practice to provide access a different way?  Can we even use the assume role?

Thanks!


Best answer by Mike Struening 24 January 2022, 21:39


9 replies

Userlevel 7
Badge +23

@Melissa Adams , thanks for the question!

Have you looked at the json files here?

https://documentation.commvault.com/11.24/expert/30960_amazon_web_services_user_permissions_for_backups_and_restores.html

Not sure if this is directly applicable for what you need (and if not, let me know and I’ll track it down for you).

 

Userlevel 1
Badge +8

@Mike Struening  yes we’ve used that.  I just need to know how/where to apply when backing up databases in additional accounts when our CV infrastructure is in the parent account.  With EC2 we are using Assume Roles.  Do we use this same process for databases?

Userlevel 2
Badge +5

@Melissa Adams , 

Do you have the DynamoDB and EC2 proxy (access node) in different accounts?

 

With DynamoDB and EC2 proxy in different accounts: During DynamoDB instance creation, the role ARN needs to be provided in the instance details for authentication. This is the ARN of a role present in the same account as DynamoDB. DynamoDB permissions need to be associated with the policy attached to this role. The policy attached to the role associated with the EC2 proxy does not need to have DynamoDB permissions.

 

Regards,

Meera

Userlevel 1
Badge +8

@Meera  you are correct.  The Proxy is in a different account.  This is the answer I needed!

Thank you!

Userlevel 1
Badge +8

@Meera we are having a heck of a time getting this to work.  Can you verify that it is supported?  I cannot find anything in documentation for DynamoDB that supports this.

Thanks

Melissa

Userlevel 7
Badge +23

@Meera , @Melissa Adams  I unmarked this as answered until Meera can respond and you confirm everything works :thinking:

Userlevel 2
Badge +5

Hi Melissa,

What is the feature release version on client and commserve? Could you also share details of error - is it during dynamo instance creation or backup? If it is during instance creation, what is the error in cvd.log of access node?

 

Regards,

Meera

Userlevel 1
Badge +8

@Meera  So we switched from using the assume role method and created a user with the correct DynamoDB policy attached.  This seems to work.  In reviewing Books Online, it doesn’t actually say we can use the assume role for anything other than EC2.  The roadblock we are now having has to do with encryption and the user being able to decrypt the KMS key.  We do have a ticket open - 211202-623.  They are on the latest HF for 11.24.  We added some KMS permissions but no luck.  I’m hoping support/dev can help us.

Userlevel 7
Badge +23

Sharing the solution:

Looks like some permission is not granted.
AWSKMSException: The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access. (Service: AWSKMS; Status Code: 400; Error Code: AccessDeniedException; Request ID: <ID>; Proxy: null)"}] resp-size:[417]

Customer will add KMS permissions to the backup user.
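As an added example (not code from this thread or from Commvault), here are the two IAM documents Meera's cross-account setup implies, a trust policy on the role in the DynamoDB account so the access-node role can assume it, and a permissions policy carrying the DynamoDB actions plus the KMS grant that the final AccessDeniedException was missing, together with an offline check that a policy actually covers the actions a backup needs. Account IDs, role names, the key ARN and the action list are assumed placeholders; take the real action list from the Commvault permissions document linked above. The checker only evaluates Allow action patterns, not Deny statements, Resource or Condition.

```python
import fnmatch

PROXY_ACCOUNT = "111111111111"  # placeholder: account holding the Commvault access node
DATA_ACCOUNT = "222222222222"   # placeholder: account holding the DynamoDB tables

# Trust policy on the role in DATA_ACCOUNT: only the access-node role may assume it.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{PROXY_ACCOUNT}:role/CommvaultAccessNodeRole"},
        "Action": "sts:AssumeRole",
    }],
}

# Permissions policy attached to that same role (assumed action list, scoped to the
# table-encryption key rather than "*" so the role cannot decrypt with other keys).
PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["dynamodb:ListTables", "dynamodb:DescribeTable",
                    "dynamodb:CreateBackup", "dynamodb:ListBackups",
                    "dynamodb:DescribeBackup", "dynamodb:RestoreTableFromBackup"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["kms:Decrypt", "kms:DescribeKey"],
         "Resource": f"arn:aws:kms:us-east-1:{DATA_ACCOUNT}:key/PLACEHOLDER-KEY-ID"},
    ],
}


def granted_actions(policy):
    """Action patterns granted by the policy's Allow statements ("dynamodb:*" style wildcards kept)."""
    patterns = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        actions = st["Action"]
        patterns.extend([actions] if isinstance(actions, str) else actions)
    return patterns


def missing_actions(policy, required):
    """Required actions that no Allow statement matches; IAM '*' and '?' wildcards honoured."""
    granted = granted_actions(policy)
    return sorted(a for a in required
                  if not any(fnmatch.fnmatchcase(a, g) for g in granted))


# Minimal set a backup of a KMS-encrypted table would exercise (assumed, not Commvault's list).
REQUIRED = ["dynamodb:ListTables", "dynamodb:CreateBackup", "kms:Decrypt"]
```

Run `missing_actions(PERMISSIONS_POLICY, REQUIRED)` before attaching the policy; an empty list means every required action is covered, while a policy lacking the KMS statement reports `["kms:Decrypt"]`, which is the gap the thread ended on.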
