AutoBackup

Protected accounts

Protected accounts are accounts that are under backup protection.

Add new protected account (AWS)

  1. Choose "Accounts" from the navigation bar.
  2. Click the "Protect new account" button.
  3. Choose AWS from the account cloud provider list.
  4. Type your Account Name and AWS Account number and click the "Create policy document" button.
  5. Click the "Download Role Definition" button. The CloudFormation template you've downloaded needs to be deployed on your AWS account to complete onboarding. Now you can click the "Finish Account Onboarding" button.
  6. Congratulations, your account has been added.

Add new protected account (AWS China)

The process of adding a new protected account located in China is extended by an additional step: providing access keys for an IAM user. This user will be used to assume the role defined by the downloaded CloudFormation template. Therefore, the minimal permissions associated with this user should allow assuming the role.

  1. Choose "Accounts" from the navigation bar.
  2. Click the "Protect new account" button.
  3. Choose AWS China from the account cloud provider list.
  4. Type your Account Name and AWS Account number and click the "Generate policy document" button to go to the next step.
  5. Type your Access Key Id and Secret Access Key and click the "Generate policy document" button.
  6. Now you should see the download role definition option. Click the "Download Role Definition" button. The CloudFormation template you've downloaded needs to be deployed on your AWS account to complete onboarding. Now you can click the "Finish Account Onboarding" button.
  7. Congratulations, your account has been added.

Add new protected account (Azure)

  1. Choose "Accounts" from the navigation bar.
  2. Click the "Protect new account" button.
  3. Choose Azure from the account cloud provider list.
  4. Type your Account Name and Subscription Id number and click the "Next - Provide credentials" button.
  5. Type your Client Id, Client secret, and Tenant Id and click the "Finish Account Onboarding" button. The Client Id, Client secret and Tenant Id can be obtained by creating a service principal with the Contributor role (see "Create an Azure service principal").
  6. Congratulations, your account has been added.

Vault accounts

A vault account is used only for storing backup replicas. Resources contained within your vault accounts won’t be backed up.

Add new vault account (AWS)

  1. Choose "Accounts" from the navigation bar.
  2. Click the "Add Vault Account" button.
  3. Choose AWS from the account cloud provider list.
  4. Type your Account Name and AWS Account number and click the "Create policy document" button.
  5. Click the "Download Role Definition" button. The CloudFormation template you've downloaded needs to be deployed on your AWS account to complete onboarding. Now you can click the "Finish Account Onboarding" button.
  6. Congratulations, your account has been added.

Add new vault account (AWS China)

The process of adding a new vault account located in China is extended by an additional step: providing access keys for an IAM user. This user will be used to assume the role defined by the downloaded CloudFormation template. Therefore, the minimal permissions associated with this user should allow assuming the role.

  1. Choose "Accounts" from the navigation bar.
  2. Click the "Add Vault Account" button.
  3. Choose AWS China from the account cloud provider list.
  4. Type your Account Name and AWS Account number and click the "Generate policy document" button to go to the next step.
  5. Type your Access Key Id and Secret Access Key and click the "Generate policy document" button.
  6. Now you should see the download role definition option. Click the "Download Role Definition" button. The CloudFormation template you've downloaded needs to be deployed on your AWS account to complete onboarding. Now you can click the "Finish Account Onboarding" button.
  7. Congratulations, your account has been added.
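
Both AWS China procedures (protected and vault) rely on an IAM user whose permissions should only allow assuming the onboarding role. The check below is an added example, not part of AutoBackup: it reports where a user's policy document is broader or narrower than that. The account ID and role name are placeholders; the real role name comes from the downloaded CloudFormation template.

```python
import json
from fnmatch import fnmatchcase

def _as_list(value):
    """IAM accepts a single string or a list for Action and Resource."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)

def assume_role_findings(policy, role_arn):
    """List the ways `policy` differs from 'may assume role_arn and nothing else'."""
    findings, can_assume = [], False
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {i}: NotAction/NotResource allows everything except the listed items")
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        for action in actions:
            if action.lower() != "sts:assumerole":  # action names are case-insensitive
                findings.append(f"statement {i}: action {action} is not needed")
        for resource in resources:
            if resource != role_arn:
                findings.append(f"statement {i}: resource {resource} is not the onboarding role")
        # Wildcards still grant the assume-role permission, so match them as patterns.
        grants = any(fnmatchcase("sts:assumerole", a.lower()) for a in actions)
        covers = any(fnmatchcase(role_arn, r) for r in resources)
        can_assume = can_assume or (grants and covers)
    if not can_assume:
        findings.append("policy does not allow sts:AssumeRole on the onboarding role")
    return findings

# Constructed sample values: account ID and role name are placeholders.
ROLE_ARN = "arn:aws-cn:iam::123456789012:role/EXAMPLE-ONBOARDING-ROLE"
MINIMAL = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE_ARN}]}
TOO_BROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["sts:AssumeRole", "iam:*"], "Resource": "*"}]}

if __name__ == "__main__":
    for name, doc in (("minimal", MINIMAL), ("too broad", TOO_BROAD)):
        print(name, json.dumps(assume_role_findings(doc, ROLE_ARN), indent=2))
```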

Add new protected/vault account (GCP)

GCP Onboarding requirements:

  • A storage bucket in protected accounts (regional with standard storage class in Europe) with the label nordcloud-purpose: scanner.
  • A Service Account

This service account will need to be granted the following roles on the following scopes:

  • Resource: The service account itself (with enabled IAM Service Account Credentials API)
    • roles/iam.serviceAccountTokenCreator (Service Account Token Creator)
  • Project: On Vault projects (with enabled Compute Engine API)
    • roles/compute.storageAdmin (Storage Admin)
  • Project: On Protected projects (with enabled Compute Engine API)
    • roles/compute.storageAdmin (Storage Admin)
    • roles/serviceusage.serviceUsageAdmin (Service Usage Admin)
    • roles/cloudasset.viewer (Cloud Asset Viewer)
    • roles/viewer (Viewer)
  • Bucket:
    • roles/storage.objectCreator (Storage Object Creator)

Alternatively, two custom roles (instead of roles/compute.storageAdmin) can be created for Vault and Protected project bindings.

Vault Role

  • compute.disks.createSnapshot
  • compute.globalOperations.get
  • compute.images.create
  • compute.images.delete
  • compute.images.getIamPolicy
  • compute.images.setIamPolicy
  • compute.instances.get
  • compute.instances.list
  • compute.regionOperations.get
  • compute.snapshots.create
  • compute.snapshots.delete
  • compute.snapshots.get
  • compute.snapshots.setLabels
  • compute.snapshots.useReadOnly
  • compute.zoneOperations.get

Protected Role

  • compute.disks.create
  • compute.disks.createSnapshot
  • compute.disks.delete
  • compute.snapshots.create
  • compute.snapshots.delete
  • compute.snapshots.get
  • compute.snapshots.setLabels
  • compute.zoneOperations.get

Consider the following regarding the principle of least privilege:

  1. Updating the role. If the role is created at the organization level, it only needs to be updated there; however, you will also have permission to update other custom roles on the org node. If you create the role at the project level, you also need to be able to update all of them when new features are launched.
  2. Using the predefined roles gives more permissions, but those permissions are still limited to project scope and related to the purpose of AutoBackup.

Onboarding steps:

  1. Choose "Accounts" from the navigation bar.
  2. Click "Protect New Account" or "Add Vault Account", depending on which type of account you want to onboard.
  3. Choose GCP from the account cloud provider list.
  4. Type your Account Name and Project Id. Proceed to the next step by clicking "Next - Provide credentials".
  5. Upload the credentials file by clicking "Choose file", or, if you have already uploaded a keypair, select your service account from the dropdown list. Now you can click the "Finish Account Onboarding" button.
  6. Congratulations, your account has been added.
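
If you use the custom Vault and Protected roles instead of roles/compute.storageAdmin, they can drift from the lists above over time, for example when new features add permissions. The script below is an added example, not AutoBackup tooling: it builds a role body from the page's lists and compares the output of `gcloud iam roles describe --format=json` against them. The role title, role name and project ID are placeholders.

```python
import json

# Permission lists copied from the "Vault Role" and "Protected Role" sections above.
EXPECTED = {
    "vault": {
        "compute.disks.createSnapshot", "compute.globalOperations.get",
        "compute.images.create", "compute.images.delete",
        "compute.images.getIamPolicy", "compute.images.setIamPolicy",
        "compute.instances.get", "compute.instances.list",
        "compute.regionOperations.get", "compute.snapshots.create",
        "compute.snapshots.delete", "compute.snapshots.get",
        "compute.snapshots.setLabels", "compute.snapshots.useReadOnly",
        "compute.zoneOperations.get",
    },
    "protected": {
        "compute.disks.create", "compute.disks.createSnapshot",
        "compute.disks.delete", "compute.snapshots.create",
        "compute.snapshots.delete", "compute.snapshots.get",
        "compute.snapshots.setLabels", "compute.zoneOperations.get",
    },
}

def role_definition(kind):
    """Role body to save as the FILE for `gcloud iam roles create ROLE_ID --file=FILE`."""
    return {"title": f"AutoBackup {kind} role (example title)", "stage": "GA",
            "includedPermissions": sorted(EXPECTED[kind])}

def audit_role(described_role, kind):
    """Compare a described role with the documented permission list for `kind`."""
    granted = set(described_role.get("includedPermissions", []))
    missing = sorted(EXPECTED[kind] - granted)  # documented but not granted
    extra = sorted(granted - EXPECTED[kind])    # granted beyond the documented list
    return {"missing": missing, "extra": extra,
            "compliant": not missing and not extra}

# Constructed sample: a vault role that has drifted from the documented list.
DRIFTED_VAULT = {
    "name": "projects/example-project/roles/exampleVaultRole",
    "includedPermissions": sorted(
        (EXPECTED["vault"] - {"compute.snapshots.setLabels"}) | {"compute.disks.delete"}),
}

if __name__ == "__main__":
    print(json.dumps(audit_role(DRIFTED_VAULT, "vault"), indent=2))
    print(json.dumps(role_definition("protected"), indent=2))
```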

Add new protected account (IBM Cloud)

To onboard an account to AutoBackup, you must provide an API key.

Required permissions for scanning and backup process:

  • is.instance.instance.read
  • is.instance.instance.operate
  • is.volume.volume.read
  • is.volume.volume.operate
  • is.snapshot.snapshot.read
  • is.snapshot.snapshot.create
  • is.snapshot.snapshot.delete
  • global-search-tagging.tag.attach-user-tag
  • global-search-tagging.resource.read
  • resource-controller.instance.create

Onboarding steps:

  1. Choose "Accounts" from the navigation bar.
  2. Click "Protect New Account".
  3. Choose IBM CLOUD from the account cloud provider list.
  4. Type your Account Name and IBM Cloud Account Id. Proceed to the next step by clicking "Next - Provide credentials".
  5. Type your API key and click the "Finish Account Onboarding" button.
  6. Congratulations, your account has been added.