Comments (9)
I checked the IAM role and it looks fine:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "rds:DescribeDbSnapshots",
        "rds:CopyDbSnapshot",
        "rds:DeleteDbSnapshot",
        "rds:DeleteDbClusterSnapshot",
        "rds:DescribeDbClusters",
        "rds:DescribeDbClusterSnapshots",
        "rds:CopyDBClusterSnapshot"
      ],
      "Resource": [ "*" ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": [ "arn:aws:logs:*:*:*" ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "kms:Create*",
        "kms:DescribeKey"
      ],
      "Resource": [ "arn:aws:kms:region:account:key/key_id" ],
      "Effect": "Allow"
    }
  ]
}
from aws-maintenance.
Hi @crino85
That's interesting... did you modify the template or lambda in any way?
Are you using KMS encryption on the snapshots? Is the key_id in the role the correct key that's used to encrypt the TARGET snapshots (i.e. the copied snapshots in the target region)?
from aws-maintenance.
I'm not using any template. I copied the backup-rds.py file code in the lambda code. I only did the below changes:
SOURCE_REGION = os.environ.get('us-east-1')
TARGET_REGION = os.environ.get('us-west-2')
KMS_KEY_ID = os.environ.get('arn:aws:kms:us-west-2:<account_id>:key/<target_kms_id')
I also checked the IAM policy attached to the role which executes the lambda and it looks fine:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "rds:DescribeDbSnapshots",
        "rds:CopyDbSnapshot",
        "rds:DeleteDbSnapshot",
        "rds:DeleteDbClusterSnapshot",
        "rds:DescribeDbClusters",
        "rds:DescribeDbClusterSnapshots",
        "rds:CopyDBClusterSnapshot"
      ],
      "Resource": [ "*" ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": [ "arn:aws:logs:*:*:*" ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "kms:Create*",
        "kms:DescribeKey"
      ],
      "Resource": [ "arn:aws:kms:us-west-2:<account_id>:key/<target_region_kms_key" ],
      "Effect": "Allow"
    }
  ]
}
The thing is, following the CloudFormation tutorial it worked fine, but as I want to use Terraform I only wanted to have the Lambda function code. I cannot find where the error is...
Thanks,
Carlos
from aws-maintenance.
Also, I don't like this in the step before failing:
Checking if 'swat-rds-prd-None-rds-swat-rds-prd-2020-04-06-02-04' exists in target region
It is not taking the region and it puts None?
from aws-maintenance.
@crino85
The issue is in your modification here:
SOURCE_REGION = os.environ.get('us-east-1')
TARGET_REGION = os.environ.get('us-west-2')
KMS_KEY_ID = os.environ.get('arn:aws:kms:us-west-2:<account_id>:key/<target_kms_id')
os.environ.get() is a Python call to get an environment variable of the provided name. Since you're simply trying to provide a static value, you need just:
SOURCE_REGION = 'us-east-1'
TARGET_REGION = 'us-west-2'
KMS_KEY_ID = 'arn:aws:kms:us-west-2:<account_id>:key/<key_id>'
from aws-maintenance.
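Added example, not part of the original thread or the aws-maintenance project: a fail-fast loader for the three settings discussed above. It looks them up by variable name and rejects a missing value, so None never reaches the snapshot name. The names ConfigError, load_config and SAMPLE_ENV are hypothetical, the sample values are constructed, and it assumes KMS_KEY_ID is a full key ARN as in the thread.

```python
import os
import re

# Constructed patterns for this example: AWS region names and KMS key ARNs.
REGION_RE = re.compile(r"^[a-z]{2}(-[a-z]+)+-\d$")
KMS_ARN_RE = re.compile(
    r"^arn:aws[a-z-]*:kms:(?P<region>[a-z0-9-]+):\d{12}:key/[A-Za-z0-9-]+$")

# Constructed sample environment (account id and key id are placeholders).
SAMPLE_ENV = {
    "SOURCE_REGION": "us-east-1",
    "TARGET_REGION": "us-west-2",
    "KMS_KEY_ID": "arn:aws:kms:us-west-2:111122223333:key/"
                  "00000000-0000-0000-0000-000000000000",
}


class ConfigError(ValueError):
    """Raised when the copy job's settings are missing or inconsistent."""


def load_config(env=None):
    """Read SOURCE_REGION, TARGET_REGION and KMS_KEY_ID by variable name."""
    env = os.environ if env is None else env
    cfg = {}
    for name in ("SOURCE_REGION", "TARGET_REGION", "KMS_KEY_ID"):
        value = env.get(name)  # the argument is the variable's name, not its value
        if not value:
            raise ConfigError(f"environment variable {name} is not set")
        cfg[name] = value
    for name in ("SOURCE_REGION", "TARGET_REGION"):
        if not REGION_RE.match(cfg[name]):
            raise ConfigError(f"{name}={cfg[name]!r} is not a region name")
    arn = KMS_ARN_RE.match(cfg["KMS_KEY_ID"])
    if not arn:
        raise ConfigError("KMS_KEY_ID is not a KMS key ARN")
    # The key encrypts the copied snapshot, so it must live in the target region.
    if arn.group("region") != cfg["TARGET_REGION"]:
        raise ConfigError("KMS key region does not match TARGET_REGION")
    return cfg


if __name__ == "__main__":
    print(SAMPLE_ENV.get("us-east-1"))  # the thread's mistake: a value used as a name
    print(load_config(SAMPLE_ENV))
```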
YEAH! You made my day! Thanks!
from aws-maintenance.
Last question: would this approach also work for different AWS accounts but same region?
from aws-maintenance.
Yes, as long as the account ids and regions in IAM policy and Lambda settings are correct, it will work in any account in any region.
from aws-maintenance.
Cool, thanks, I will test it!
from aws-maintenance.