Comments (9)
crino85
commented on June 15, 2024
I checked the IAM role and it looks fine:
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "rds:DescribeDbSnapshots", "rds:CopyDbSnapshot", "rds:DeleteDbSnapshot", "rds:DeleteDbClusterSnapshot", "rds:DescribeDbClusters", "rds:DescribeDbClusterSnapshots", "rds:CopyDBClusterSnapshot" ], "Resource": [ "*" ], "Effect": "Allow" }, { "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents" ], "Resource": [ "arn:aws:logs:*:*:*" ], "Effect": "Allow" }, { "Action": [ "kms:Create*", "kms:DescribeKey" ], "Resource": [ "arn:aws:kms:region:account:key/key_id" ], "Effect": "Allow" } ] }
from aws-maintenance.
pbudzon
commented on June 15, 2024
Hi @crino85
That's interesting... did you modify the template or lambda in any way?
Are you using KMS encryption on the snapshots? Is the key_id in the role the correct key that's used to encrypt the TARGET snapshots (i.e. the copied snapshots in the target region)?
from aws-maintenance.
crino85
commented on June 15, 2024
I'm not using any template. I copied the backup-rds.py file code in the lambda code. I only did the below changes:
SOURCE_REGION = os.environ.get('us-east-1') TARGET_REGION = os.environ.get('us-west-2') KMS_KEY_ID = os.environ.get('arn:aws:kms:us-west-2:<account_id>:key/<target_kms_id')
I also checked the IAM policy attached to the role which executes the lambda and it looks fine:
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "rds:DescribeDbSnapshots", "rds:CopyDbSnapshot", "rds:DeleteDbSnapshot", "rds:DeleteDbClusterSnapshot", "rds:DescribeDbClusters", "rds:DescribeDbClusterSnapshots", "rds:CopyDBClusterSnapshot" ], "Resource": [ "*" ], "Effect": "Allow" }, { "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents" ], "Resource": [ "arn:aws:logs:*:*:*" ], "Effect": "Allow" }, { "Action": [ "kms:Create*", "kms:DescribeKey" ], "Resource": [ "arn:aws:kms:us-west-2:<account_id>:key/<target_region_kms_key" ], "Effect": "Allow" } ] }
The thing is following the CloudFormation tutorial it worked fine but as I want to use Terraform I only wanted to have the Lambda function code. I cannot find where the error is...
Thanks,
Carlos
from aws-maintenance.
crino85
commented on June 15, 2024
Also I don't like this in the step before failing:
Checking if 'swat-rds-prd-None-rds-swat-rds-prd-2020-04-06-02-04' exists in target region
is not taking the region and it puts None?
from aws-maintenance.
pbudzon
commented on June 15, 2024
@crino85
The issue is in your modification here:
SOURCE_REGION = os.environ.get('us-east-1')
TARGET_REGION = os.environ.get('us-west-2')
KMS_KEY_ID = os.environ.get('arn:aws:kms:us-west-2:<account_id>:key/<target_kms_id')
os.envrion.get() is a python call to get an environment variable of the provided name. Since you're simply trying to provide a static value, you need just:
SOURCE_REGION = 'us-east-1'
TARGET_REGION = 'us-west-2'
KMS_KEY_ID = 'arn:aws:kms:us-west-2:<account_id>:key/<key_id>'
from aws-maintenance.
crino85
commented on June 15, 2024
YEAH! You made my day! Thanks!
from aws-maintenance.
crino85
commented on June 15, 2024
last question, would this approach also work for different AWS accounts but same region?
from aws-maintenance.
pbudzon
commented on June 15, 2024
Yes, as long as the account ids and regions in IAM policy and Lambda settings are correct, it will work in any account in any region.
from aws-maintenance.
crino85
commented on June 15, 2024
cool, thanks, I will test it!
from aws-maintenance.
Related Issues (15)
- Retention Policy for the Snapshots HOT 2
- Error In Cross Copy HOT 3
- KMSKeyNotAccessibleFault HOT 5
- Issues with snapshots deleting HOT 1
- Resource import error HOT 2
- Cross Region RDS Backup Copy CFN Not working HOT 3
- RDS-SnapshotQuotaExceeded HOT 1
- RDS-snapshot: Trigger with Event Bridge + cron failed
- Lambda function is triggered but fails HOT 5
- CloudFormation stack fails if created in non-source region HOT 5
- Cross-region RDS backup copy fails with encrypted snapshots HOT 3
- CF creation fails with new instructions HOT 6
- Issue in taking snapshot HOT 2
- Aurora support HOT 7
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from aws-maintenance.