EC2 Instance Restore: "You are not authorized to perform this operation"

3

Hi There,

We currently back up multiple Linux and Windows EC2 instances to the default vault using the Daily-35day-Retention template.
So far all backups have been successful.

Our problem is with restores. When attempting to restore an instance we receive the error "You are not authorized to perform this operation. Please consult the permissions associated with your AWS Backup role(s), and refer to the AWS Backup documentation for more details."
On the restore job we are using the Default role and leaving all IAM roles, security groups, subnets and VPC identical to the original Instance.
I can see from the IAM dashboard that the AWSBackupDefaultServiceRole role has both the AWSBackupServiceRolePolicyForBackup and AWSBackupServiceRolePolicyForRestores permission policies assigned and sporting the same permissions as stated in the documentation.

All the permissions seem to be correct, and we are not using any custom role for this so I am confused on where this is failing.

LiamMc
asked 3 years ago, 7001 views
6 answers
3
Accepted answer

If the instance has a role attached, then the role doing the restore also needs rights to iam:PassRole.

Here are the details
https://aws.amazon.com/premiumsupport/knowledge-center/aws-backup-encoded-authorization-failure/

Or just add the following to the role that is doing the restore.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::111122223333:role/*",
            "Effect": "Allow"
        }
    ]
}

I hope this helps someone.

answered 3 years ago
  • There seems to be a typo with extra \ at the start of the statement.

  • This resolves my issue. You just remove the extra character "" before the opening bracket.

0

I have the same issue, yay. I've an instance profile connected to the instance I'm trying to restore, thought that may be the issue so added a new policy to that role to no avail.

BigAl
answered 3 years ago
0

Sorry to hear you have the same issue.

I'm currently working around it by simply having a new role for restores.
In IAM I created a new role and assigned it the same permissions as the default account and for some reason that works.

IAM -> Create Role -> AWS Backup (use case) -> "AWSBackupServiceRolePolicyForBackup" and "AWSBackupServiceRolePolicyForRestores"
When doing an instance restore I then select this new role at the "Restore role" part

LiamMc
answered 3 years ago
0

Yes (sorry, very late response from me), but I used a PassRole policy and attached it to the default AWSBackup role and it got around the problem for me. Cheers folks.

BigAl
answered 3 years ago
0

Thank you for the inline policy to add, this solved the issue.
My previous workaround using a new Role with just AWSBackupServiceRolePolicyForBackup and AWSBackupServiceRolePolicyForRestores policies did work, but only for my Windows Instances, not the Linux ones.

For anyone new to AWS like I was:

  1. Go to IAM
  2. Select Roles
  3. Select AWSBackupDefaultServiceRole (or a custom role if you made one earlier)
  4. Select Add Inline Policy
  5. On the JSON tab replace the contents with the code in the ScottJones post above excluding the ''' lines
  6. Save and name the policy, it will now be listed in the policies list for the Role
LiamMc
answered 3 years ago
0

If you are using any SCPs that enforce tagging on EC2, you will need to disable that when doing a restore. The decoded message (thanks https://aws.amazon.com/premiumsupport/knowledge-center/aws-backup-encoded-authorization-failure/) showed it was failing on tags that were missing. Perhaps you can do it via User Data, but I just temporarily detached the SCP from the OU, ran the restore, then re-attached it...

answered 3 years ago
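The accepted answer's `iam:PassRole` policy and the SCP answer above both come down to the same thing: a restore is really two calls made by the restore role, `iam:PassRole` for the instance profile role and then `ec2:RunInstances`, and either can fail an IAM or SCP check. The example below is added here and is not code from the thread or from AWS. It is a small, deliberately simplified model of IAM evaluation (explicit Deny wins, then an Allow in an identity policy, otherwise implicit deny; SCPs treated as deny-only filters on the assumption that the default FullAWSAccess SCP is attached; no permissions boundaries or resource policies) used to show three things: why the managed restore permissions alone give an implicit deny on `iam:PassRole`, why the `role/*` resource in the accepted answer lets the backup role pass any role in the account to EC2, and how scoping the resource to the instance profile role and adding the `iam:PassedToService` condition keeps the restore working while closing that. It also models a tag-enforcing SCP of the kind the last answer hit. All ARNs, role names, the tag key and the stand-in for the managed restore policy are hypothetical.

```python
"""Added example (not from the original thread): a toy IAM evaluator for the
two calls an EC2 restore makes. Simplified: Deny anywhere wins, then any Allow
in an identity policy, else implicit deny; SCPs are deny-only filters (assumes
the default FullAWSAccess SCP is attached); '*'/'?' wildcards, StringEquals and
Null conditions only. Every ARN, role name and tag key below is hypothetical."""
import fnmatch
import json

ACCOUNT = "111122223333"  # same account id as the policy in the accepted answer
INSTANCE_ROLE = f"arn:aws:iam::{ACCOUNT}:role/WebServerInstanceRole"   # hypothetical
ADMIN_ROLE = f"arn:aws:iam::{ACCOUNT}:role/AccountAdmin"               # hypothetical
INSTANCE_ARN = f"arn:aws:ec2:eu-west-1:{ACCOUNT}:instance/i-0123456789abcdef0"

# Stand-in for what the managed restore policy grants (NOT the real
# AWSBackupServiceRolePolicyForRestores): it can launch instances but says
# nothing about iam:PassRole.
RESTORE_STANDIN = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:RunInstances", "ec2:CreateTags"], "Resource": "*"}]}

# The inline policy from the accepted answer: any role in the account.
PASSROLE_BROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iam:PassRole",
     "Resource": f"arn:aws:iam::{ACCOUNT}:role/*"}]}

# Least-privilege alternative: only the instance profile role(s), only to EC2.
PASSROLE_SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": INSTANCE_ROLE,
     "Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}}}]}

# Constructed tag-enforcing SCP: deny a launch unless the request carries an Owner tag.
TAG_SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "ec2:RunInstances",
     "Resource": "arn:aws:ec2:*:*:instance/*",
     "Condition": {"Null": {"aws:RequestTag/Owner": "true"}}}]}


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _match(patterns, value):
    # IAM's '*' and '?' wildcards map onto fnmatch; '[' never occurs in these ARNs/actions.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_ok(condition, ctx):
    for operator, checks in condition.items():
        for key, expected in checks.items():
            actual = ctx.get(key)
            if operator == "StringEquals":
                if actual is None or actual not in _as_list(expected):
                    return False
            elif operator == "Null":
                # "Null": {"k": "true"} is satisfied when key k is absent from the request.
                if (actual is None) != (str(expected).lower() == "true"):
                    return False
            else:
                raise NotImplementedError(f"condition operator {operator}")
    return True


def _applies(stmt, action, resource, ctx):
    return (_match(stmt["Action"], action)
            and _match(stmt.get("Resource", "*"), resource)
            and _condition_ok(stmt.get("Condition", {}), ctx))


def evaluate(identity_policies, action, resource, ctx=None, scps=()):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request.
    ctx holds the condition keys present on the request, e.g. iam:PassedToService."""
    ctx = ctx or {}
    for doc in scps:                       # SCP deny statements are checked first
        for stmt in doc["Statement"]:
            if stmt["Effect"] == "Deny" and _applies(stmt, action, resource, ctx):
                return "ExplicitDeny"
    allowed = False
    for doc in identity_policies:
        for stmt in doc["Statement"]:
            if not _applies(stmt, action, resource, ctx):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


def restore_scenarios():
    """Model the restore of an instance that has an instance profile: the restore
    role must pass the profile's role to EC2, then call ec2:RunInstances."""
    to_ec2 = {"iam:PassedToService": "ec2.amazonaws.com"}
    to_lambda = {"iam:PassedToService": "lambda.amazonaws.com"}
    return {
        "default_role":         evaluate([RESTORE_STANDIN], "iam:PassRole", INSTANCE_ROLE, to_ec2),
        "broad_instance_role":  evaluate([RESTORE_STANDIN, PASSROLE_BROAD], "iam:PassRole", INSTANCE_ROLE, to_ec2),
        "broad_admin_role":     evaluate([RESTORE_STANDIN, PASSROLE_BROAD], "iam:PassRole", ADMIN_ROLE, to_ec2),
        "scoped_instance_role": evaluate([RESTORE_STANDIN, PASSROLE_SCOPED], "iam:PassRole", INSTANCE_ROLE, to_ec2),
        "scoped_admin_role":    evaluate([RESTORE_STANDIN, PASSROLE_SCOPED], "iam:PassRole", ADMIN_ROLE, to_ec2),
        "scoped_to_lambda":     evaluate([RESTORE_STANDIN, PASSROLE_SCOPED], "iam:PassRole", INSTANCE_ROLE, to_lambda),
        "scp_untagged_launch":  evaluate([RESTORE_STANDIN], "ec2:RunInstances", INSTANCE_ARN, {}, scps=[TAG_SCP]),
        "scp_tagged_launch":    evaluate([RESTORE_STANDIN], "ec2:RunInstances", INSTANCE_ARN,
                                         {"aws:RequestTag/Owner": "backup-restore"}, scps=[TAG_SCP]),
    }


if __name__ == "__main__":
    print(json.dumps(restore_scenarios(), indent=2))
```

Running it shows `default_role` as an implicit deny (the error in the question), both `broad_*` cases allowed (the accepted answer works, but the backup role can now hand the hypothetical AccountAdmin role to any instance it launches), the scoped policy allowing only the instance profile role and only when the recipient is EC2, and the constructed SCP denying the launch until the request carries the tag. Before touching policies on a real account, decode the actual failure with `aws sts decode-authorization-message --encoded-message <message>` (the knowledge-center article linked in the thread walks through this); the decoded message names the action, resource and condition keys that were evaluated, which is how the last answer found it was the tag condition rather than PassRole.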
