SQL Server restore from backup is failing

0

Hi,

I'm trying to restore my small (under 1GB) database:

exec msdb.dbo.rds_restore_database
@restore_db_name='KlionskyDB',
@s3_arn_to_restore_from='arn:aws:s3:::amazon-klionsky-org-db/DB_29907_kliondb2017_backup_2021_05_24.bak'

but getting the same error right away:

[2021-05-25 05:34:22.140] Aborted the task because of a task failure or a concurrent RESTORE_DB request.
[2021-05-25 05:34:22.400] Task has been aborted
[2021-05-25 05:34:22.407] Error making request with Error Code Forbidden and Http Status Code Forbidden. No further error information was returned by the service.

Please help!
Daniel

asked 3 years ago, 4405 views
3 Answers
1
Accepted Answer

Thank you for the response :)

So, RDS needs permissions to access your S3 bucket to upload and download database backups. To provide this access to RDS, you can do one of two things. You can provide your own AWS Identity and Access Management (IAM) role—this approach comes in handy when you already have an IAM role that contains a bucket where you want RDS to place backups or retrieve backups from. Or you can let RDS set up an IAM role for you in the background by providing the necessary information.

As per my previous message: "How to restore your backup:
https://aws.amazon.com/blogs/database/migrating-microsoft-sql-server-enterprise-workloads-to-amazon-rds-part-1/
it contains all the detailed steps"
Have a look at the above link Migrating Microsoft SQL Server Enterprise Workloads to Amazon RDS.

The S3 bucket does not have to be public but the IAM role that will be used by the SQLSERVER_BACKUP_RESTORE option group needs to have access to the bucket. See step 5 in the above link.

I hope this helps! Feel free to reach out if you have any questions.

naz97
answered 3 years ago
EXPERT
reviewed 3 months ago
EXPERT
reviewed 6 months ago
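
The check described in the accepted answer can be run offline against policy JSON. This added example (not from the original posts and not AWS code) reports which S3 permissions a role policy lacks for the backup ARN in the question, and whether a bucket policy grants access to everyone; the required-action list and the sample policy are assumptions.

```python
import fnmatch

# Assumption: minimum S3 actions for a restore, per the AWS native backup and
# restore guide. Bucket-level actions apply to the bucket ARN, s3:GetObject to
# the object ARN. Condition, NotAction and NotResource are not evaluated here.
BUCKET_ACTIONS = ("s3:GetBucketLocation", "s3:ListBucket")
OBJECT_ACTIONS = ("s3:GetObject",)

# Constructed sample: grants object access but no bucket-level actions.
SAMPLE_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:PutObject"],
    "Resource": "arn:aws:s3:::amazon-klionsky-org-db/*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _allows(policy, action, resource):
    """True if an Allow statement matches and no Deny statement does."""
    allowed = False
    for stmt in _as_list(policy.get("Statement", [])):
        hit = (any(fnmatch.fnmatchcase(action.lower(), a.lower())
                   for a in _as_list(stmt.get("Action", [])))
               and any(fnmatch.fnmatchcase(resource, r)
                       for r in _as_list(stmt.get("Resource", []))))
        if hit and stmt.get("Effect") == "Deny":
            return False  # an explicit Deny always wins
        allowed = allowed or (hit and stmt.get("Effect") == "Allow")
    return allowed


def missing_for_restore(role_policy, backup_arn):
    """Return the (action, resource) pairs the role policy does not grant."""
    bucket_arn = backup_arn.split("/", 1)[0]
    needed = [(a, bucket_arn) for a in BUCKET_ACTIONS]
    needed += [(a, backup_arn) for a in OBJECT_ACTIONS]
    return [(a, r) for a, r in needed if not _allows(role_policy, a, r)]


def is_public(bucket_policy):
    """True if an Allow statement in the bucket policy names principal "*"."""
    for stmt in _as_list(bucket_policy.get("Statement", [])):
        who = stmt.get("Principal")
        aws = _as_list(who.get("AWS", [])) if isinstance(who, dict) else []
        if stmt.get("Effect") == "Allow" and (who == "*" or "*" in aws):
            return True
    return False
```
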
0

Hi DanielAT2021

Thank you for reaching out :)

First, could you please confirm that you are not hitting one of the limitations here - Importing and exporting SQL Server databases - Limitations and recommendations: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/SQLServer.Procedural.Importing.html#SQLServer.Procedural.Importing.Native.Limitations

To troubleshoot the HTTP 403 Forbidden error from the Amazon S3 console, please check the following:

1. Missing permissions to s3:PutObject or s3:PutObjectAcl  

Verify that the AWS Identity and Access Management (IAM) user or role that you're using has permissions for the s3:PutObject action on the bucket. Without this permission, you get an HTTP 403 Forbidden error.

2. Missing permissions to use an AWS Key Management Service (AWS KMS) key  

If you are using AWS KMS, you must have the permissions to use the key. Please see the link below to grant permission:
https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-modifying.html#key-policy-modifying-how-to

3. Explicit deny statement in the bucket policy   

Review the bucket policy for any statements that explicitly deny ("Effect": "Deny") permission for s3:PutObject unless certain conditions are met. Verify that your action meets the bucket policy requirements for access to the s3:PutObject action.

4. Bucket access control list (ACL) doesn't allow the AWS account root user to write objects  

You can check your Bucket ACLs by using the guide in the following link:
https://docs.aws.amazon.com/AmazonS3/latest/userguide/managing-acls.html

5. AWS Organizations service control policy doesn't allow access to Amazon S3  

If you're using AWS Organizations, then check the following link on service control policies:
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html#orgs_manage_policies_scp

Additionally, I have provided more resources:
For more troubleshooting options:
https://aws.amazon.com/premiumsupport/knowledge-center/s3-troubleshoot-403/

How to restore your backup (it contains all the detailed steps):
https://aws.amazon.com/blogs/database/migrating-microsoft-sql-server-enterprise-workloads-to-amazon-rds-part-1/

I hope this helps!

naz97
answered 3 years ago
0

Thank you for your suggestions, naz97.

I had to make S3 access public in order to make it work.
Is that the correct solution?

Edited by: DanielAT2021 on May 25, 2021 8:57 AM

answered 3 years ago
