EC2 Instance Restore: "You are not authorized to perform this operation"

0

Hi There,

We currently back up multiple Linux and Windows EC2 instances to the default vault using the Daily-35day-Retention template.
So far all backups have been successful.

Our problem is with restores. When attempting to restore an instance we receive the error "You are not authorized to perform this operation. Please consult the permissions associated with your AWS Backup role(s), and refer to the AWS Backup documentation for more details."
On the restore job we are using the Default role and leaving all IAM roles, security groups, subnets and VPC identical to the original Instance.
I can see from the IAM dashboard that the AWSBackupDefaultServiceRole role has both the AWSBackupServiceRolePolicyForBackup and AWSBackupServiceRolePolicyForRestores permission policies assigned and sporting the same permissions as stated in the documentation.

All the permissions seem to be correct, and we are not using any custom role for this, so I am confused about where this is failing.

LiamMc
asked 2 years ago, 1520 views
6 Answers
1
Accepted Answer

If the instance has a role attached then the role doing the restore also needs rights to iam:PassRole.

Here are the details
https://aws.amazon.com/premiumsupport/knowledge-center/aws-backup-encoded-authorization-failure/

Or just add the following to the role that is doing the restore.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::111122223333:role/*",
            "Effect": "Allow"
        }
    ]
}
```

I hope this helps someone.

answered 2 years ago
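As an added illustration (not code from anyone in this thread): a small Python check that evaluates the posted policy against a constructed instance role ARN, next to a narrower variant that limits PassRole to that one role and to EC2, so the restore role cannot be used to pass unrelated roles. The account id, the role name and the simplified policy evaluator are assumptions made for the example.

```python
import fnmatch

# Constructed sample values (not from the thread): the account and the
# instance profile role attached to the EC2 instance being restored.
ACCOUNT_ID = "111122223333"
INSTANCE_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/WebServerInstanceRole"

# Policy as posted in the accepted answer: PassRole on every role in the account.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Action": "iam:PassRole", "Resource": f"arn:aws:iam::{ACCOUNT_ID}:role/*", "Effect": "Allow"}
    ],
}

# Least-privilege variant: only the role actually attached to backed-up instances,
# and only when it is passed to EC2, the service that receives the instance profile
# when the restored instance is launched.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": INSTANCE_ROLE_ARN,
            "Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}},
        }
    ],
}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def allows(policy, action, resource, passed_to=None):
    """Hypothetical simplified evaluator for one identity policy: an explicit Deny wins,
    otherwise any matching Allow grants. Only the StringEquals/iam:PassedToService
    condition is modelled; IAM wildcards (* and ?) are matched with fnmatch."""
    decision = False
    for st in _as_list(policy["Statement"]):
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st.get("Action", []))):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st.get("Resource", []))):
            continue
        cond = st.get("Condition", {}).get("StringEquals", {})
        if "iam:PassedToService" in cond and passed_to not in _as_list(cond["iam:PassedToService"]):
            continue  # condition not satisfied, statement does not apply
        if st["Effect"] == "Deny":
            return False
        decision = True
    return decision
```

Running `allows(BROAD_POLICY, "iam:PassRole", other_role_arn, "lambda.amazonaws.com")` shows why the `role/*` grant is wider than the restore needs, while the scoped policy only returns True for the instance role passed to EC2.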
0

I have the same issue, yay. I've an instance profile connected to the instance I'm trying to restore, thought that might be the issue, so I added a new policy to that role, to no avail.

BigAl
answered 2 years ago
0

Sorry to hear you have the same issue.

I'm currently working around it by simply having a new role for restores.
In IAM I created a new role and assigned it the same permissions as the default account and for some reason that works.

IAM -> Create Role -> AWS Backup (use case) -> "AWSBackupServiceRolePolicyForBackup" and "AWSBackupServiceRolePolicyForRestores"
When doing an instance restore, I then select this new role at the "Restore role" part.

LiamMc
answered 2 years ago
0

Yes (sorry, very late response from me), but I used a PassRole policy and attached it to the default AWSBackup role and it got around the problem for me. Cheers folks.

BigAl
answered 2 years ago
0

Thank you for the inline policy to add, this solved the issue.
My previous workaround using a new Role with just AWSBackupServiceRolePolicyForBackup and AWSBackupServiceRolePolicyForRestores policies did work, but only for my Windows Instances, not the Linux ones.

For anyone new to AWS like I was:

  1. Go to IAM
  2. Select Roles
  3. Select AWSBackupDefaultServiceRole (or a custom role if you made one earlier)
  4. Select Add Inline Policy
  5. On the JSON tab replace the contents with the code in the ScottJones post above excluding the ''' lines
  6. Save and name the policy, it will now be listed in the policies list for the Role

LiamMc
answered 2 years ago
0

If you are using any SCPs that enforce tagging on EC2, you will need to disable that when doing the restore. The decrypted message (thanks https://aws.amazon.com/premiumsupport/knowledge-center/aws-backup-encoded-authorization-failure/) showed it was failing on tags that were missing. Perhaps you can do this via User Data, but I just temporarily detached the SCP from the OU, ran the restore, then re-attached it...

answered 2 years ago
