If the instance has a role attached, then the role doing the restore also needs rights to iam:PassRole.
Here are the details
https://aws.amazon.com/premiumsupport/knowledge-center/aws-backup-encoded-authorization-failure/
Or just add the following to the role that is doing the restore.
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": "iam:PassRole",
                "Resource": "arn:aws:iam::111122223333:role/*",
                "Effect": "Allow"
            }
        ]
    }
I hope this helps someone.
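The statement above grants PassRole on every role in the account. As an added example (not code from the thread or from AWS), the following Python builds that broad statement beside a narrowed version that names only the instance-profile roles the restored instances carry and adds an iam:PassedToService condition. It assumes the restore passes the instance profile's role to EC2 (ec2.amazonaws.com); the account ID 111122223333, the role name AWSBackupDefaultServiceRole and the role names you pass in are placeholders. The small matcher at the end only evaluates the Resource field so you can see which role ARNs each policy reaches.

```python
"""Least-privilege iam:PassRole for an AWS Backup restore role.

Added example, not code from the original thread. Account ID 111122223333,
the role name AWSBackupDefaultServiceRole and the instance-profile role names
are placeholders (assumptions).
"""
import json
import re
from typing import Iterable

RESTORE_ROLE = "AWSBackupDefaultServiceRole"  # the role selected at "Restore role"


def broad_passrole_policy(account_id: str) -> dict:
    """The statement posted in the thread: PassRole on every role in the account."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": f"arn:aws:iam::{account_id}:role/*",
        }],
    }


def scoped_passrole_policy(account_id: str, instance_profile_roles: Iterable[str],
                           passed_to: Iterable[str] = ("ec2.amazonaws.com",)) -> dict:
    """Same fix, narrowed to the instance-profile roles the restored instances use,
    and only when the role is passed to the listed services.
    Assumption: an EC2 restore passes the instance profile's role to EC2."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": [f"arn:aws:iam::{account_id}:role/{name}" for name in instance_profile_roles],
            "Condition": {"StringEquals": {"iam:PassedToService": list(passed_to)}},
        }],
    }


def _iam_glob(pattern: str) -> "re.Pattern[str]":
    """IAM resource wildcards: '*' matches any run of characters, '?' exactly one."""
    return re.compile("^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$")


def passrole_allows(policy: dict, role_arn: str) -> bool:
    """True if any Allow statement covering iam:PassRole matches this role ARN.
    Resource matching only; the Condition block is not evaluated here."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not ({"iam:PassRole", "iam:*", "*"} & set(actions)):
            continue
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if any(_iam_glob(r).match(role_arn) for r in resources):
            return True
    return False


def put_inline_policy(role_name: str, policy_name: str, policy: dict) -> None:
    """Attach the policy inline to the restore role. Needs boto3 and credentials
    that can call iam:PutRolePolicy; imported here so the rest runs offline."""
    import boto3
    boto3.client("iam").put_role_policy(
        RoleName=role_name, PolicyName=policy_name, PolicyDocument=json.dumps(policy))


if __name__ == "__main__":
    # Print the narrowed policy for review; paste it on the JSON tab of "Add inline policy".
    print(json.dumps(scoped_passrole_policy("111122223333", ["app-instance-role"]), indent=2))
```

Run it once to print the policy, check it against the instance profile on the instance you are restoring, then either paste it as the inline policy or call put_inline_policy(RESTORE_ROLE, "BackupRestorePassRole", policy) with credentials that may write to the role.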
I have the same issue, yay. I've an instance profile connected to the instance I'm trying to restore, thought that may be the issue so added a new policy to that role to no avail.
Sorry to hear you have the same issue.
I'm currently working around it by simply having a new role for restores.
In IAM I created a new role and assigned it the same permissions as the default account and for some reason that works.
IAM -> Create Role -> AWS Backup (use case) -> "AWSBackupServiceRolePolicyForBackup" and "AWSBackupServiceRolePolicyForRestores"
When doing an instance restore I then select this new role at the "Restore role" part
Yes (sorry, very late response from me), but I used a PassRole policy and attached it to the default AWSBackup role and it got around the problem for me. Cheers folks.
Thank you for the inline policy to add, this solved the issue.
My previous workaround using a new Role with just AWSBackupServiceRolePolicyForBackup and AWSBackupServiceRolePolicyForRestores policies did work, but only for my Windows Instances, not the Linux ones.
For anyone new to AWS like I was:
- Go to IAM
- Select Roles
- Select AWSBackupDefaultServiceRole (or a custom role if you made one earlier)
- Select Add Inline Policy
- On the JSON tab replace the contents with the code in the ScottJones post above excluding the ''' lines
- Save and name the policy, it will now be listed in the policies list for the Role
If you are using any SCPs that enforce tagging on EC2, you will need to disable that when doing the restore. The decoded message (thanks https://aws.amazon.com/premiumsupport/knowledge-center/aws-backup-encoded-authorization-failure/) showed it was failing on tags that were missing. Perhaps you can do this via User Data, but I just temporarily detached the SCP from the OU, ran the restore, then re-attached it...
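Reading the decoded message is the step that tells you which tag the SCP wanted, so you can decide whether to supply it instead of detaching the policy. As an added example (not from the thread or from AWS), the Python below takes the JSON that `aws sts decode-authorization-message` returns and pulls out the principal, the denied action and resource, the DENY statements that matched, and any aws:RequestTag/<key> condition the request carried no value for. SAMPLE_DECODED is a constructed message that follows the shape of the STS DecodedMessage output (a simplified subset of its fields); the tag keys CostCenter and Environment, the statement ID and the ARNs are placeholders.

```python
"""Summarize a decoded AWS Backup 'encoded authorization failure' message.

Added example, not from the original thread. SAMPLE_DECODED is constructed to
resemble the output of `aws sts decode-authorization-message` (a simplified
subset of its fields); tag keys, statement ID and ARNs are placeholders.
"""
import json
import sys

SAMPLE_DECODED = json.dumps({
    "allowed": False,
    "explicitDeny": True,
    "matchedStatements": {"items": [
        {"statementId": "DenyUntaggedEC2Launch", "effect": "DENY"},
    ]},
    "failures": {"items": []},
    "context": {
        "principal": {
            "id": "AROAEXAMPLEID:AWSBackup-AWSBackupDefaultServiceRole",
            "arn": "arn:aws:sts::111122223333:assumed-role/AWSBackupDefaultServiceRole/AWSBackup-AWSBackupDefaultServiceRole",
        },
        "action": "ec2:RunInstances",
        "resource": "arn:aws:ec2:us-east-1:111122223333:instance/*",
        "conditions": {"items": [
            # An empty values list means the request carried no value for that key.
            {"key": "aws:RequestTag/CostCenter", "values": {"items": []}},
            {"key": "aws:RequestTag/Environment", "values": {"items": [{"value": "prod"}]}},
            {"key": "aws:PrincipalArn", "values": {"items": [
                {"value": "arn:aws:iam::111122223333:role/AWSBackupDefaultServiceRole"}]}},
        ]},
    },
})


def summarize(decoded: dict) -> dict:
    """Reduce a decoded message to the facts needed to fix the restore."""
    ctx = decoded.get("context", {})
    conditions = ctx.get("conditions", {}).get("items", [])
    tag_keys = {c["key"]: [v["value"] for v in c.get("values", {}).get("items", [])]
                for c in conditions if c["key"].startswith("aws:RequestTag/")}
    # Heuristic: a tag-enforcing SCP (Null / StringNotEquals on aws:RequestTag/<key>)
    # denies when the key is absent, which shows up here as an empty values list.
    missing = sorted(k.split("/", 1)[1] for k, vals in tag_keys.items() if not vals)
    supplied = {k.split("/", 1)[1]: vals for k, vals in tag_keys.items() if vals}
    denies = [s.get("statementId", "<unnamed>")
              for s in decoded.get("matchedStatements", {}).get("items", [])
              if s.get("effect") == "DENY"]
    return {
        "allowed": bool(decoded.get("allowed", False)),
        "explicit_deny": bool(decoded.get("explicitDeny", False)),
        "principal_arn": ctx.get("principal", {}).get("arn"),
        "action": ctx.get("action"),
        "resource": ctx.get("resource"),
        "denying_statements": denies,
        "missing_request_tags": missing,
        "supplied_request_tags": supplied,
    }


def summarize_json(text: str) -> dict:
    """Same as summarize(), starting from the raw JSON text STS returned."""
    return summarize(json.loads(text))


def render(summary: dict) -> str:
    """Plain-text report for a terminal."""
    lines = [
        f"principal : {summary['principal_arn']}",
        f"action    : {summary['action']}",
        f"resource  : {summary['resource']}",
        f"explicit deny: {summary['explicit_deny']} (statements: {', '.join(summary['denying_statements']) or 'none'})",
        f"request tags missing : {', '.join(summary['missing_request_tags']) or 'none'}",
        f"request tags supplied: {summary['supplied_request_tags'] or 'none'}",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    # Feed real output in on stdin; fall back to the constructed sample when run alone.
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DECODED
    print(render(summarize_json(raw)))
```

The caller needs sts:DecodeAuthorizationMessage; with that in place, `aws sts decode-authorization-message --encoded-message "$MSG" --query DecodedMessage --output text | python3 decode_failure.py` (the file name is your choice) prints the report. When the missing keys are tags the SCP requires, adding them to the restore is the alternative to detaching the SCP from the OU.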
There seems to be a typo with an extra \ at the start of the statement.
This resolves my issue. You just remove the extra character "\" before the opening bracket.