
Default AWSBackupDefaultServiceRole role cannot create on-demand backups from Lambda.


I want to centrally trigger backups from a Lambda function in my central account.

For my Lambda, I have an execution role (CrossAccountBackupsLambdaExecutionRole) that has permissions to assume AWSBackupDefaultServiceRole within the same account and in the target accounts, as well as the trust policy for Lambda to assume it.

For the AWSBackupDefaultServiceRole I just added the trust policy for my Lambda execution role CrossAccountBackupsLambdaExecutionRole to assume it. The trust policy for Backup service to assume it was already there.

When I trigger the Lambda, I get an error that says:

"Attempting to start backup for instance #### in account #### Error starting backup for instance #### in account ####: An error occurred (AccessDeniedException) when calling the StartBackupJob operation: Insufficient privileges to perform this action."

I already tested in the CLI by assuming my Lambda execution role CrossAccountBackupsLambdaExecutionRole and from there, assuming the AWSBackupDefaultServiceRole. It works so I think the roles are interacting with each other correctly. I can also trigger on-demand backups from the management console with the **AWSBackupDefaultServiceRole** role without issues, so there are no permissions missing for that action.

It is important to mention that this error is the same if I try to trigger the backups for instances in the same account and in other accounts.

Is there anything I am missing? I would highly appreciate your help.

1 Answer

Based on the information provided, it seems that you've set up the IAM roles and trust relationships correctly, but there might be a few things to consider:

  1. Lambda Function Permissions: Ensure that your Lambda function has the necessary permissions to interact with AWS Backup. The Lambda execution role (CrossAccountBackupsLambdaExecutionRole) should have permissions to call AWS Backup APIs, particularly the StartBackupJob operation.

  2. AWSBackupOperatorAccess: Consider attaching the AWSBackupOperatorAccess managed policy to your Lambda execution role. This policy specifically grants permissions to create on-demand backups, which aligns with your use case.

  3. Resource-based Policies: Check if there are any resource-based policies on the resources you're trying to back up that might be restricting access.

  4. Cross-Account Permissions: For cross-account backups, ensure that the target accounts have the necessary permissions set up to allow the central account to initiate backups.

  5. VPC Configuration: If your Lambda function is running in a VPC, make sure it has the necessary network access to reach AWS Backup endpoints.

  6. IAM Policy Evaluation: Remember that when you assume a role, you don't accumulate permissions from multiple roles. The effective permissions are those granted by the assumed role (AWSBackupDefaultServiceRole in this case).

  7. CloudTrail Logs: Review CloudTrail logs for the StartBackupJob API call to see if there are any specific permission issues being reported.

Given that you can perform the operation successfully via CLI and the management console, the issue likely lies in how the Lambda function is assuming and using the roles. Double-check the IAM policy attached to your Lambda execution role and ensure it has the necessary permissions to interact with AWS Backup directly, in addition to the ability to assume the AWSBackupDefaultServiceRole.

If the issue persists, you might want to temporarily grant broader permissions to your Lambda execution role for troubleshooting purposes, and then narrow them down once you identify the specific permissions needed.
Sources
AWSBackupOperatorAccess - AWS Managed Policy
Resolve your AWS incidents faster by automatically engaging AWS Managed Services | AWS Cloud Operations Blog

answered a year ago
EXPERT
reviewed a year ago
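The role-chained flow the question and answer describe (Lambda execution role assumes AWSBackupDefaultServiceRole, then calls StartBackupJob with those credentials), as an added example that is not code from the original post or from AWS. It assumes a Python Lambda with boto3 available, the role ARN and vault name in the environment variables BACKUP_ROLE_ARN and BACKUP_VAULT_NAME (names chosen here), and the resource ARN in the invoking event; the two helpers are pure so they can be checked without AWS access.

```python
"""On-demand AWS Backup job from Lambda via role chaining (added example, not from the original post)."""
import os


def assume_role_credentials(sts_client, role_arn, session_name="backup-trigger"):
    """Assume role_arn and return keyword arguments for building a boto3 client.

    Only the assumed role's credentials are returned: role chaining replaces the
    caller's permissions, it does not add to them (answer point 6). sts_client is
    injected so this can be exercised offline with a fake.
    """
    resp = sts_client.assume_role(RoleArn=role_arn, RoleSessionName=session_name)
    c = resp["Credentials"]
    return {
        "aws_access_key_id": c["AccessKeyId"],
        "aws_secret_access_key": c["SecretAccessKey"],
        "aws_session_token": c["SessionToken"],
    }


def build_start_backup_job_request(resource_arn, vault_name, iam_role_arn, idempotency_token):
    """Build the StartBackupJob parameters.

    IamRoleArn is the role AWS Backup itself uses to read the resource; the caller
    needs iam:PassRole on it, which is separate from being allowed to assume it.
    """
    return {
        "BackupVaultName": vault_name,
        "ResourceArn": resource_arn,
        "IamRoleArn": iam_role_arn,
        "IdempotencyToken": idempotency_token,
    }


def lambda_handler(event, context):
    import boto3  # present in the Lambda runtime; imported lazily so the helpers above stay testable offline

    region = os.environ["AWS_REGION"]
    # For a target account, the event carries that account's AWSBackupDefaultServiceRole ARN (assumed layout).
    role_arn = event.get("backup_role_arn", os.environ["BACKUP_ROLE_ARN"])
    creds = assume_role_credentials(boto3.client("sts", region_name=region), role_arn)
    # Build the Backup client from the assumed credentials, not the execution role's defaults.
    backup = boto3.client("backup", region_name=region, **creds)
    # Sanity check: this is the identity CloudTrail will record as the StartBackupJob caller (answer point 7).
    caller = boto3.client("sts", region_name=region, **creds).get_caller_identity()["Arn"]
    req = build_start_backup_job_request(
        event["resource_arn"], os.environ["BACKUP_VAULT_NAME"], role_arn, context.aws_request_id
    )
    job = backup.start_backup_job(**req)
    return {"caller": caller, "backup_job_id": job["BackupJobId"]}
```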

