Skip to content
By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

"Lambda-Function-RDS-Snapshot-Management" was working now python errors after minor change

0

Hi re:Post!

Thank you for your time and help!

My lambda function, "Lambda-Function-RDS-Snapshot-Management", was working as expected. But then I made (2) small changes to python script and now it errors.

I switched the "SOURCE_REGION" from us-west-1 to us-west-2 (code snippet below):

# SOURCE_REGION = "us-west-2"  # Oregon (system)
SOURCE_REGION = "us-west-1"  # N. California (system)

And I switched out some db_names:

Was:

db_names = [ "db-drtest20250410", "db-drtest20240314" ]

Is:

db_names = [ "db-urovant", "db-atlas" ]

It should have worked. Lambda is using the same KMS key (rds-cross-region-replication) when it worked but now errors with:

Copying snapshot rds:db-urovant-2025-08-29-05-13-us-east-2 to copy-rds-db-urovant-2025-08-29
Error copying snapshot rds:db-urovant-2025-08-29-05-13-us-east-2: An error occurred (KMSKeyNotAccessibleFault) when calling the CopyDBSnapshot operation: The source snapshot KMS key does not exist, is not enabled or you do not have permissions to access it
Copying snapshot rds:db-atlas-2025-08-29-05-10-us-east-2 to copy-rds-db-atlas-2025-08-29
Error copying snapshot rds:db-atlas-2025-08-29-05-10-us-east-2: An error occurred (KMSKeyNotAccessibleFault) when calling the CopyDBSnapshot operation: The source snapshot KMS key does not exist, is not enabled or you do not have permissions to access it

Please advise!

Thanks!

Best Regards,

Donald

Topics
ServerlessCompute
Tags
AWS Lambda
Language
English
asked 8 months ago232 views
3 Answers
1
Accepted Answer

Hello.

As described in the following document, you need to check "Check the source KMS key policy".
Judging from the error message, I think this is because Lambda does not have access to the KMS key used to encrypt the snapshot in the "us-west-1" region.
Therefore, please check which KMS key "db-urovant" and "db-atlas" are encrypted with, and set the KMS key policy to allow access from the Lambda IAM role.
https://repost.aws/knowledge-center/backup-troubleshoot-cross-account-copy#:~:text=Check%20the%20source%20KMS%20key%20policy

EXPERT
answered 8 months ago
EXPERT
reviewed 8 months ago
  • DC
    8 months ago

    Sorry all! I was in hospital for a week and have covid, so I'm just getting back this today. I'll start a new question regarding how to ensure that my Lambda execution role/policy is configured with the correct json coding to allow cross reqion copying. Thank you both for your time and help! Best Regards, Donald

1

As per Riku,

Youve changed your source region to us-west-1 but your KMS Key defined your IAM Policy does not state any KMS Keys in us-west-1 This would need adjusting unless your KMS Key Policy allows your lambda function to Decrypt. You cant use the KMS key in a different region for RDS Shapshots.

Without seeing your full code, its going to be Policy or your poiting to a key which doesnt exist

EXPERT
answered 8 months ago
0

The error you're experiencing is related to KMS key permissions when copying RDS snapshots across regions. When you changed the source region from us-west-1 to us-west-2, you're now trying to access snapshots that are encrypted with a different KMS key than before.

The error message "KMSKeyNotAccessibleFault" indicates that your Lambda function doesn't have permission to use the KMS key that encrypted the snapshots in the new source region (us-west-2). This happens because:

  1. Each AWS region has its own KMS keys
  2. When copying encrypted snapshots across regions, you need proper permissions to both:
  • The source KMS key (in us-west-2) that encrypted the original snapshots
  • The destination KMS key (in your target region) that will encrypt the copied snapshots

To fix this issue:

  1. Verify that your Lambda execution role (RL-Lambda-RDS-Snapshot-Management) has permissions to use the KMS key in the us-west-2 region. You need to add the appropriate KMS permissions to your role's policy.

  2. In your Python code, you may need to explicitly specify the KMS key ID for the destination region when calling the copy_db_snapshot function:

dest_rds.copy_db_snapshot(
SourceDBSnapshotIdentifier=source_arn,
TargetDBSnapshotIdentifier=target_snapshot_id,
KmsKeyId="arn:aws:kms:destination-region:account-id:key/key-id",
SourceRegion=SOURCE_REGION
)
  1. Ensure that the KMS key policy in us-west-2 allows your Lambda role to use the key for decryption.

The database name changes shouldn't cause this issue - it's specifically related to the region change and the associated KMS keys used for encryption in that region.
Sources
Python code deleted wrong snapshots and tried to copy wrong snapshots | AWS re:Post
Copying a DB snapshot for Amazon RDS - Amazon Relational Database Service

answered 8 months ago
EXPERT
reviewed 8 months ago
  • DC
    8 months ago

    But I use that same key not only in previous test that worked but also when manually copying snapshots from source us-west-1 to target us-west-2.

  • DC
    8 months ago

    Regarding, "In your Python code, you may need to explicitly specify the KMS key ID for the destination region when calling the copy_db_snapshot function"

    That was already in the python code:

    Copy the snapshot

                dest_rds.copy_db_snapshot(
                SourceDBSnapshotIdentifier=source_arn,
                TargetDBSnapshotIdentifier=target_snapshot_id,
                KmsKeyId="arn:aws:kms:us-west-2:<hidden>:key/<hidden>",
                SourceRegion=SOURCE_REGION
  • DC
    8 months ago

    This was already done as well:

    To fix this issue:

    Verify that your Lambda execution role (RL-Lambda-RDS-Snapshot-Management) has permissions to use the KMS key in the us-west-2 region. You need to add the appropriate KMS permissions to your role's policy.

  • DC
    8 months ago

    Here is the role's JSON: { "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": "iam:PassRole", "Resource": "arn:aws:iam::910286192445:role/*" }, { "Effect": "Allow", "Action": [ "kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey", "kms:DescribeKey", "kms:CreateGrant", "kms:RetireGrant" ], "Resource": "arn:aws:kms:us-west-2:910286192445:key/mrk-6dae29119b094afaa3b9ed67c781ab3c" }, { "Effect": "Allow", "Action": [ "kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant" ], "Resource": "arn:aws:kms:us-west-2:910286192445:key/mrk-6dae29119b094afaa3b9ed67c781ab3c", "Condition": { "Bool": { "kms:GrantIsForAWSResource": true } } }, { "Sid": "VisualEditor1", "Effect": "Allow", "Action": [ "rds:DescribeDBSnapshots", "rds:CopyDBSnapshot", "rds:DeleteDBSnapshot", "rds:CrossRegionCommunication", "lambda:ListFunctions", "lambda:CreateFunction", "access-analyzer:ListPolicyGenerations"

  • DC
    8 months ago

    Continued... "access-analyzer:ListPolicyGenerations" ], "Resource": [ "*" ] } ] }

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Relevant content