CloudFormation Restore Aurora Postgres From Snapshot Access Denied APIDataApi


I'm trying to restore an encrypted Aurora cluster from a snapshot stored in my backup vault. Here is the CloudFormation template that I use to create it and then to restore it:

    Cluster:
      Type: AWS::RDS::DBCluster
      Properties:
        CopyTagsToSnapshot: !If [IsUseDBSnapshot, !Ref "AWS::NoValue", true]
        DBClusterIdentifier: !Join ['-', [!Ref Env, !Ref Project, 'cluster']]
        DBSubnetGroupName: !Ref DBSubnetGroup
        Engine: !Ref Engine
        EngineVersion: !Ref EngineVersion
        KmsKeyId: !Ref KMSKey
        MasterUsername: !If [IsUseDBSnapshot, !Ref "AWS::NoValue", !Ref Username]
        ManageMasterUserPassword: !If [IsUseDBSnapshot, !Ref "AWS::NoValue", true]
        MasterUserSecret:
          KmsKeyId: !If [IsUseDBSnapshot, !Ref "AWS::NoValue", !Ref KMSKey]
        BackupRetentionPeriod: 1
        PreferredBackupWindow: "01:00-04:00"
        PreferredMaintenanceWindow: "sun:04:00-sun:05:00"
        EnableHttpEndpoint: true
        DBClusterParameterGroupName: !Ref RDSDBClusterParameterGroup
        DeletionProtection: true
        SnapshotIdentifier: !If [IsUseDBSnapshot, !Ref DBSnapshotName, !Ref "AWS::NoValue"]
        StorageEncrypted: !If [IsUseDBSnapshot, !Ref "AWS::NoValue", true]
        VpcSecurityGroupIds:
          - !Ref RDSInstanceSG
        StorageType: aurora
        # EnableCloudwatchLogsExports:
        #   - postgresql
        Tags:
          - Key: Name
            Value: !Join ['-', [!Ref Env, !Ref Project, 'cluster']]
          - Key: backup
            Value: daily
      DeletionPolicy: Delete
      UpdateReplacePolicy: Retain

    AURORA:
      Type: 'AWS::RDS::DBInstance'
      Properties:
        DBInstanceIdentifier: !Join ['-', [!Ref Env, !Ref Project, 'aurora']]
        AutoMinorVersionUpgrade: false
        Engine: !Ref Engine
        EngineVersion: !Ref EngineVersion
        DBParameterGroupName: !Ref RDSDBParameterGroup
        EnablePerformanceInsights: true
        PerformanceInsightsKMSKeyId: !Ref KMSKey
        PerformanceInsightsRetentionPeriod: !Ref PerformanceInsightsRetentionPeriod
        DBClusterIdentifier: !Ref Cluster
        DBInstanceClass: !Ref DBInstanceClass
        CACertificateIdentifier: !Ref CACertificateIdentifier
        Tags:
          - Key: Name
            Value: !Join ['-', [!Ref Env, !Ref Project, 'aurora']]
          - Key: backup
            Value: daily
      DeletionPolicy: "Snapshot"
      UpdateReplacePolicy: "Snapshot"

Every time I run the CloudFormation template, the stack rolls back with this error:

Resource handler returned message: "Access Denied to API Version: APIDataApi (Service: Rds, Status Code: 400, Request ID: ff80cc9f-cd5f-4b0c-bfbb-1cae406a5027)" (RequestToken: 40fbfa19-262d-dde7-7149-dd4668f2c25e, HandlerErrorCode: InvalidRequest)

I tried to trace the request with CloudTrail, but there are no requests with data id. I don't understand what "Access Denied to API Version: APIDataApi" means.

There are no issues if I manually restore using the AWS RDS Console.

2 Answers
Accepted Answer


I thought it was related to enabling Aurora Serverless's DataAPI with "EnableHttpEndpoint: true".
Please try commenting out this setting and then restoring it.

answered 25 days ago

The error can also appear if the HTTP Data API is not (yet) available in your target region, especially for the new Serverless v2.


answered 5 days ago
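
An added example, not from the question or either answer: one way to apply the accepted answer's suggestion without hand-editing the template is to put `EnableHttpEndpoint` behind its own switch, using the same `!If` / `AWS::NoValue` pattern the template already uses, so the property is left out during the restore. The `EnableDataApi` parameter and `IsDataApiOn` condition are hypothetical names, and the `IsUseDBSnapshot` definition is an assumption because the question does not show its Conditions section.

```yaml
Parameters:
  DBSnapshotName:
    Type: String
    Default: ''
  # Hypothetical switch: leave at 'false' for the restore run.
  EnableDataApi:
    Type: String
    AllowedValues: ['true', 'false']
    Default: 'false'

Conditions:
  # Assumed definition; the question's template references this condition
  # but does not show how it is declared.
  IsUseDBSnapshot: !Not [!Equals [!Ref DBSnapshotName, '']]
  # Hypothetical condition driving the Data API property.
  IsDataApiOn: !Equals [!Ref EnableDataApi, 'true']

Resources:
  Cluster:
    Type: AWS::RDS::DBCluster
    Properties:
      # Fragment: the remaining properties stay as in the question's template.
      SnapshotIdentifier: !If [IsUseDBSnapshot, !Ref DBSnapshotName, !Ref "AWS::NoValue"]
      # Omitted entirely unless the switch is on, instead of a hard-coded true.
      EnableHttpEndpoint: !If [IsDataApiOn, true, !Ref "AWS::NoValue"]
```

Setting `EnableDataApi` to `true` in a later stack update only helps where the Data API is available for the engine and region, which is the point the second answer raises.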
