Configure the backup in New Instance

1

Generating a backup on a new RDS instance (SQL Server Web Edition) with the command:

exec msdb.dbo.rds_backup_database @source_db_name='nome do banco', @s3_arn_to_backup_to=@ARQUIVO, @overwrite_s3_backup_file=1

returns the message:

  • Task has been aborted
  • Access Denied

There are already two instances that run the backup daily. For the new instance, I configured it as follows:

  1. An Amazon S3 bucket to store the backup files
  2. Same VPC security group as existing ones.
  3. Same IAM role as above with sqlNativeBackup, AWSBackupServiceRolePolicyForBackup and AWSBackupServiceRolePolicyForRestores.
  4. Option groups with same Core Engine Version and SQLSERVER_BACKUP_RESTORE option.

What could cause the Access Denied error?

asked 9 months ago, 187 views
1 Answer
0

Hello,

I'm Seungwon, the support engineer answering your RDS issue.

I can only offer responses based on general possibilities, because I can't access your resource.

Your understanding in this matter is greatly appreciated.

From your question, I think you need to check the trust relationship.

When you create an IAM role, you attach a trust relationship and a permissions policy.

The trust relationship allows RDS to assume this role. The permissions policy defines the actions this role can perform.

For the native backup and restore feature, use trust relationships and permissions policies similar to the examples in this section.

In the following example, we use the service principal name rds.amazonaws.com as an alias for all service accounts.

In the other examples, we specify an Amazon Resource Name (ARN) to identify another account, user, or role that we're granting access to in the trust policy.

Example trust relationship with global condition context key for native backup and restore

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "rds.amazonaws.com"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "aws:SourceArn": [
                        "arn:aws:rds:Region:my_account_ID:db:db_instance_identifier",
                        "arn:aws:rds:Region:my_account_ID:og:option_group_name"
                    ]
                }
            }
        }
    ]
}

[+] Importing and exporting SQL Server databases using native backup and restore - Manually creating an IAM role for native backup and restore - https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/SQLServer.Procedural.Importing.html#SQLServer.Procedural.Importing.Native.Enabling.IAM

I hope that you found this information useful and the services mentioned above are suitable for your requirements and specific use-cases.

If further precise analysis and root cause identification are required, I recommend considering enrollment in an AWS Support Plan. This will ensure that an appropriate engineer is assigned to your case, enabling you to obtain the desired resolution.

[+] AWS Support Plan - https://aws.amazon.com/premiumsupport/plans/?nc1=h_ls

AWS SUPPORT ENGINEER
answered 9 months ago
EXPERT
reviewed a month ago
  • Hi Seungwon,

    Using your instructions, I was able to resolve the problem. Actually the added sqlNativeBackup permission policy was from another instance. After adjustment, backups were created successfully!

    Thank you very much!

    Celio
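An offline check for the two causes raised in this thread: a trust policy whose aws:SourceArn list omits the new instance, and a permissions policy copied from another instance (assumed here to point at that instance's bucket). This is an added example, not code from the original posts or from AWS. The function names, ARNs, bucket names and the NEEDED action subset are assumptions, and requiring both the instance and option group ARNs to be listed follows the answer's example policy.

```python
from fnmatch import fnmatchcase

def as_list(v):
    return v if isinstance(v, list) else [v]

def arn_ok(arn, condition):
    """True if every positive aws:SourceArn operator accepts arn (negated operators not handled)."""
    for op, keys in condition.items():
        for key, vals in keys.items():
            if key.lower() == "aws:sourcearn" and not any(
                    fnmatchcase(arn, v) if "Like" in op else arn == v for v in as_list(vals)):
                return False
    return True

def trust_gaps(trust, required_arns):
    """ARNs for which no Allow statement lets rds.amazonaws.com assume the role."""
    def allows(st, arn):
        p = st.get("Principal")
        services = as_list(p.get("Service", [])) if isinstance(p, dict) else []
        return (st.get("Effect") == "Allow" and "rds.amazonaws.com" in services
                and "sts:AssumeRole" in as_list(st.get("Action", []))
                and arn_ok(arn, st.get("Condition", {})))
    return [a for a in required_arns if not any(allows(s, a) for s in as_list(trust["Statement"]))]

def s3_gaps(policy, bucket, needed):
    """(action, resource) pairs no Allow statement covers; Deny statements are not evaluated."""
    def covers(st, action, res):
        return (st.get("Effect") == "Allow"
                and any(fnmatchcase(action.lower(), a.lower()) for a in as_list(st.get("Action", [])))
                and any(fnmatchcase(res, r) for r in as_list(st.get("Resource", []))))
    pairs = [(a, f"arn:aws:s3:::{bucket}{suffix}") for a, suffix in needed]
    return [p for p in pairs if not any(covers(s, *p) for s in as_list(policy["Statement"]))]

# Constructed sample data: account ID, region, instance, option group and bucket names are placeholders.
DB = "arn:aws:rds:us-east-1:111122223333:db:new-instance"
OG = "arn:aws:rds:us-east-1:111122223333:og:shared-option-group"
TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": "rds.amazonaws.com"}, "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"aws:SourceArn": [
        "arn:aws:rds:us-east-1:111122223333:db:old-instance", OG]}}}]}
PERMS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
     "Resource": "arn:aws:s3:::old-instance-backups"},
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::old-instance-backups/*"}]}
NEEDED = [("s3:ListBucket", ""), ("s3:PutObject", "/*")]  # assumed subset; extend per the AWS guide

if __name__ == "__main__":
    print(trust_gaps(TRUST, [DB, OG]), s3_gaps(PERMS, "new-instance-backups", NEEDED))
```

To check a real role, load the policy documents exported from IAM in place of the constructed TRUST and PERMS dictionaries.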
