Why do I receive an error when I try to export a snapshot from Amazon RDS for MySQL to Amazon S3?
When I export a snapshot from an Amazon Relational Database Service (Amazon RDS) for MySQL instance to an Amazon Simple Storage Service (Amazon S3) bucket, I receive an error or the option isn't available.
Short description
Exporting DB snapshot data from Amazon RDS to Amazon S3 can fail for the following reasons:
- AWS Identity and Access Management (IAM) role and policy misconfiguration
- AWS Key Management Service (AWS KMS) key check failure
- Export task stuck in the "Starting" status
- Access denied error
- KMSKeyNotAccessibleFault
- Permission issues on tables
- IAM role doesn't exist
Resolution
**Note:** If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent version of the AWS CLI.
IAM role and policy misconfiguration
If your IAM role doesn't have permissions to export a snapshot from an Amazon RDS for MySQL instance to Amazon S3, then you receive one of the following errors:
- "An error occurred (IamRoleMissingPermissions) when calling the StartExportTask operation: The IAM Role arn:aws:iam::1234567890:role/service-role/role_name isn't authorized to call s3:GetBucketLocation on the S3 bucket my_bucket_name"
- "An error occurred (IamRoleMissingPermissions) when calling the StartExportTask operation: The IAM Role arn:aws:iam::1234567890:role/service-role/role_name isn't authorized to call s3:DeleteObject on the S3 bucket my_bucket_name"
- "An error occurred (IamRoleMissingPermissions) when calling the StartExportTask operation: The IAM Role arn:aws:iam::1234567890:role/service-role/role_name isn't authorized to call s3:PutObject on the S3 bucket my_bucket_name"
- "An error occurred (IamRoleMissingPermissions) when calling the StartExportTask operation: The IAM Role arn:aws:iam::1234567890:role/service-role/role_name isn't authorized to call s3:ListBucket on the S3 bucket my_bucket_name"
- "An error occurred (IamRoleMissingPermissions) when calling the StartExportTask operation: The IAM Role arn:aws:iam::1234567890:role/service-role/role_name isn't authorized to call s3:GetObject on the S3 bucket my_bucket_name"
To export a snapshot to Amazon S3, your IAM role must have permissions for the following actions:
- s3:PutObject
- s3:DeleteObject
- s3:GetObject
- s3:ListBucket
- s3:GetBucketLocation
The following is an example IAM policy that allows these actions:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ExportPolicy",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject*",
        "s3:ListBucket",
        "s3:GetObject*",
        "s3:DeleteObject*",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::s3_bucket_name",
        "arn:aws:s3:::s3_bucket_name/export/*"
      ]
    }
  ]
}
```
AWS KMS key check failure
If the AWS KMS key is disabled or deleted while you export the snapshot, then you receive the following error: "KMS keys check failed. Please check the credentials on your KMS key and try again".
To resolve this issue, make sure that the AWS KMS key that you use to export the snapshot exists in the AWS KMS console. The AWS KMS key status must show as "Enabled".
Export task stuck in the "Starting" status
The time that it takes to export an Amazon RDS for MySQL DB snapshot to Amazon S3 depends on the size and type of the database. The export task restores and scales the entire database before it extracts the data to Amazon S3. During this phase, the export task shows the "Starting" status. When the task exports the data to Amazon S3, the status changes to "In progress". If the export task succeeds, then the status indicates that the task is complete. If there's an issue with the export task process, then the status indicates that the task failed.
Access denied error
If your IAM role lacks the required permissions, then when you use AWS Lambda with Amazon API Gateway, you receive the following error:
"An error occurred (AccessDenied) when calling the StartExportTask operation: User: arn:aws:sts::1234567890:assumed-role/user/rds_lambda is not authorized to perform: rds:StartExportTask"
To resolve this issue, allow write permissions for rds:StartExportTask. You must have access to the StartExportTask action:
```json
{
  "Effect": "Allow",
  "Action": "rds:StartExportTask",
  "Resource": "*"
}
```
If your IAM role doesn't have permission to call the StartExportTask operation, then you receive the following error:
"An error occurred (AccessDenied) when calling the StartExportTask operation: User: arn:aws:sts::1234567890:assumed-role/user/rds_lambda is not authorized to perform: iam:PassRole on Resource ,iam role arn."
To resolve this error, grant the user permissions to pass the role to AWS services:
```json
{
  "Effect": "Allow",
  "Action": [
    "iam:GetRole",
    "iam:PassRole"
  ],
  "Resource": "arn:aws:iam::1234567890:role/role_name"
}
```
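The IamRoleMissingPermissions and AccessDenied errors above are all the same class of problem: a policy that does not cover one of the required action/resource pairs. The following offline check, added here as an example and not AWS code, evaluates a policy document the way IAM matches actions and resources (Allow/Deny, `*` and `?` wildcards, case-insensitive action names) against the five S3 actions the export role needs and against the rds:StartExportTask and iam:PassRole permissions the calling identity needs. It deliberately ignores Condition, NotAction and NotResource, so it is a pre-flight sanity check rather than a policy simulator. The bucket name, prefix, account ID and ARNs are the article's placeholders or constructed values.

```python
"""Offline checks for the IAM permissions that an RDS snapshot export needs.

Added example for this article; it is not AWS code. It evaluates Allow/Deny
statements with IAM-style wildcards but ignores Condition, NotAction and
NotResource. Bucket name, prefix, account ID and ARNs are placeholders.
"""
import fnmatch

# Actions the export role must be allowed on the bucket (from the article).
REQUIRED_S3_ACTIONS = (
    "s3:PutObject",
    "s3:DeleteObject",
    "s3:GetObject",
    "s3:ListBucket",
    "s3:GetBucketLocation",
)
# These act on the bucket itself, so they must be allowed on the bucket ARN,
# not only on "arn:aws:s3:::bucket/*".
BUCKET_LEVEL_ACTIONS = {"s3:ListBucket", "s3:GetBucketLocation"}


def _as_list(value):
    """IAM lets Statement, Action and Resource be a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """Action names are case-insensitive; '*' and '?' are IAM wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _resource_matches(pattern, resource):
    """Resource ARNs are case-sensitive; '*' and '?' are IAM wildcards."""
    return fnmatch.fnmatchcase(resource, pattern)


def policy_allows(policy, action, resource):
    """True if an Allow statement covers action/resource and no Deny does."""
    allowed = denied = False
    for stmt in _as_list(policy.get("Statement")):
        if not any(_action_matches(p, action) for p in _as_list(stmt.get("Action"))):
            continue
        if not any(_resource_matches(p, resource) for p in _as_list(stmt.get("Resource"))):
            continue
        if stmt.get("Effect") == "Deny":
            denied = True
        elif stmt.get("Effect") == "Allow":
            allowed = True
    return allowed and not denied


def missing_export_permissions(role_policy, bucket, prefix):
    """Return the required S3 actions the export role's policy does not grant."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    # A representative object the export task would write under the prefix.
    object_arn = f"arn:aws:s3:::{bucket}/{prefix}/part-00000.parquet"
    missing = []
    for action in REQUIRED_S3_ACTIONS:
        target = bucket_arn if action in BUCKET_LEVEL_ACTIONS else object_arn
        if not policy_allows(role_policy, action, target):
            missing.append(action)
    return missing


def missing_caller_permissions(caller_policy, role_arn, snapshot_arn):
    """Return what the identity that calls StartExportTask still lacks."""
    needed = [("rds:StartExportTask", snapshot_arn), ("iam:PassRole", role_arn)]
    return [a for a, res in needed if not policy_allows(caller_policy, a, res)]


# The article's export role policy.
EXPORT_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ExportPolicy", "Effect": "Allow",
        "Action": ["s3:PutObject*", "s3:ListBucket", "s3:GetObject*",
                   "s3:DeleteObject*", "s3:GetBucketLocation"],
        "Resource": ["arn:aws:s3:::s3_bucket_name",
                     "arn:aws:s3:::s3_bucket_name/export/*"],
    }],
}
# Constructed policy with a common mistake: only the "bucket/*" ARN, so the
# bucket-level actions are not covered (and s3:GetBucketLocation is absent).
WEAK_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::s3_bucket_name/*"],
    }],
}
# The two statements the article gives for the calling identity.
CALLER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "rds:StartExportTask", "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:GetRole", "iam:PassRole"],
         "Resource": "arn:aws:iam::1234567890:role/role_name"},
    ],
}
ROLE_ARN = "arn:aws:iam::1234567890:role/role_name"
SNAPSHOT_ARN = "arn:aws:rds:us-east-1:1234567890:snapshot:my-snapshot"  # constructed

if __name__ == "__main__":
    print(missing_export_permissions(EXPORT_ROLE_POLICY, "s3_bucket_name", "export"))
    print(missing_export_permissions(WEAK_ROLE_POLICY, "s3_bucket_name", "export"))
    print(missing_caller_permissions(CALLER_POLICY, ROLE_ARN, SNAPSHOT_ARN))
```

The weak policy illustrates why the article lists both `arn:aws:s3:::s3_bucket_name` and `arn:aws:s3:::s3_bucket_name/export/*` as resources: s3:ListBucket and s3:GetBucketLocation are evaluated against the bucket ARN, so a policy that only names `bucket/*` produces exactly the "isn't authorized to call s3:ListBucket" error even though the object actions are granted.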
KMSKeyNotAccessibleFault
If the AWS KMS key or the IAM role can't be accessed through the snapshot export mechanism, then you receive the following error:
"An error occurred (KMSKeyNotAccessibleFault) when calling the StartExportTask operation: The specified KMS key <key_id> does not exist, is not enabled or you do not have permissions to access it."
To resolve the KMSKeyNotAccessibleFault error in Amazon RDS, see Setting up access to an Amazon S3 bucket.
To resolve the KMSKeyNotAccessibleFault error in Amazon Aurora, see Using a cross-account AWS KMS key.
Permission issues on tables
If you don't have permissions to access the tables in Amazon RDS, then you receive the following error:
"PERMISSIONS_DO_NOT_EXIST error stating that (n) tables were skipped"
To resolve this issue, run the following command after you connect to the PostgreSQL database:
```sql
GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA schema_name TO superuser_name;
```
IAM role doesn't exist
If the correct trust relationship isn't specified in your IAM role's trust policy, then you receive the following error:
"The Principal export.rds.amazonaws.com isn't allowed to assume the IAM role arn:aws:iam::1234567890:role/iam_role or the IAM role arn:aws:iam::1234567890:role/iam_role doesn't exist"
To resolve this issue, make sure that the trust relationship in the IAM policy specifies "export.rds.amazonaws.com" instead of "rds.amazonaws.com", as shown in the following example:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "export.rds.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}
```
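The "rds.amazonaws.com" versus "export.rds.amazonaws.com" mix-up is easy to miss by eye in a longer trust policy. The check below, added here as an example and not AWS code, walks a trust policy document and reports whether an Allow statement lets export.rds.amazonaws.com call sts:AssumeRole, names the wrong-principal case from the article explicitly, and also flags a statement that trusts any AWS principal. It handles Principal.Service and Action given either as a string or as a list; the policies at the bottom are the article's example and a constructed copy with the wrong principal.

```python
"""Check an export role's trust policy for the service principal RDS export uses.

Added example for this article, not AWS code. It inspects only the trust
policy document (no AWS API calls); the role ARN in the article is a placeholder.
"""
EXPORT_PRINCIPAL = "export.rds.amazonaws.com"
# The principal the article warns is the wrong one for snapshot export.
WRONG_PRINCIPAL = "rds.amazonaws.com"


def _as_list(value):
    """IAM lets Statement, Action and Service be a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def trust_policy_problems(trust_policy):
    """Return a list of problems; empty means export.rds.amazonaws.com can assume the role."""
    problems = []
    export_allowed = False
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue  # this statement does not grant AssumeRole at all
        principal = stmt.get("Principal")
        # A bare "*" or {"AWS": "*"} trusts every AWS principal.
        if principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))):
            problems.append("a statement lets any AWS principal assume the role")
            continue
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if EXPORT_PRINCIPAL in services:
            export_allowed = True
        elif WRONG_PRINCIPAL in services:
            problems.append(
                f"statement trusts {WRONG_PRINCIPAL}; the export service principal is {EXPORT_PRINCIPAL}"
            )
    if not export_allowed:
        problems.insert(0, f"no Allow statement lets {EXPORT_PRINCIPAL} call sts:AssumeRole")
    return problems


# The article's trust policy.
GOOD_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "export.rds.amazonaws.com"},
        "Action": "sts:AssumeRole",
        "Condition": {},
    }],
}
# Constructed copy with the mistake the article describes.
WRONG_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": ["rds.amazonaws.com"]},
        "Action": ["sts:AssumeRole"],
    }],
}

if __name__ == "__main__":
    print(trust_policy_problems(GOOD_TRUST_POLICY))
    print(trust_policy_problems(WRONG_TRUST_POLICY))
```

Feed it the document returned for the role (for example the trust policy you paste from the IAM console or fetch with the AWS CLI), and an empty list means the principal side of the "isn't allowed to assume the IAM role" error is ruled out; the remaining possibility named in the error, that the role ARN itself does not exist, still has to be checked in IAM.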