I'm trying to export a snapshot from Amazon RDS MySQL to Amazon S3, but I'm receiving an error. Why is this happening?

5 分的閱讀內容
0

I'm trying to export a snapshot to my Amazon Simple Storage Service (Amazon S3) bucket from my Amazon Relational Database Service (Amazon RDS) MySQL instance. However, I'm seeing an error or the option is unavailable.

Short description

Exporting a DB snapshot from Amazon RDS to Amazon S3 can fail for the following reasons:

  • AWS Identity Access Management (IAM) role and policy misconfiguration
  • AWS KMS key check failure
  • Export task is stuck in "STARTING"
  • Access Denied error
  • KMSKeyNotAccessibleFault
  • Permission issues on table
  • IAM role doesn't exist

Resolution

Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent AWS CLI version.

AWS Identity Access Management (IAM) role and policy misconfiguration

If your IAM role doesn't have permissions to export a snapshot from your Amazon RDS MySQL instance to Amazon S3, you receive the following errors:

An error occurred (IamRoleMissingPermissions) when calling the StartExportTask operation: The IAM Role arn:aws:iam::1234567890:role/service-role/role_name isn't authorized to call s3:GetBucketLocation on the S3 bucket my_bucket_name OR
An error occurred (IamRoleMissingPermissions) when calling the StartExportTask operation: The IAM Role arn:aws:iam::1234567890:role/service-role/role_name isn't authorized to call s3:DeleteObject on the S3 bucket my_bucket_name OR
An error occurred (IamRoleMissingPermissions) when calling the StartExportTask operation: The IAM Role arn:aws:iam::1234567890:role/service-role/role_name isn't authorized to call s3:PutObject on the S3 bucket my_bucket_name OR
An error occurred (IamRoleMissingPermissions) when calling the StartExportTask operation: The IAM Role arn:aws:iam::1234567890:role/service-role/role_name isn't authorized to call s3:ListBucket on the S3 bucket my_bucket_name OR
An error occurred (IamRoleMissingPermissions) when calling the StartExportTask operation: The IAM Role arn:aws:iam::1234567890:role/service-role/role_name isn't authorized to call s3:GetObject on the S3 bucket my_bucket_name.

To successfully export a snapshot to Amazon S3, your IAM role must have proper permissions for these five actions:

  • s3:PutObject
  • s3:DeleteObject
  • s3:GetObject
  • s3:ListBucket
  • s3:GetBucketLocation

Here's an example IAM policy (in JSON format) that allows these five actions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ExportPolicy",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject*",
        "s3:ListBucket",
        "s3:GetObject*",
        "s3:DeleteObject*",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::s3_bucket_name",
        "arn:aws:s3:::s3_bucket_name/export/*"
      ]
    }
  ]
}

AWS KMS key check failure

If your AWS KMS key was deactivated or deleted while you were exporting a snapshot, you receive the following error:

Error: KMS keys check failed. Please check the credentials on your KMS key and try again.

To resolve this issue, make sure that the AWS KMS key used for exporting snapshots exists in the AWS KMS console. The AWS KMS key status must indicate "Enabled".

Export task is stuck in "STARTING" status

The time that it takes to export your Amazon RDS for MySQL DB snapshot to Amazon S3 depends upon both the database size and type. The export task restores and scales the entire database before extracting the data to Amazon S3. During this stage, your export task displays the "STARTING" status. When your task begins to export the data to Amazon S3, the status changes to "In progress". If your export task is successful, the status indicates that the task is complete. If there are issues with your export task process, then the status indicates that the task failed.

If your IAM role is missing the required permissions and you're using AWS Lambda with Amazon API Gateway, you receive the following error:

An error occurred (AccessDenied) when calling the StartExportTask operation: User: arn:aws:sts::1234567890:assumed-role/user/rds_lambda is not authorized to perform: rds:StartExportTask

To resolve this issue, allow Write access to rds:StartExportTask. However, you must have access to the StartExportTask action:

"Effect": "Allow",
"Action": "rds:StartExportTask",
"Resource": "*"

If your IAM role doesn't have permission to call the StartExportTask operation, then you receive the following error:

An error occurred (AccessDenied) when calling the StartExportTask operation: User: arn:aws:sts::1234567890:assumed-role/user/rds_lambda is not authorized to perform: iam:PassRole on Resource ,iam role arn.

To resolve this error, make sure to grant user permissions to pass a role to an AWS service:

{
    "Effect": "Allow",
    "Action": [
      "iam:GetRole",
      "iam:PassRole"
    ],
    "Resource": "arn:aws:iam::1234567890:role/role_name"
}

KMSKeyNotAccessibleFault

If your AWS KMS key or IAM role aren’t accessible from snapshot export mechanism, you receive the following error:

An error occurred (KMSKeyNotAccessibleFault) when calling the StartExportTask operation: The specified KMS key <key_id> does not exist, is not enabled or you do not have permissions to access it.

To resolve the KMSKeyNotAccessibleFault error in Amazon RDS, see Setting up access to an Amazon S3 bucket.

To resolve the KMSKeyNotAccessibleFault error in Amazon Aurora, see Using a cross-account AWS KMS key.

Permission issues on table

If you don't have proper permissions to access a table in Amazon RDS, you receive the following error:

Error: PERMISSIONS_DO_NOT_EXIST error stating that (n) tables were skipped

To resolve this issue, run the following command after connecting to a PostgreSQL database:

GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA schema_name TO superuser_name;

IAM role doesn't exist

If the proper trust relationship isn't specified in your IAM role's trust policy, then you receive the following error:

Error: The Principal export.rds.amazonaws.com isn't allowed to assume the IAM role arn:aws:iam::1234567890:role/iam_role or the IAM role arn:aws:iam::1234567890:role/iam_role doesn't exist.

To resolve this issue, make sure that the trust relationship specifies "export.rds.amazonaws.com" instead of "rds.amazonaws.com" in your IAM policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "export.rds.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}

AWS 官方
AWS 官方已更新 2 年前