Why do I receive an error when I try to export a snapshot to Amazon S3 from Amazon RDS for MySQL?
When I export a snapshot to my Amazon Simple Storage Service (Amazon S3) bucket from my Amazon Relational Database Service (Amazon RDS) for MySQL instance, I see an error or the option is unavailable.
Short description
Exporting DB snapshot data to Amazon S3 for Amazon RDS can fail for the following reasons:
- AWS Identity and Access Management (IAM) role and policy misconfiguration
- AWS Key Management Service (AWS KMS) key check failure
- Export task stuck in "STARTING"
- Access Denied error
- KMSKeyNotAccessibleFault
- Permission issues on table
- IAM role doesn't exist
Resolution
Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.
IAM role and policy misconfiguration
If your IAM role doesn't have permissions to export a snapshot from your Amazon RDS for MySQL instance to Amazon S3, then you receive the following errors:
"An error occurred (IamRoleMissingPermissions) when calling the StartExportTask operation: The IAM Role arn:aws:iam::1234567890:role/service-role/role_name isn't authorized to call s3:GetBucketLocation on the S3 bucket my_bucket_name" OR "An error occurred (IamRoleMissingPermissions) when calling the StartExportTask operation: The IAM Role arn:aws:iam::1234567890:role/service-role/role_name isn't authorized to call s3:DeleteObject on the S3 bucket my_bucket_name" OR "An error occurred (IamRoleMissingPermissions) when calling the StartExportTask operation: The IAM Role arn:aws:iam::1234567890:role/service-role/role_name isn't authorized to call s3:PutObject on the S3 bucket my_bucket_name" OR "An error occurred (IamRoleMissingPermissions) when calling the StartExportTask operation: The IAM Role arn:aws:iam::1234567890:role/service-role/role_name isn't authorized to call s3:ListBucket on the S3 bucket my_bucket_name" OR "An error occurred (IamRoleMissingPermissions) when calling the StartExportTask operation: The IAM Role arn:aws:iam::1234567890:role/service-role/role_name isn't authorized to call s3:GetObject on the S3 bucket my_bucket_name."
To export a snapshot to Amazon S3, your IAM role must have permissions for the following actions:
- s3:PutObject
- s3:DeleteObject
- s3:GetObject
- s3:ListBucket
- s3:GetBucketLocation
The following is an IAM policy example that allows these actions:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "ExportPolicy", "Effect": "Allow", "Action": [ "s3:PutObject*", "s3:ListBucket", "s3:GetObject*", "s3:DeleteObject*", "s3:GetBucketLocation" ], "Resource": [ "arn:aws:s3:::s3_bucket_name", "arn:aws:s3:::s3_bucket_name/export/*" ] } ] }
AWS KMS key check failure
If your AWS KMS key was deactivated or deleted while you were exporting a snapshot, then you receive the following error: "KMS keys check failed. Please check the credentials on your KMS key and try again."
To resolve this issue, make sure that the AWS KMS key used to export snapshots exists in the AWS KMS console. The AWS KMS key status must indicate "Enabled".
Export task is stuck in "STARTING" status
The time your Amazon RDS for MySQL DB snapshot takes to export to Amazon S3 depends on the database size and type. The export task restores and scales the entire database before extracting the data to Amazon S3. During this stage, your export task displays the "STARTING" status. When your task exports the data to Amazon S3, the status changes to "In progress". If your export task is successful, then the status indicates that the task is complete. If there are issues with your export task process, then the status indicates that the task failed.
If your IAM role is missing the required permissions and you're using AWS Lambda with Amazon API Gateway, then you receive the following error:
"An error occurred (AccessDenied) when calling the StartExportTask operation: User: arn:aws:sts::1234567890:assumed-role/user/rds_lambda is not authorized to perform: rds:StartExportTask"
To resolve this issue, allow Write access to rds:StartExportTask. You must have access to the StartExportTask action:
"Effect": "Allow", "Action": "rds:StartExportTask", "Resource": "*"
If your IAM role doesn't have permission to call the StartExportTask operation, then you receive the following error:
"An error occurred (AccessDenied) when calling the StartExportTask operation: User: arn:aws:sts::1234567890:assumed-role/user/rds_lambda is not authorized to perform: iam:PassRole on Resource ,iam role arn."
To resolve this error, grant user permissions to pass a role to an AWS service:
{ "Effect": "Allow", "Action": [ "iam:GetRole", "iam:PassRole" ], "Resource": "arn:aws:iam::1234567890:role/role_name" }
KMSKeyNotAccessibleFault
If your AWS KMS key or IAM role isn't accessible from snapshot export mechanism, then you receive the following error:
"An error occurred (KMSKeyNotAccessibleFault) when calling the StartExportTask operation: The specified KMS key <key_id> does not exist, is not enabled or you do not have permissions to access it."
To resolve the KMSKeyNotAccessibleFault error in Amazon RDS, see Setting up access to an Amazon S3 bucket.
To resolve the KMSKeyNotAccessibleFault error in Amazon Aurora, see Using a cross-account AWS KMS key.
Permission issues on table
If you don't have permissions to access a table in Amazon RDS, then you receive the following error:
"PERMISSIONS_DO_NOT_EXIST error stating that (n) tables were skipped"
To resolve this issue, run the following command after connecting to a PostgreSQL database:
GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA schema_name TO superuser_name;
IAM role doesn't exist
If the proper trust relationship isn't specified in your IAM role's trust policy, then you receive the following error:
"The Principal export.rds.amazonaws.com isn't allowed to assume the IAM role arn:aws:iam::1234567890:role/iam_role or the IAM role arn:aws:iam::1234567890:role/iam_role doesn't exist."
To resolve this issue, make sure that the trust relationship specifies "export.rds.amazonaws.com" instead of "rds.amazonaws.com" in your IAM policy like the following example:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "export.rds.amazonaws.com" }, "Action": "sts:AssumeRole", "Condition": {} } ] }
Relevanter Inhalt
- AWS OFFICIALAktualisiert vor 3 Jahren
- AWS OFFICIALAktualisiert vor 3 Jahren
- AWS OFFICIALAktualisiert vor 3 Jahren
- Warum dauert es so lange, einen Snapshot meiner Amazon RDS für MySQL-DB-Instance wiederherzustellen?AWS OFFICIALAktualisiert vor 3 Jahren