When creating an IAM role for a Lambda function to copy RDS snapshots, you won't find individual permissions like rds:DescribeDBSnapshots directly in the visual permission selector. Instead, you need to use AWS managed policies or create a custom policy.
Here's how to add these permissions:
- In the "Create role" workflow, after selecting Lambda as the trusted entity, you have a few options:
  - Search for and add the "AmazonRDSFullAccess" managed policy (this grants more permissions than needed)
  - Or click on "Create policy" to define a custom policy with just the permissions you need
- If creating a custom policy, choose the JSON editor and add a policy like:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "rds:DescribeDBSnapshots",
                    "rds:CopyDBSnapshot",
                    "rds:DeleteDBSnapshot"
                ],
                "Resource": "*"
            }
        ]
    }
- For cross-region snapshot copying, you'll also need the rds:CrossRegionCommunication permission, which is included in the service-linked IAM role that RDS uses.
After creating the custom policy, you can attach it to your Lambda role. This approach gives your Lambda function the precise permissions needed to manage RDS snapshots without granting excessive access.
Sources
- Copying a DB snapshot for Amazon RDS - Amazon Relational Database Service
- AWSSupport-ShareRDSSnapshot - AWS Systems Manager Automation runbook reference
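To show what a Lambda function actually does with the three actions in the custom policy above, here is an added example handler (my own code, not from the answer or from AWS): it uses DescribeDBSnapshots to find the newest automated snapshot of an instance, CopyDBSnapshot to copy it to a second region, and DeleteDBSnapshot to prune copies older than a retention count. The environment variable names, the `xregion-` naming prefix and the idempotency logic are my assumptions; the boto3 call signatures are the real ones.

```python
"""Added example (not the answer's code): cross-region RDS snapshot copy with pruning.

Exercises exactly rds:DescribeDBSnapshots, rds:CopyDBSnapshot and rds:DeleteDBSnapshot.
Environment variable names, COPY_PREFIX and the retention scheme are assumptions.
"""
import os
import re
from datetime import datetime, timezone

try:
    import boto3  # present in the Lambda runtime; optional so the logic can be exercised offline
except ImportError:
    boto3 = None

COPY_PREFIX = "xregion-"  # assumed naming prefix that marks copies made by this function


def list_snapshots(rds, **filters):
    """Collect every page of DescribeDBSnapshots by following Marker (rds:DescribeDBSnapshots)."""
    out, marker = [], None
    while True:
        kwargs = dict(filters, Marker=marker) if marker else dict(filters)
        resp = rds.describe_db_snapshots(**kwargs)
        out.extend(resp.get("DBSnapshots", []))
        marker = resp.get("Marker")
        if not marker:
            return out


def copy_identifier(db_instance_id, created):
    """Automated ids ('rds:mydb-2024-05-01-03-10') cannot be reused for a manual snapshot, so
    derive a valid one: letters, digits and single hyphens, starting with a letter, no trailing hyphen."""
    raw = f"{COPY_PREFIX}{db_instance_id}-{created.strftime('%Y%m%d-%H%M')}"
    ident = re.sub(r"-{2,}", "-", re.sub(r"[^A-Za-z0-9-]", "-", raw)).strip("-")
    return ident[:255]


def newest_available_snapshot(rds, db_instance_id):
    """Newest automated snapshot in 'available' state for the instance, or None."""
    snaps = list_snapshots(rds, DBInstanceIdentifier=db_instance_id, SnapshotType="automated")
    ready = [s for s in snaps if s.get("Status") == "available"]
    return max(ready, key=lambda s: s["SnapshotCreateTime"]) if ready else None


def copy_to_region(target_rds, snapshot, source_region, target_id, kms_key_id=None):
    """Cross-region copy is issued to the *target* region's client with the source ARN;
    SourceRegion makes boto3 pre-sign the request (rds:CopyDBSnapshot)."""
    params = dict(SourceDBSnapshotIdentifier=snapshot["DBSnapshotArn"],
                  TargetDBSnapshotIdentifier=target_id, SourceRegion=source_region, CopyTags=True)
    if kms_key_id:
        params["KmsKeyId"] = kms_key_id  # a key in the target region is mandatory for encrypted sources
    return target_rds.copy_db_snapshot(**params)["DBSnapshot"]["DBSnapshotIdentifier"]


def prune_copies(target_rds, db_instance_id, keep):
    """Delete this function's own older copies beyond `keep` (rds:DeleteDBSnapshot); returns ids deleted."""
    prefix = f"{COPY_PREFIX}{db_instance_id}-"
    now = datetime.now(timezone.utc)
    ours = [s for s in list_snapshots(target_rds, SnapshotType="manual")
            if s["DBSnapshotIdentifier"].startswith(prefix)]
    # a copy still in progress may carry no SnapshotCreateTime yet; treat it as the newest
    ours.sort(key=lambda s: s.get("SnapshotCreateTime") or now, reverse=True)
    deleted = []
    for s in ours[keep:]:
        if s.get("Status") == "available":  # never delete a copy that is still being created
            target_rds.delete_db_snapshot(DBSnapshotIdentifier=s["DBSnapshotIdentifier"])
            deleted.append(s["DBSnapshotIdentifier"])
    return deleted


def run(source_rds, target_rds, db_instance_id, source_region, keep, kms_key_id=None):
    """One pass: copy the newest automated snapshot unless it already exists in the target, then prune."""
    snap = newest_available_snapshot(source_rds, db_instance_id)
    if snap is None:
        return {"copied": None, "deleted": []}
    target_id = copy_identifier(db_instance_id, snap["SnapshotCreateTime"])
    present = {s["DBSnapshotIdentifier"] for s in list_snapshots(target_rds, SnapshotType="manual")}
    if target_id in present:
        copied = None  # idempotent: a re-run after the copy exists does not copy again
    else:
        copied = copy_to_region(target_rds, snap, source_region, target_id, kms_key_id)
    return {"copied": copied, "deleted": prune_copies(target_rds, db_instance_id, keep)}


def lambda_handler(event, context):
    """Lambda entry point; configuration comes from environment variables (assumed names)."""
    src, dst = os.environ["SOURCE_REGION"], os.environ["TARGET_REGION"]
    return run(boto3.client("rds", region_name=src), boto3.client("rds", region_name=dst),
               os.environ["DB_INSTANCE_ID"], src, int(os.environ.get("KEEP_COPIES", "7")),
               os.environ.get("TARGET_KMS_KEY_ID"))
```

Two points worth checking against the policy when you deploy something like this: the copy call is made against the target region, so a policy scoped by region must allow rds:CopyDBSnapshot there, and if the source snapshot is encrypted the role must also be allowed to use the target-region KMS key named in KmsKeyId, which the RDS actions alone do not grant.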
Regarding:
"For cross-region snapshot copying, you'll also need the rds:CrossRegionCommunication permission, which is included in the service-linked IAM role that RDS uses."
I added that permission to the list of permissions in "Actions":

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "rds:DescribeDBSnapshots",
                    "rds:CopyDBSnapshot",
                    "rds:DeleteDBSnapshot",
                    "rds:CrossRegionCommunication"
                ],
                "Resource": [
                    "*"
                ]
            }
        ]
    }