I'm trying to restore an encrypted Aurora cluster from a snapshot stored in my backup vault. Here is the CloudFormation template that I use to create it and then to restore it:
Cluster:
  Type: AWS::RDS::DBCluster
  Properties:
    CopyTagsToSnapshot: !If [IsUseDBSnapshot, !Ref "AWS::NoValue", true]
    DBClusterIdentifier: !Join ['-', [!Ref Env, !Ref Project, 'cluster']]
    DBSubnetGroupName: !Ref DBSubnetGroup
    Engine: !Ref Engine
    EngineVersion: !Ref EngineVersion
    KmsKeyId: !Ref KMSKey
    # Create path only: the master credentials come from the snapshot on restore
    MasterUsername: !If [IsUseDBSnapshot, !Ref "AWS::NoValue", !Ref Username]
    ManageMasterUserPassword: !If [IsUseDBSnapshot, !Ref "AWS::NoValue", true]
    # Switch the whole MasterUserSecret object rather than only its KmsKeyId, so the
    # restore branch does not leave an empty MasterUserSecret object behind
    MasterUserSecret: !If
      - IsUseDBSnapshot
      - !Ref "AWS::NoValue"
      - KmsKeyId: !Ref KMSKey
    BackupRetentionPeriod: 1
    PreferredBackupWindow: "01:00-04:00"
    PreferredMaintenanceWindow: "sun:04:00-sun:05:00"
    EnableHttpEndpoint: true
    DBClusterParameterGroupName: !Ref RDSDBClusterParameterGroup
    DeletionProtection: true
    # Restore path only: SnapshotIdentifier is set, encryption is inherited from the snapshot
    SnapshotIdentifier: !If [IsUseDBSnapshot, !Ref DBSnapshotName, !Ref "AWS::NoValue"]
    StorageEncrypted: !If [IsUseDBSnapshot, !Ref "AWS::NoValue", true]
    VpcSecurityGroupIds:
      - !Ref RDSInstanceSG
    StorageType: aurora
    # EnableCloudwatchLogsExports:
    #   - postgresql
    Tags:
      - Key: Name
        Value: !Join ['-', [!Ref Env, !Ref Project, 'cluster']]
      - Key: backup
        Value: daily
  DeletionPolicy: Delete
  UpdateReplacePolicy: Retain
AURORA:
  Type: AWS::RDS::DBInstance
  Properties:
    DBInstanceIdentifier: !Join ['-', [!Ref Env, !Ref Project, 'aurora']]
    AutoMinorVersionUpgrade: false
    Engine: !Ref Engine
    EngineVersion: !Ref EngineVersion
    DBParameterGroupName: !Ref RDSDBParameterGroup
    EnablePerformanceInsights: true
    PerformanceInsightsKMSKeyId: !Ref KMSKey
    PerformanceInsightsRetentionPeriod: !Ref PerformanceInsightsRetentionPeriod
    DBClusterIdentifier: !Ref Cluster
    DBInstanceClass: !Ref DBInstanceClass
    CACertificateIdentifier: !Ref CACertificateIdentifier
    Tags:
      - Key: Name
        Value: !Join ['-', [!Ref Env, !Ref Project, 'aurora']]
      - Key: backup
        Value: daily
  DeletionPolicy: Snapshot
  UpdateReplacePolicy: Snapshot
Every time I run the CloudFormation template, the stack rolls back with this error:
Resource handler returned message: "Access Denied to API Version: APIDataApi (Service: Rds, Status Code: 400, Request ID: ff80cc9f-cd5f-4b0c-bfbb-1cae406a5027)" (RequestToken: 40fbfa19-262d-dde7-7149-dd4668f2c25e, HandlerErrorCode: InvalidRequest)
I tried to trace the request with CloudTrail, but there are no requests with that request ID.
I don't understand what "Access Denied to API Version: APIDataApi" means.
There are no issues if I manually restore using the AWS RDS Console.
Thank you so much.
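Before re-running a stack like the one above, it helps to compare the snapshot in the vault with what the template's restore branch asks for (engine, engine version, encryption key, and the cluster features such as the Data API that `EnableHttpEndpoint` turns on), since CloudFormation surfaces most of these mismatches only as a rollback. The following is an added example, not code from the original post: a small boto3-free check over a `DescribeDBClusterSnapshots` entry. The sample snapshot, the account/region/key identifiers and the `RestoreIntent` parameter values are constructed for illustration; `fetch_snapshot` is an optional helper that pulls the real entry with boto3 when a snapshot identifier or ARN is passed on the command line.

```python
"""Pre-restore consistency check: Aurora cluster snapshot vs. CloudFormation restore intent.
Added example for the question above, not part of the original post."""
import sys
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the subset of a DescribeDBClusterSnapshots entry the check reads,
# shaped like a recovery point that AWS Backup stores in a vault (SnapshotType "awsbackup").
SAMPLE_SNAPSHOT = {
    "DBClusterSnapshotIdentifier": "awsbackup:job-0123abcd-example",
    "DBClusterSnapshotArn": "arn:aws:rds:eu-west-1:111122223333:cluster-snapshot:awsbackup:job-0123abcd-example",
    "SnapshotType": "awsbackup",
    "Status": "available",
    "Engine": "aurora-postgresql",
    "EngineVersion": "15.4",
    "StorageEncrypted": True,
    "KmsKeyId": "arn:aws:kms:eu-west-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
}


@dataclass
class RestoreIntent:
    """Values the template's restore branch would pass (hypothetical parameter values)."""
    engine: str
    engine_version: str
    kms_key_id: Optional[str] = None         # KmsKeyId on the DBCluster
    storage_encrypted: Optional[bool] = None  # None means the property is omitted (AWS::NoValue)
    enable_http_endpoint: bool = False        # EnableHttpEndpoint, i.e. the RDS Data API


def _version_key(version: str) -> tuple:
    """Leading numeric components only: '15.4' -> (15, 4), '8.0.mysql_aurora.3.05.2' -> (8, 0)."""
    parts = []
    for p in version.split("."):
        if not p.isdigit():
            break
        parts.append(int(p))
    return tuple(parts)


def check_restore(snapshot: dict, intent: RestoreIntent):
    """Return (errors, warnings). Errors are conditions RDS will reject outright;
    warnings are things to confirm before launching the stack."""
    errors, warnings = [], []
    if snapshot.get("Status") != "available":
        errors.append(f"snapshot status is {snapshot.get('Status')!r}, not 'available'")
    if snapshot.get("Engine") != intent.engine:
        errors.append(f"engine mismatch: snapshot {snapshot.get('Engine')!r} vs template {intent.engine!r}")
    snap_v = _version_key(snapshot.get("EngineVersion", ""))
    want_v = _version_key(intent.engine_version)
    n = min(len(snap_v), len(want_v))  # compare only the components both sides specify
    if n and want_v[:n] < snap_v[:n]:
        errors.append(f"template EngineVersion {intent.engine_version!r} is lower than the snapshot's "
                      f"{snapshot.get('EngineVersion')!r}; a restore cannot downgrade")
    elif n and want_v[:1] != snap_v[:1]:
        warnings.append("major-version change on restore; confirm the target version is a supported upgrade path")
    if snapshot.get("StorageEncrypted"):
        if intent.storage_encrypted is False:
            errors.append("encrypted snapshot cannot be restored as an unencrypted cluster")
        if intent.kms_key_id and intent.kms_key_id != snapshot.get("KmsKeyId"):
            warnings.append("KmsKeyId differs from the snapshot's key; the restoring principal needs KMS "
                            "permissions on both keys")
    elif intent.kms_key_id:
        warnings.append("unencrypted snapshot will be encrypted with KmsKeyId on restore")
    if intent.enable_http_endpoint:
        warnings.append("EnableHttpEndpoint (Data API) is set; confirm the target engine version and "
                        "cluster type support it before restoring")
    return errors, warnings


def fetch_snapshot(snapshot_id: str, region: Optional[str] = None) -> dict:
    """Fetch the real entry. boto3 is imported lazily so the offline check runs without it."""
    import boto3
    rds = boto3.client("rds", region_name=region)
    resp = rds.describe_db_cluster_snapshots(DBClusterSnapshotIdentifier=snapshot_id, IncludeShared=True)
    return resp["DBClusterSnapshots"][0]


if __name__ == "__main__":
    snap = fetch_snapshot(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_SNAPSHOT
    # Mirrors the template's restore branch: KmsKeyId set, StorageEncrypted omitted, Data API on.
    intent = RestoreIntent("aurora-postgresql", "15.4", snap.get("KmsKeyId"), None, True)
    errors, warnings = check_restore(snap, intent)
    for e in errors:
        print("ERROR:", e)
    for w in warnings:
        print("WARN:", w)
    sys.exit(1 if errors else 0)
```

Run it with no arguments to exercise the constructed sample, or with the snapshot ARN from the backup vault (the same value the `DBSnapshotName` parameter receives) to check the real recovery point. The check deliberately reports the Data API setting as a warning rather than deciding support itself, because that depends on the engine version and cluster type you restore into.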