CloudFormation Restore Aurora Postgres From Snapshot Access Denied APIDataApi

1

I'm trying to restore an encrypted Aurora cluster from a snapshot stored in my backup vault. Here is the CloudFormation template that I use to create it and then to restore it:

  Cluster:
    Type: AWS::RDS::DBCluster
    Properties:
      CopyTagsToSnapshot: !If [IsUseDBSnapshot, !Ref "AWS::NoValue",true]
      DBClusterIdentifier: !Join ['-', [!Ref Env, !Ref Project, 'cluster']]
      DBSubnetGroupName: !Ref DBSubnetGroup
      Engine: !Ref Engine
      EngineVersion: !Ref EngineVersion
      KmsKeyId: !Ref KMSKey
      MasterUsername: !If [IsUseDBSnapshot, !Ref "AWS::NoValue",!Ref Username]
      ManageMasterUserPassword: !If [IsUseDBSnapshot, !Ref "AWS::NoValue",true]
      MasterUserSecret:
        KmsKeyId: !If [IsUseDBSnapshot, !Ref "AWS::NoValue",!Ref KMSKey]
      BackupRetentionPeriod: 1
      PreferredBackupWindow: "01:00-04:00"
      PreferredMaintenanceWindow: "sun:04:00-sun:05:00"
      EnableHttpEndpoint: true 
      DBClusterParameterGroupName: !Ref RDSDBClusterParameterGroup
      DeletionProtection: true
      SnapshotIdentifier: !If [IsUseDBSnapshot, !Ref DBSnapshotName, !Ref "AWS::NoValue"]
      StorageEncrypted:  !If [IsUseDBSnapshot, !Ref "AWS::NoValue", true]
      VpcSecurityGroupIds: 
        - !Ref RDSInstanceSG
      StorageType: aurora
      # EnableCloudwatchLogsExports:
      #   - postgresql
      Tags:
        - Key: Name
          Value: !Join ['-', [!Ref Env, !Ref Project, 'cluster']]
        - Key: backup
          Value: daily
    DeletionPolicy: Delete
    UpdateReplacePolicy: Retain

  AURORA:
    Type: 'AWS::RDS::DBInstance'
    Properties:
      DBInstanceIdentifier: !Join ['-', [!Ref Env, !Ref Project, 'aurora']]
      AutoMinorVersionUpgrade: false
      Engine: !Ref Engine
      EngineVersion: !Ref EngineVersion
      DBParameterGroupName: !Ref RDSDBParameterGroup
      EnablePerformanceInsights: true
      PerformanceInsightsKMSKeyId: !Ref KMSKey
      PerformanceInsightsRetentionPeriod: !Ref PerformanceInsightsRetentionPeriod
      DBClusterIdentifier: !Ref Cluster
      DBInstanceClass: !Ref DBInstanceClass 
      CACertificateIdentifier: !Ref CACertificateIdentifier
      Tags:
        - Key: Name
          Value: !Join ['-', [!Ref Env, !Ref Project, 'aurora']]       
        - Key: backup
          Value: daily
    DeletionPolicy: "Snapshot"
    UpdateReplacePolicy: "Snapshot"

Every time I run the CloudFormation template, the stack rolls back with this error:

Resource handler returned message: "Access Denied to API Version: APIDataApi (Service: Rds, Status Code: 400, Request ID: ff80cc9f-cd5f-4b0c-bfbb-1cae406a5027)" (RequestToken: 40fbfa19-262d-dde7-7149-dd4668f2c25e, HandlerErrorCode: InvalidRequest)

I tried to trace the request with CloudTrail, but there are no requests with data id. I don't understand what "Access Denied to API Version: APIDataApi" means.

There are no issues if I restore manually using the AWS RDS Console.

2 Answers
1
Accepted Answer

Hello.

I thought it was related to enabling Aurora Serverless's DataAPI with "EnableHttpEndpoint: true".
Please try commenting out this setting and then restoring it.

EXPERT
answered a year ago
1

The error can also appear if the HTTP Data API is not (yet) available in your target region, especially for the new Serverless v2.

See https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Concepts.Aurora_Fea_Regions_DB-eng.Feature.Data_API.html#Concepts.Aurora_Fea_Regions_DB-eng.Feature.Data_API.apg

answered a year ago
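Added example, not part of the original question or either answer: a template fragment that applies both answers without hand-editing the template for each restore, by making `EnableHttpEndpoint` conditional in the same way the asker already handles the other create-only properties. It assumes the Data API setting is what the restore rejects, as the accepted answer suggests; the `EnableDataApi` parameter and the `UseDataApi` condition are hypothetical names introduced here.

```yaml
Parameters:
  # Hypothetical parameter (not in the original template): set to "false" when
  # deploying to a region where the Data API is not offered for your engine.
  EnableDataApi:
    Type: String
    AllowedValues: ["true", "false"]
    Default: "true"

Conditions:
  # IsUseDBSnapshot is the asker's existing condition. Its definition is not
  # shown on the page and is assumed to be declared in this same section.
  # Hypothetical new condition: request the Data API only on a fresh create,
  # and only where the operator has asked for it.
  UseDataApi: !And
    - !Not [!Condition IsUseDBSnapshot]
    - !Equals [!Ref EnableDataApi, "true"]

Resources:
  Cluster:
    Type: AWS::RDS::DBCluster
    Properties:
      SnapshotIdentifier: !If [IsUseDBSnapshot, !Ref DBSnapshotName, !Ref "AWS::NoValue"]
      # Before: EnableHttpEndpoint: true   (sent on every create, restores included)
      # After: the property is omitted entirely unless UseDataApi holds.
      EnableHttpEndpoint: !If [UseDataApi, true, !Ref "AWS::NoValue"]
      # All other properties stay as in the template in the question.
```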
