Clouformation Restore Aurora Postgres From Snapshot Access Denied APIDataApi


I 'm tryng to restore an encrypted aurora cluster from a snapshot stored in my backup vault . Here my cloudformation template that i use to create and then to restore it

Cluster: Type: AWS::RDS::DBCluster Properties: CopyTagsToSnapshot: !If [IsUseDBSnapshot, !Ref "AWS::NoValue",true] DBClusterIdentifier: !Join ['-', [!Ref Env, !Ref Project, 'cluster']] DBSubnetGroupName: !Ref DBSubnetGroup Engine: !Ref Engine EngineVersion: !Ref EngineVersion KmsKeyId: !Ref KMSKey MasterUsername: !If [IsUseDBSnapshot, !Ref "AWS::NoValue",!Ref Username] ManageMasterUserPassword: !If [IsUseDBSnapshot, !Ref "AWS::NoValue",true] MasterUserSecret: KmsKeyId: !If [IsUseDBSnapshot, !Ref "AWS::NoValue",!Ref KMSKey] BackupRetentionPeriod: 1 PreferredBackupWindow: "01:00-04:00" PreferredMaintenanceWindow: "sun:04:00-sun:05:00" EnableHttpEndpoint: true DBClusterParameterGroupName: !Ref RDSDBClusterParameterGroup DeletionProtection: true SnapshotIdentifier: !If [IsUseDBSnapshot, !Ref DBSnapshotName, !Ref "AWS::NoValue"] StorageEncrypted: !If [IsUseDBSnapshot, !Ref "AWS::NoValue", true] VpcSecurityGroupIds: - !Ref RDSInstanceSG StorageType: aurora # EnableCloudwatchLogsExports: # - postgresql Tags: - Key: Name Value: !Join ['-', [!Ref Env, !Ref Project, 'cluster']] - Key: backup Value: daily DeletionPolicy: Delete UpdateReplacePolicy: Retain

AURORA: Type: 'AWS::RDS::DBInstance' Properties: DBInstanceIdentifier: !Join ['-', [!Ref Env, !Ref Project, 'aurora']] AutoMinorVersionUpgrade: false Engine: !Ref Engine EngineVersion: !Ref EngineVersion DBParameterGroupName: !Ref RDSDBParameterGroup EnablePerformanceInsights: true PerformanceInsightsKMSKeyId: !Ref KMSKey PerformanceInsightsRetentionPeriod: !Ref PerformanceInsightsRetentionPeriod DBClusterIdentifier: !Ref Cluster DBInstanceClass: !Ref DBInstanceClass CACertificateIdentifier: !Ref CACertificateIdentifier Tags: - Key: Name Value: !Join ['-', [!Ref Env, !Ref Project, 'aurora']]
- Key: backup Value: daily DeletionPolicy: "Snapshot" UpdateReplacePolicy: "Snapshot"

Every time i run the cloudformation template stack rollback with error:

Resource handler returned message: "Access Denied to API Version: APIDataApi (Service: Rds, Status Code: 400, Request ID: ff80cc9f-cd5f-4b0c-bfbb-1cae406a5027)" (RequestToken: 40fbfa19-262d-dde7-7149-dd4668f2c25e, HandlerErrorCode: InvalidRequest)

I tried to trace request with cloudtrail but there are no requests with data id. I don't understand what means Access Denied to API Version: APIDataApi

No issues if i manually restore using aws RDS Console

2 Answers
Accepted Answer


I thought it was related to enabling Aurora Serverless's DataAPI with "EnableHttpEndpoint: true".
Please try commenting out this setting and then restoring it.

profile picture
answered 2 months ago

The error can also appear if the HTTP Data API is not (yet) available in your target-region. Especially for the new serverless v2.


profile picture
answered 2 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions