
I'm trying to export a snapshot from Amazon RDS MySQL to Amazon S3, but I receive an error. Why is this happening?


I'm trying to export a snapshot from an Amazon Relational Database Service (Amazon RDS) MySQL instance to an Amazon Simple Storage Service (Amazon S3) bucket. However, I see an error, or the option isn't available.

Short description

Exporting a DB snapshot from Amazon RDS to Amazon S3 can fail for the following reasons:

  • Incorrectly configured AWS Identity and Access Management (IAM) roles and policies
  • AWS KMS key check failure
  • Export task stuck in the STARTING state
  • Access denied error
  • KMSKeyNotAccessibleFault
  • Table permissions issue
  • IAM role doesn't exist

Resolution

**Note:** If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you're using the most recent version of the AWS CLI.

Incorrectly configured AWS Identity and Access Management (IAM) roles and policies

If your IAM role doesn't have permissions to export snapshots from the Amazon RDS MySQL instance to Amazon S3, then you receive one of the following errors:

An error occurred (IamRoleMissingPermissions) when calling the StartExportTask operation: The IAM Role arn:aws:iam::1234567890:role/service-role/role_name isn't authorized to call s3:GetBucketLocation on the S3 bucket my_bucket_name

-or-

An error occurred (IamRoleMissingPermissions) when calling the StartExportTask operation: The IAM Role arn:aws:iam::1234567890:role/service-role/role_name isn't authorized to call s3:DeleteObject on the S3 bucket my_bucket_name

-or-

An error occurred (IamRoleMissingPermissions) when calling the StartExportTask operation: The IAM Role arn:aws:iam::1234567890:role/service-role/role_name isn't authorized to call s3:PutObject on the S3 bucket my_bucket_name

-or-

An error occurred (IamRoleMissingPermissions) when calling the StartExportTask operation: The IAM Role arn:aws:iam::1234567890:role/service-role/role_name isn't authorized to call s3:ListBucket on the S3 bucket my_bucket_name

-or-

An error occurred (IamRoleMissingPermissions) when calling the StartExportTask operation: The IAM Role arn:aws:iam::1234567890:role/service-role/role_name isn't authorized to call s3:GetObject on the S3 bucket my_bucket_name

To export a snapshot to Amazon S3 successfully, your IAM role must have the appropriate permissions to perform the following five actions:

  • s3:PutObject
  • s3:DeleteObject
  • s3:GetObject
  • s3:ListBucket
  • s3:GetBucketLocation

The following is an example IAM policy (in JSON format) that allows these five actions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ExportPolicy",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject*",
        "s3:ListBucket",
        "s3:GetObject*",
        "s3:DeleteObject*",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::s3_bucket_name",
        "arn:aws:s3:::s3_bucket_name/export/*"
      ]
    }
  ]
}

AWS KMS key check failure

If you disabled or deleted the AWS KMS key while the snapshot was being exported, then you receive the following error:

Error: KMS keys check failed. Please check the credentials on your KMS key and try again.

To resolve this issue, make sure that the AWS KMS key used to export the snapshot exists in the AWS KMS console. The AWS KMS key status must be Enabled.

Export task stuck in the STARTING state

The time it takes to export an Amazon RDS for MySQL DB snapshot to Amazon S3 depends on the size and type of the database. The export task restores and scales the entire database before it extracts the data to Amazon S3. During this phase, your export task shows the STARTING status. When the task starts exporting data to Amazon S3, the status changes to In progress. If the export task succeeds, the status indicates that the task is complete. If there's a problem with the export task process, the status indicates that the task failed.

Access denied error

If your IAM role lacks the required permissions and you're using AWS Lambda together with Amazon API Gateway, then you receive the following error:

An error occurred (AccessDenied) when calling the StartExportTask operation: User: arn:aws:sts::1234567890:assumed-role/user/rds_lambda is not authorized to perform: rds:StartExportTask

To resolve this issue, grant the rds:StartExportTask write permission. The calling identity must be allowed to invoke the StartExportTask action:

"Effect": "Allow",
"Action": "rds:StartExportTask",
"Resource": "*"

If your IAM role doesn't have permission to call the StartExportTask action, then you receive the following error:

An error occurred (AccessDenied) when calling the StartExportTask operation: User: arn:aws:sts::1234567890:assumed-role/user/rds_lambda is not authorized to perform: iam:PassRole on Resource: <iam_role_arn>

To resolve this error, make sure that the user is granted permission to pass the role to the AWS service:

{
    "Effect": "Allow",
    "Action": [
      "iam:GetRole",
      "iam:PassRole"
    ],
    "Resource": "arn:aws:iam::1234567890:role/role_name"
}

KMSKeyNotAccessibleFault

If your AWS KMS key or IAM role can't be accessed by the snapshot export mechanism, then you receive the following error:

An error occurred (KMSKeyNotAccessibleFault) when calling the StartExportTask operation: The specified KMS key <key_id> does not exist, is not enabled or you do not have permissions to access it.

To resolve the KMSKeyNotAccessibleFault error in Amazon RDS, see Setting up access to an Amazon S3 bucket.

To resolve the KMSKeyNotAccessibleFault error in Amazon Aurora, see Using a cross-account AWS KMS key.

Table permissions issue

If you don't have the appropriate permissions to access the tables in Amazon RDS, then you receive the following error message:

Error: PERMISSIONS_DO_NOT_EXIST error stating that (n) tables were skipped

To resolve this issue, run the following command after you connect to the PostgreSQL database:

GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA schema_name TO superuser_name;

IAM role doesn't exist

If the IAM role's trust policy doesn't specify the appropriate trust relationship, then you receive the following error:

Error: The Principal export.rds.amazonaws.com isn't allowed to assume the IAM role arn:aws:iam::1234567890:role/iam_role or the IAM role arn:aws:iam::1234567890:role/iam_role doesn't exist.

To resolve this issue, make sure that the trust relationship in the following IAM policy specifies "export.rds.amazonaws.com" rather than "rds.amazonaws.com":

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "export.rds.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}
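An offline pre-flight check, added here as an example (not part of this article or any AWS tool), that evaluates the S3 permissions policy from the section on IAM roles and policies above and the trust policy just shown before StartExportTask is ever called. It assumes the `export/` key prefix used in the article's policy and models only Allow statements (no Deny, NotAction or Condition blocks), so a pass is necessary for the export to work, not a substitute for IAM's own evaluation.

```python
import fnmatch

EXPORT_PRINCIPAL = "export.rds.amazonaws.com"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _allows(policy, action, resource):
    """Allow-statement match for `action` (case-insensitive, IAM wildcards such as
    s3:PutObject*) on `resource`. Deny/NotAction/Condition are not modelled (assumption)."""
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        if any(fnmatch.fnmatchcase(action.lower(), a) for a in actions) and \
           any(fnmatch.fnmatchcase(resource, r) for r in resources):
            return True
    return False

def missing_s3_permissions(policy, bucket, prefix="export"):
    """S3 actions StartExportTask needs that `policy` does not allow on the ARN each is
    evaluated against: bucket ARN for List/GetBucketLocation, object key for the rest."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    object_arn = f"{bucket_arn}/{prefix}/part-00000.parquet"  # representative key
    needed = {"s3:ListBucket": bucket_arn, "s3:GetBucketLocation": bucket_arn,
              "s3:PutObject": object_arn, "s3:GetObject": object_arn,
              "s3:DeleteObject": object_arn}
    return sorted(a for a, arn in needed.items() if not _allows(policy, a, arn))

def trust_policy_problem(trust_policy):
    """None if export.rds.amazonaws.com may call sts:AssumeRole on the role, else why not."""
    for stmt in _as_list(trust_policy["Statement"]):
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if stmt.get("Effect") == "Allow" and EXPORT_PRINCIPAL in services and \
           any(fnmatch.fnmatchcase("sts:assumerole", a) for a in actions):
            return None
    return f"{EXPORT_PRINCIPAL} is not allowed to sts:AssumeRole on this role"

# Constructed samples mirroring the article's policies; BAD_TRUST trusts rds.amazonaws.com.
EXPORT_POLICY = {"Version": "2012-10-17", "Statement": [{"Sid": "ExportPolicy",
    "Effect": "Allow", "Action": ["s3:PutObject*", "s3:ListBucket", "s3:GetObject*",
    "s3:DeleteObject*", "s3:GetBucketLocation"],
    "Resource": ["arn:aws:s3:::s3_bucket_name", "arn:aws:s3:::s3_bucket_name/export/*"]}]}
GOOD_TRUST = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": {"Service": EXPORT_PRINCIPAL}, "Action": "sts:AssumeRole"}]}
BAD_TRUST = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": {"Service": "rds.amazonaws.com"}, "Action": "sts:AssumeRole"}]}
```

Running `missing_s3_permissions(EXPORT_POLICY, "s3_bucket_name", prefix="backups")` shows why an export to a prefix other than `export/` fails with the IamRoleMissingPermissions errors quoted above: the object-level actions no longer match the policy's Resource ARN.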

AWS OFFICIAL, updated 2 years ago