Nirbhay Singh

Reputation: 409

Encrypted RDS copy failure across region in AWS CLI

I have a script that copies unencrypted and encrypted snapshots across regions. The script works fine for the unencrypted snapshot copy, but for some reason the encrypted copy fails with this error:

An error occurred (InvalidParameterValue) when calling the CopyDBSnapshot operation: PreSignedUrl could not be authenticated.

Here is the code that I am using to copy encrypted snapshots:

aws rds copy-db-snapshot \
--source-db-snapshot-identifier "$source_identifier" \
--target-db-snapshot-identifier "${target_identifier}" \
--kms-key-id "$Enc_Key_ID" \
--region "$target_region" \
--source-region "$source_region" \
--tags Key="owner",Value="RDS Copy Job"

All variables passed here (except for the encryption key) work fine with the unencrypted copy across regions.

I wonder what is going wrong. Any help or suggestion would be a great help for me.

Update:

aws rds copy-db-snapshot \
--source-db-snapshot-identifier arn:aws:rds:us-west-1:717934610271:snapshot:rds:rds-snapshot-name-dev-2017-12-22-08-08 \
--target-db-snapshot-identifier test-rds-snapshotname \
--kms-key-id XXXXXX-XXXXXX-XXXXXX-XXXXXX \
--region us-east-1 \
--source-region us-west-1 \
--tags Key="owner",Value="RDS Copy Job"

Above is the full command that is used to copy. I am using the ARN to copy.

Upvotes: 4

Views: 3389

Answers (3)

Ramratan Gupta

Reputation: 1086

The script below worked for me. The idea is that if the default KMS key has not been created in the target AWS region, then use the KMS alias alias/aws/rds; it will create the new KMS key ID.

#!/bin/bash
# Copy the newest RDS snapshot from the source region to the destination region,
# encrypting the copy with the destination region's default RDS KMS key.
set -euo pipefail

if [[ -z ${1-} ]]; then
    echo "please input source region from which to copy"
    exit 1
fi
if [[ -z ${2-} ]]; then
    echo "please input destination region"
    exit 1
fi
REGION_SOURCE=$1
REGION_DESTINATION=$2

# ARN of the most recent snapshot in the source region (a cross-region copy needs the ARN)
RDS_DBSnapshotIdentifier=$(/usr/bin/aws rds describe-db-snapshots --region "$REGION_SOURCE" \
    --query "reverse(sort_by(DBSnapshots, &SnapshotCreateTime))[0]" | /usr/bin/jq -r '.DBSnapshotArn')
echo "Copying RDS from $REGION_SOURCE to $REGION_DESTINATION"
TODAY_DATE=$(/bin/date +"%Y-%m-%d-%H-%M-%S")

# Look up the key behind alias/aws/rds in the destination region. The predefined alias is
# listed even before the AWS managed key exists; TargetKeyId is then absent (null) and the
# alias itself is passed instead, so RDS creates the key on first use.
KMS_KEY_ID=$(/usr/bin/aws kms list-aliases --region "$REGION_DESTINATION" \
    | /usr/bin/jq -r '.Aliases[] | select(.AliasName == "alias/aws/rds") | .TargetKeyId')
if [[ -z $KMS_KEY_ID || $KMS_KEY_ID == null ]]; then
   KMS_KEY_ID="alias/aws/rds"
fi

/usr/bin/aws rds copy-db-snapshot --kms-key-id "$KMS_KEY_ID" \
    --source-db-snapshot-identifier "$RDS_DBSnapshotIdentifier" \
    --target-db-snapshot-identifier "RDS-COPY-${TODAY_DATE}-from-${REGION_SOURCE}-to-${REGION_DESTINATION}" \
    --region "$REGION_DESTINATION" --source-region "$REGION_SOURCE"

Upvotes: 2

vivekyad4v

Reputation: 14893

I found out that the --source-region parameter is necessary when you copy encrypted snapshots. Here is the working CLI command:

# Destination region; the KMS key named below must exist in this region.
export AWS_DEFAULT_REGION=ap-south-1
source_snapshot_arn="arn:aws:rds:ap-southeast-1:3621xxxx334:snapshot:v2db-snapshot-1"
dest_snapshot_id="v2db-snapshot-1"

aws rds copy-db-snapshot \
  --kms-key-id db-prod-kms \
  --source-region ap-southeast-1 \
  --source-db-snapshot-identifier "$source_snapshot_arn" \
  --target-db-snapshot-identifier "$dest_snapshot_id"

Working KMS key policy:

{
    "Version": "2012-10-17",
    "Id": "key-consolepolicy-3",
    "Statement": [
        {
            "Sid": "Allow backup to use key",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::3621xxxx8334:user/backup"
            },
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey",
                "kms:CreateGrant",
                "kms:Create*",
                "kms:Describe*",
                "kms:List*",
                "kms:Get*",
                "kms:ImportKeyMaterial",
                "kms:TagResource",
                "kms:UntagResource"
            ],
            "Resource": "*"
        }
    ]
}

Upvotes: 1
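An added example, not part of the answer above: the posted policy works, but it also hands the backup user key-administration rights (kms:Create*, kms:ImportKeyMaterial, kms:TagResource, kms:Get*) that a snapshot copy never exercises. The function below emits a key policy for the destination-region key that keeps administration with the account root and limits the copying principal to the data-key operations RDS performs on the key, allowing kms:CreateGrant only for grants created on behalf of an AWS service; install_key_policy pushes it with `aws kms put-key-policy`. The account ID, the principal ARN and the function and policy names are placeholders chosen for this example.

```shell
#!/usr/bin/env bash
# Added example (not the answer's own policy): a least-privilege key policy for the
# destination-region KMS key used by cross-region copies of encrypted RDS snapshots.
# Account ID, principal ARN and names are placeholders for this example.
set -eu

# least_privilege_key_policy ACCOUNT_ID PRINCIPAL_ARN -> prints the policy document.
# The copying principal gets only the data-key operations RDS uses on the key; grants
# are allowed only when created for an AWS resource (the condition RDS satisfies).
least_privilege_key_policy() {
    account_id="$1"; principal_arn="$2"
    cat <<EOF
{
  "Version": "2012-10-17",
  "Id": "rds-snapshot-copy-key-policy",
  "Statement": [
    {
      "Sid": "Key administration stays with the account root",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::${account_id}:root" },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow the backup principal to use the key for RDS snapshot copies",
      "Effect": "Allow",
      "Principal": { "AWS": "${principal_arn}" },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow grants only when created on behalf of an AWS service",
      "Effect": "Allow",
      "Principal": { "AWS": "${principal_arn}" },
      "Action": [ "kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant" ],
      "Resource": "*",
      "Condition": { "Bool": { "kms:GrantIsForAWSResource": "true" } }
    }
  ]
}
EOF
}

# policy_grants POLICY_TEXT ACTION -> succeeds if the exact action string appears in the policy
# (fixed-string match, so wildcard actions such as kms:ReEncrypt* are compared literally).
policy_grants() {
    printf '%s' "$1" | grep -qF -- "\"$2\""
}

# install_key_policy KEY_ID REGION ACCOUNT_ID PRINCIPAL_ARN
# Replaces the key's default policy in REGION; this is the region the copy targets.
# Needs AWS credentials; not exercised offline.
install_key_policy() {
    key_id="$1"; region="$2"
    policy=$(least_privilege_key_policy "$3" "$4")
    aws kms put-key-policy --region "$region" --key-id "$key_id" \
        --policy-name default --policy "$policy"
}

# Usage: ./key-policy.sh <key-id-or-alias> <region> <account-id> <principal-arn>
if [ "$#" -eq 4 ]; then
    install_key_policy "$@"
fi
```

Note that the key policy is evaluated in the destination region's key; the source snapshot's key in the other region is untouched, because the copy re-encrypts the data under the destination key.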

John Hanley

Reputation: 81424

Specify a KMS Key that is valid in the destination region.

You can copy a snapshot that has been encrypted using an AWS KMS encryption key. If you copy an encrypted snapshot, the copy of the snapshot must also be encrypted. If you copy an encrypted snapshot within the same AWS Region, you can encrypt the copy with the same KMS encryption key as the original snapshot, or you can specify a different KMS encryption key. If you copy an encrypted snapshot across regions, you can't use the same KMS encryption key for the copy as used for the source snapshot, because KMS keys are region-specific. Instead, you must specify a KMS key valid in the destination AWS Region.

Handling Encryption

Upvotes: 5
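Putting the answers together, as an added example that is not code from the question or from any of the answers: a small bash wrapper that checks the arguments of a cross-region copy before calling the API, then resolves the key in the destination region and issues the copy. It rejects a snapshot given by plain name instead of ARN, a --source-region that disagrees with the region in the snapshot ARN, and a KMS key ARN whose region is not the target region; a key ID or alias carries no region, so it is checked by resolving it against the destination region at copy time. The function names, the sample account IDs and the tag value are this example's own. check_copy_args and arn_region run offline; copy_encrypted_snapshot needs AWS credentials.

```shell
#!/usr/bin/env bash
# Added example (not code from the question or the answers): validate the arguments of a
# cross-region copy of an encrypted RDS snapshot before calling the API, then resolve the
# KMS key in the destination region and run the copy. Function names are this example's own.
set -eu

# arn_region ARN -> region field of arn:partition:service:region:account:resource
arn_region() {
    printf '%s\n' "$1" | cut -d: -f4
}

# is_arn STRING -> succeeds when the string looks like an ARN
is_arn() {
    case "$1" in
        arn:*) return 0 ;;
        *)     return 1 ;;
    esac
}

# check_copy_args SOURCE_SNAPSHOT_ARN SOURCE_REGION TARGET_REGION KMS_KEY_ID
# Succeeds when the combination is consistent; otherwise prints the reason and fails.
check_copy_args() {
    src_arn="$1"; src_region="$2"; dst_region="$3"; kms_key="$4"

    # A cross-region copy must name the source snapshot by ARN, not by plain name.
    if ! is_arn "$src_arn"; then
        echo "source snapshot must be an ARN for a cross-region copy: $src_arn" >&2
        return 1
    fi
    # --source-region is what the CLI uses to build the pre-signed URL for the copy;
    # it has to be the region the snapshot actually lives in.
    if [ "$(arn_region "$src_arn")" != "$src_region" ]; then
        echo "--source-region $src_region does not match snapshot region $(arn_region "$src_arn")" >&2
        return 1
    fi
    if [ "$src_region" = "$dst_region" ]; then
        echo "source and target region are the same; not a cross-region copy" >&2
        return 1
    fi
    # KMS keys are regional: a key ARN must point at the destination region. A bare key ID
    # or alias carries no region and is checked later, when it is resolved in that region.
    if is_arn "$kms_key" && [ "$(arn_region "$kms_key")" != "$dst_region" ]; then
        echo "--kms-key-id $kms_key is in $(arn_region "$kms_key"), not in target region $dst_region" >&2
        return 1
    fi
    return 0
}

# copy_encrypted_snapshot SOURCE_SNAPSHOT_ARN SOURCE_REGION TARGET_REGION KMS_KEY_ID TARGET_ID
# Needs AWS credentials; not exercised offline.
copy_encrypted_snapshot() {
    src_arn="$1"; src_region="$2"; dst_region="$3"; kms_key="$4"; target_id="$5"
    check_copy_args "$src_arn" "$src_region" "$dst_region" "$kms_key" || return 1

    # describe-key accepts a key ID, key ARN, alias name or alias ARN. Running it against the
    # destination region proves the key exists there before the copy is attempted. The one
    # identifier that may not resolve yet is alias/aws/rds: the AWS managed key behind it is
    # created by RDS on first use, so that alias is passed through unchanged.
    if key_arn=$(aws kms describe-key --region "$dst_region" --key-id "$kms_key" \
                    --query 'KeyMetadata.Arn' --output text 2>/dev/null); then
        kms_key="$key_arn"
    elif [ "$kms_key" != "alias/aws/rds" ]; then
        echo "KMS key $kms_key does not resolve in $dst_region" >&2
        return 1
    fi

    aws rds copy-db-snapshot \
        --region "$dst_region" \
        --source-region "$src_region" \
        --source-db-snapshot-identifier "$src_arn" \
        --target-db-snapshot-identifier "$target_id" \
        --kms-key-id "$kms_key" \
        --tags Key=owner,Value="RDS Copy Job"
}

# Usage: ./copy-encrypted-snapshot.sh <source-snapshot-arn> <source-region> <target-region> <kms-key> <target-id>
if [ "$#" -eq 5 ]; then
    copy_encrypted_snapshot "$@"
fi
```

Resolving the key with describe-key in the target region, and passing the returned ARN to copy-db-snapshot, turns "PreSignedUrl could not be authenticated" into a clear "key does not resolve in <region>" message before any API call that would otherwise fail late.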
