start-backup-job issue with permission

Question

I hope someone could help me with this. I am experiencing a weird issue while using AWS cli for starting on-demand backup. I already have some backup jobs running for EC2 instances. However, for some automation i wanted to have on-demand backups as well. For said reason, when i am trying to backup using cli i am getting error.

An error occurred (AccessDeniedException) when calling the StartBackupJob operation: Insufficient privileges to perform this action.

The command i am using is;

aws backup start-backup-job --backup-vault-name primary --resource-arn arn:aws:ec2:eu-west-1:123456789:volume/vol-0abcdef1234 --iam-role-arn arn:aws:iam::123456789:role/service-role/AWSBackupDefaultServiceRole --region eu-west-1

The user i am using here has administrator access to the account.

Can someone please help me? I am out of options here.

Answer 1

As you can assign AccessPolicy to the Backup Vault check if you have any policy assigned to the vault you are trying to access. Both should be allowing IAM Policy with your admin user as well as the Resource-Based Policy assigned to your Backup Vault

Setting Access Policies on Backup Vaults and Recovery Points

I did not have any policy assigned to the Backup Vault and was able to create the backup, Plus I also have Admin access like you.

$ aws backup start-backup-job --backup-vault-name primary \
--resource-arn arn:aws:ec2:us-east-1:1234567890:volume/vol-04a514599941274c3 \
--iam-role-arn arn:aws:iam::1234567890:role/service-role/AWSBackupDefaultServiceRole --region us-east-1

{
    "BackupJobId": "5435950f-2be1-4177-92dc-7bsddsdd",
    "CreationDate": "2021-02-04T16:25:03.370000+01:00"
}

How can I use the AWS CLI to create an AWS Backup plan or run an on-demand job?

Last but not least check your environment if the credentials you think should be used are actually getting used by using sts get-caller-identity