LewlSauce

Reputation: 5882

Can't copy AWS RDS DB snapshot because of key not existing or no access? (Administrator account)

I have administrator access to my AWS account and I'm trying to copy a DB snapshot that has encryption on it. I'm specifying the key ID but it's still giving me the following error:

/opt/homebrew/lib/ruby/gems/3.0.0/gems/aws-sdk-core-3.124.0/lib/seahorse/client/plugins/raise_response_errors.rb:17:in `call': The target KMS key [<my_key_id>] does not exist, is not enabled or you do not have permissions to access it. (Aws::RDS::Errors::KMSKeyNotAccessibleFault)

The only thing that has changed from the time it worked to the time it no longer works is me enabling encryption on the database, so now its snapshots are encrypted. As a result, I've added the kms_key_id parameter to my copy_db_snapshot method.

Here's how I'm doing this with the aws-sdk-rds gem:

    client.copy_db_snapshot({
      source_db_snapshot_identifier: source_db_arn,
      target_db_snapshot_identifier: target_db_snapshot_identifier,
      source_region: source_db_region,
      kms_key_id: '<my_key_id>'
    })

I don't quite fully understand this error message. The key definitely exists (I've tried just the key ID and the full ARN), and I definitely have permission. I'm using a key generated by AWS so not sure if this helps.

Upvotes: 3

Views: 3306

Answers (1)

Kaustubh Khavnekar

Reputation: 2913

https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/RDS/Client.html#copy_db_snapshot-instance_method

If you copy an encrypted snapshot to a different Amazon Web Services Region, then you must specify an Amazon Web Services KMS key identifier for the destination Amazon Web Services Region. KMS keys are specific to the Amazon Web Services Region that they are created in, and you can't use KMS keys from one Amazon Web Services Region in another Amazon Web Services Region.

You need to specify the KMS key ID of a KMS key in the destination region. This is because the kms_key_id parameter is actually supposed to be the ID of the KMS key used to encrypt the new snapshot copy, not your original snapshot.

Upvotes: 1
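
An added example, not code from the question or the answer: an offline pre-flight check that catches the region mismatch described in the answer before calling copy_db_snapshot. The helper name check_copy_params, the regexes and all ARNs and account IDs are constructed for illustration; only the four parameter names come from the question.

```ruby
# Offline pre-flight check for a cross-region copy_db_snapshot call.
# check_copy_params is a hypothetical helper, not part of aws-sdk-rds.
KMS_ARN = %r{\Aarn:(aws[a-z-]*):kms:([a-z0-9-]+):(\d{12}):(key|alias)/.+\z}
RDS_SNAPSHOT_ARN = /\Aarn:(aws[a-z-]*):rds:([a-z0-9-]+):(\d{12}):snapshot:.+\z/

# Constructed sample: the key lives in the source region, as in the question.
SAMPLE = {
  source_db_snapshot_identifier: 'arn:aws:rds:us-east-1:111122223333:snapshot:mydb-snap',
  target_db_snapshot_identifier: 'mydb-snap-copy',
  source_region: 'us-east-1',
  kms_key_id: 'arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab'
}.freeze

# Returns a list of findings; an empty list means the parameters are consistent.
# destination_region is the region of the client that will make the call.
def check_copy_params(params, destination_region)
  findings = []
  src = RDS_SNAPSHOT_ARN.match(params[:source_db_snapshot_identifier].to_s)
  # A non-ARN snapshot identifier is treated as a same-region copy.
  source_region = src ? src[2] : destination_region
  if src && params[:source_region] && params[:source_region] != source_region
    findings << "source_region #{params[:source_region]} does not match " \
                "snapshot ARN region #{source_region}"
  end
  return findings if source_region == destination_region

  key = params[:kms_key_id].to_s
  if key.empty?
    findings << "cross-region copy of an encrypted snapshot needs a " \
                "kms_key_id from #{destination_region}"
  elsif (m = KMS_ARN.match(key))
    if m[2] != destination_region
      findings << "kms_key_id is in #{m[2]}, but the copy is encrypted " \
                  "in #{destination_region}"
    end
  else
    # A bare key ID or alias name carries no region, so it cannot be
    # checked offline; it has to exist in the destination region.
    findings << "warning: kms_key_id '#{key}' has no region; confirm it " \
                "exists in #{destination_region}"
  end
  findings
end

check_copy_params(SAMPLE, 'us-west-2').each { |f| puts f } if $PROGRAM_NAME == __FILE__
```

When the list comes back empty, the same hash can be passed to copy_db_snapshot on an Aws::RDS::Client created with region set to the destination region.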
