0

I'm trying to start a copy job to copy an RDS snapshot from one backup vault to another backup vault in a different region using a Lambda function, but I'm getting an error with this message:

An error occurred (AccessDeniedException) when calling the StartCopyJob operation: Insufficient privileges to perform this action

The function call looks like this:

    import boto3

    # AWS Backup client; StartCopyJob is called in the source vault's region
    conn = boto3.client('backup')

    result = conn.start_copy_job(RecoveryPointArn='my-arn',
                                 SourceBackupVaultName='my-vault',
                                 DestinationBackupVaultArn='my-dest-vault-arn',
                                 IamRoleArn='AWSBackupDefaultServiceRole')

The following permissions are assigned to the Lambda role:

    Resource: All resources
        Allow: backup:*
        Allow: backup:CopyFromBackupVault
    Resource: arn:aws:backup:*:*:backup-vault:*
        Allow: backup:DescribeBackupVault
        Allow: backup:CopyIntoBackupVault

Could someone explain what I'm missing here?

NewGuy
  • The lambda function doesn't have the permission to perform `StartCopyJob`. Please share the lambda role. – brushtakopo Nov 04 '22 at 14:42
  • 1
    As mentioned, the Lambda function itself needs permission to run `StartCopyJob`. The `AWSBackupDefaultServiceRole` isn't in play here until the AWS Backup job starts and AWS Backup assumes that role. The thing (Lambda in this case) triggering this backup job still needs permission to actually trigger the backup job. – Mark B Nov 04 '22 at 14:44
  • Following permissions are assigned to the Lambda: (All resources) Allow: backup:*, Allow: backup:CopyFromBackupVault; (arn:aws:backup:*:*:backup-vault:*) Allow: backup:DescribeBackupVault, Allow: backup:CopyIntoBackupVault – NewGuy Nov 04 '22 at 15:02
  • You don't have an access policy on the backup vault? – brushtakopo Nov 04 '22 at 15:09
  • The source backup vault has the following policy: { "Version": "2012-10-17", "Statement": [ { "Sid": "Allow xxxx to copy into CrossAccountSource", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::xxxx:root" }, "Action": "backup:CopyIntoBackupVault", "Resource": "*" } ] } – NewGuy Nov 04 '22 at 15:14
  • Looking at this policy, I can see that `AWSBackupDefaultServiceRole` is not given the permission to act on it. In your backup vault you can add a permission to Allow role level access to a Backup vault. Then you edit the role with the one you mentioned `AWSBackupDefaultServiceRole` – brushtakopo Nov 04 '22 at 15:25
  • Thanks. I attached the following policy to the source vault but am still getting the same error: { "Sid": "statement ID", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::xxxx:role/service-role/AWSBackupDefaultServiceRole" }, "Action": [ "backup:DescribeBackupVault", "backup:CopyFromBackupVault", "backup:StartBackupJob", "backup:StartCopyJob", "backup:ListRecoveryPointsByBackupVault" ], "Resource": "*" } – NewGuy Nov 04 '22 at 15:58
  • ok.. What happens if you execute the lambda code just as a normal python script from your PC? Do you get the same issue? – brushtakopo Nov 04 '22 at 16:07
  • Unfortunately I don't have permission to run it using the CLI. – NewGuy Nov 07 '22 at 09:19
  • This is not about running the AWS CLI, it is about running the Python script locally. – brushtakopo Nov 07 '22 at 12:46
  • What I meant is that I don't have access to credentials to run it. – NewGuy Nov 07 '22 at 14:02

1 Answer

-1

I needed to provide the full ARN of the AWSBackupDefaultServiceRole role, like

arn:aws:iam::12345678:role/AWSBackupDefaultServiceRole

    # IamRoleArn takes the full role ARN, not the bare role name
    result = conn.start_copy_job(RecoveryPointArn='my-arn',
                                 SourceBackupVaultName='my-vault',
                                 DestinationBackupVaultArn='my-dest-vault-arn',
                                 IamRoleArn='arn:aws:iam::12345678:role/AWSBackupDefaultServiceRole')
NewGuy
  • This does not provide an answer to the question. To critique or request clarification from an author, leave a comment below their post. - [From Review](/review/late-answers/33712083) – Jeremie Jan 30 '23 at 19:58
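The thread turns on two separate things: the answer's fix (`IamRoleArn` must be a full IAM role ARN, not the bare name `AWSBackupDefaultServiceRole`), and the point made in the comments that the *caller* (the Lambda execution role) needs `backup:StartCopyJob` itself, because AWS Backup only assumes the service role after the job has been accepted. The example below is added here and is not code from the question or the answer. It validates the role ARN up front so a bare name fails with a clear `ValueError` instead of an opaque `AccessDeniedException`, assembles the `StartCopyJob` request, and emits a least-privilege policy for the Lambda execution role. The account ID, regions, vault names, recovery point ARN and the `RecordingBackupClient` stand-in for `boto3.client('backup')` are constructed so it runs offline; the `iam:PassRole` statement reflects my understanding that handing AWS Backup a role to assume requires PassRole on that role, which you should confirm against your own account. Note also that the comments show the role under the `service-role/` path while the answer omits it; `role/X` and `role/service-role/X` are different principals, so use whichever path the role actually has.

```python
"""Cross-region AWS Backup copy from Lambda: full role ARN plus caller permissions.

Added example, not code from the original question or answer. All identifiers
below are constructed placeholders.
"""
import json
import re

# Constructed placeholders (assumptions, not values from the thread).
ACCOUNT_ID = "123456789012"
SOURCE_REGION = "us-east-1"
DEST_REGION = "eu-west-1"
SOURCE_VAULT = "my-vault"
SOURCE_VAULT_ARN = f"arn:aws:backup:{SOURCE_REGION}:{ACCOUNT_ID}:backup-vault:{SOURCE_VAULT}"
DEST_VAULT_ARN = f"arn:aws:backup:{DEST_REGION}:{ACCOUNT_ID}:backup-vault:my-dest-vault"
RECOVERY_POINT_ARN = f"arn:aws:rds:{SOURCE_REGION}:{ACCOUNT_ID}:snapshot:awsbackup:job-0123abcd"

# IAM role ARN shape: arn:<partition>:iam::<12-digit account>:role/<optional path/>name
ROLE_ARN_RE = re.compile(r"^arn:aws[a-z-]*:iam::\d{12}:role/[\w+=,.@/-]+$")


def is_role_arn(value: str) -> bool:
    """True only for a full IAM role ARN, which is what IamRoleArn expects."""
    return bool(ROLE_ARN_RE.match(value))


def role_arn(role_name: str, account_id: str = ACCOUNT_ID) -> str:
    """Build the full ARN for a role name. Include the path in role_name if the
    role has one: 'role/X' and 'role/service-role/X' are different principals."""
    return f"arn:aws:iam::{account_id}:role/{role_name}"


def build_copy_job_request(recovery_point_arn: str, source_vault: str,
                           dest_vault_arn: str, iam_role_arn: str) -> dict:
    """Assemble StartCopyJob parameters, rejecting a bare role name up front so the
    mistake surfaces as a ValueError rather than an AccessDeniedException."""
    if not is_role_arn(iam_role_arn):
        raise ValueError(f"IamRoleArn must be a full IAM role ARN, got {iam_role_arn!r}")
    return {
        "RecoveryPointArn": recovery_point_arn,
        "SourceBackupVaultName": source_vault,
        "DestinationBackupVaultArn": dest_vault_arn,
        "IamRoleArn": iam_role_arn,
    }


def lambda_execution_policy(service_role_arn: str, source_vault_arn: str) -> dict:
    """Policy for the Lambda *execution* role, i.e. the identity that calls the API.
    backup:StartCopyJob is the action the comments say was missing. iam:PassRole is
    included on the assumption that passing a role to AWS Backup requires it; the
    iam:PassedToService condition stops the role being passed to any other service."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "StartCopyFromSourceVault",
                "Effect": "Allow",
                "Action": ["backup:StartCopyJob", "backup:DescribeBackupVault",
                           "backup:ListRecoveryPointsByBackupVault"],
                "Resource": source_vault_arn,
            },
            {
                "Sid": "PassServiceRoleToBackupOnly",
                "Effect": "Allow",
                "Action": "iam:PassRole",
                "Resource": service_role_arn,
                "Condition": {"StringEquals": {"iam:PassedToService": "backup.amazonaws.com"}},
            },
        ],
    }


class RecordingBackupClient:
    """Offline stand-in for boto3.client('backup'): records the request it receives
    and answers with a constructed CopyJobId, as a successful call would."""
    def __init__(self):
        self.calls = []

    def start_copy_job(self, **kwargs):
        self.calls.append(kwargs)
        return {"CopyJobId": "copy-0001"}


def start_cross_region_copy(client, service_role_arn: str = role_arn("service-role/AWSBackupDefaultServiceRole")) -> str:
    """Start the copy and return the job id. The client must be created in the
    source vault's region; the destination is named by its full vault ARN."""
    request = build_copy_job_request(RECOVERY_POINT_ARN, SOURCE_VAULT, DEST_VAULT_ARN, service_role_arn)
    return client.start_copy_job(**request)["CopyJobId"]


if __name__ == "__main__":
    # With boto3 and credentials this would be boto3.client("backup", region_name=SOURCE_REGION).
    client = RecordingBackupClient()
    print("CopyJobId:", start_cross_region_copy(client))
    print(json.dumps(lambda_execution_policy(role_arn("service-role/AWSBackupDefaultServiceRole"),
                                             SOURCE_VAULT_ARN), indent=2))
```

The vault access policies discussed in the comments are a separate control: a resource policy on the destination vault (allowing `backup:CopyIntoBackupVault` to the source account) matters for cross-account copies, but it does not grant the caller `backup:StartCopyJob`, which is why editing the source vault's policy did not clear the error.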