DR of an encrypted snapshot may fail with the “Not Authorized to use key” error
Example in CPM backup log:
10-24-18 10:11:04 - Error - Volume DR copy snapshot failed for region US
East (N. Virginia), snapshot snap-11111111111111111 (to DR account). Reason:
Failed adding share permission to snapshot snap-11111111111111111 (original
volume: vol-22222222222222222). Reason: Not authorized to use key arn:aws:kms:us-east-1:1234567890ab:key/ba1234567890-1234-5678-283746163517
Example from AWS CloudTrail JSON log:
This is an example of the error on the ReEncrypt operation
User: arn:aws:sts::444996954394:assumed-role/CPM-Service-Backups-Role/CPM-assumed-prod
is not authorized to perform: kms:ReEncryptFrom on resource: arn:aws:kms:us-east-1:1234567890ab:key/ba1234567890-1234-5678-283746163517
This is an example of the error on the ModifySnapshotAttribute operation
Not authorized to use key arn:aws:kms:us-east-1:1234567890ab:key/ba1234567890-1234-5678-283746163517
The user
identity is not going to be listed in the CloudTrail “errorMessage” attribute
in the example above, you will need to
look for the “userIdentity/arn” attribute to find the user identity.
Cause: This
is caused by the user/role not being listed as a “key user” for that key.
Solution: Add
this user/role as a “key user” for that key. Navigate to the KMS page on AWS and select your KMS key. Then under " key users" add the user or role.
Related Articles
Encrypted Snapshot may fail DR with the “Given key ID is not accessible” error
Problem: DR copy may fail with errors like “Given key ID is not accessible” The following error may be printed in the CPM Backup log and the CPM Server log: Error - Volume DR copy snapshot failed for region US East (Ohio) (in DR account), ...Cross-Account and Cross-Region DR of an encrypted RDS database may fail
If cross-region and cross-account backup of an encrypted RDS database is successful, but fails in the cross-region cross-account DR copy, you may see the following error in the cpm logs: ERROR: start_copy_region(dr_rds.py:381) RDS DR copy_snapshot ...Recovery of an encrypted volume may fail: "Not authorized to use key"
Issue: Performing a cross account recovery of an encrypted volume, or of an instance containing an encrypted volume may not work if the target account cannot access the encryption key from the source account. Error may appear in the CPM Server log as ...Cross-account exploring of encrypted snapshots may fail
Exploring of cross-account encrypted snapshot may fail with error: Reason: Encrypted snapshots with EBS default key cannot be shared (OperationNotPermitted) If you receive the error above, please note that exploring a cross-account snapshot with ...File level restore may fail with the "Failed adding share permission" error
File level restore may fail with the "Failed adding share permission" error: ERROR: share_snapshot(.\cpmserver\cpm\aws_utils.py:265) Failed adding share permission to snapshot snap-1234567890abcdef (original volume: vol-abcdef1234567890) Failed. ...