EFS - cross account tag scan may fail with Error: Invalid IAM role ARN
When adding EFS to a policy via a tag, it may fail with one of the following errors:
(tag for example: efstesting+vault=n2ws+exp_opt=D+exp_opt_val=30+role_arn=arn:aws:iam::12345678:role/CPM)
- Critical Error - Can't update EFS to backup targets. Error: Invalid IAM role ARN arn:aws:iam::12345678:role/test-n2ws-role
- Critical Error Can't add new EFS to backup targets. Error: Invalid IAM role ARN arn:aws:iam::031673727321:role/sr-n2ws-serverrole
To resolve this you need to make sure that the role has trust relation to the backup service and assuming role:
for example:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "backup.amazonaws.com"
},
"Action": "sts:AssumeRole"
},
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::12345678:role/CPM"
},
"Action": "sts:AssumeRole"
}
]
}
you also need to make sure that the role in the target account has the permission to the aws backup and CPM role:
Tip: one useful tool you can use, is the AWS policy simulator which can help you check if the role is created fine : https://policysim.aws.amazon.com/
Related Articles
Scan tag fails with The security token included in the request is invalid
Issue: When doing scan tag for for a region that requires opt-in (region that needs enabling in AWS, ap-southeast-4 for example) and using N2WS Account with assume role, both source and target account need to have the region enabled. Failing to do ...Permission check may fail with an error "Could not assume role"
Issue: Permission check may fail with this error message: ERROR: get_assume_role_credentials(aws_utils.py:1337) Could not assume role arn arn:<AWS account ARN:RoleName> from account <CPM Account> (<CPM user>), reason User arn:<AWS account ARN:IAM ...Tag scan may fail after upgrade to v2.6.0 with the "KeyError: 'config_args'" error, when a resource is tagged with the "no-backup" tag value
Tag scan may fail after upgrade to v2.6.0 with the "KeyError: 'config_args'" error, when a resource is tagged with the "no-backup" tag value The following errors may be printed in CPM Agent logs: ERROR: scan_tags_request(agentapi_requests.py:415) ...How to setup cross account/cross region recovery in CPM 2.x
Background This document assumes that the main server running Cloud Protection Manager (CPM) is setup according to the minimum-Security requirements document at this link. ...Cross-Account and Cross-Region DR of an encrypted RDS database may fail
If cross-region and cross-account backup of an encrypted RDS database is successful, but fails in the cross-region cross-account DR copy, you may see the following error in the cpm logs: ERROR: start_copy_region(dr_rds.py:381) RDS DR copy_snapshot ...