EFS - cross account tag scan may fail with Error: Invalid IAM role ARN
When an EFS is added to a policy via a tag, the tag scan may fail with one of the following errors.
(Example tag: efstesting+vault=n2ws+exp_opt=D+exp_opt_val=30+role_arn=arn:aws:iam::12345678:role/CPM)
- Critical Error - Can't update EFS to backup targets. Error: Invalid IAM role ARN arn:aws:iam::12345678:role/test-n2ws-role
- Critical Error - Can't add new EFS to backup targets. Error: Invalid IAM role ARN arn:aws:iam::031673727321:role/sr-n2ws-serverrole

To resolve this, make sure that the role has a trust relationship with both the backup service and the assuming role, for example:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "backup.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::12345678:role/CPM"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
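
One way to check a role's trust policy for the two principals shown above, as an added example (not N2WS code). The function names are hypothetical and the sample policies are constructed from the example in this article.

```python
import json

BACKUP_SERVICE = "backup.amazonaws.com"

def _as_list(value):
    """IAM accepts either one string or a list for Action and principal values."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)

def allowed_assumers(trust_policy):
    """Return the (type, principal) pairs that an Allow statement lets call sts:AssumeRole."""
    statements = trust_policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    found = set()
    for stmt in statements:
        # Exact-match check only: wildcard actions such as "sts:*" are not counted.
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal")
        if not isinstance(principal, dict):  # e.g. "*", which names no specific principal
            continue
        for ptype, values in principal.items():
            found.update((ptype, v) for v in _as_list(values))
    return found

def missing_trust(trust_policy, cpm_role_arn):
    """List the required principals that the trust policy does not allow."""
    found = allowed_assumers(trust_policy)
    required = [("Service", BACKUP_SERVICE), ("AWS", cpm_role_arn)]
    return [f"{t}:{v}" for t, v in required if (t, v) not in found]

# Constructed sample input: the ARN is the placeholder used in the article's example.
CPM_ROLE = "arn:aws:iam::12345678:role/CPM"
GOOD = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Principal": {"Service": "backup.amazonaws.com"}, "Action": "sts:AssumeRole"},
  {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::12345678:role/CPM"}, "Action": "sts:AssumeRole"}]}""")
# Constructed variant that trusts only the backup service.
SERVICE_ONLY = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Principal": {"Service": [BACKUP_SERVICE]}, "Action": ["sts:AssumeRole"]}}

if __name__ == "__main__":
    print(missing_trust(GOOD, CPM_ROLE))
    print(missing_trust(SERVICE_ONLY, CPM_ROLE))
```

The trust policy of an existing role can be retrieved with `aws iam get-role --role-name <role> --query Role.AssumeRolePolicyDocument` and passed to `missing_trust` after `json.loads`.
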
You also need to make sure that the role in the target account has permissions for AWS Backup and the CPM role: