EFS - cross account tag scan may fail with Error: Invalid IAM role ARN
When adding EFS to a policy via a tag, it may fail with one of the following errors:
(tag for example: efstesting+vault=n2ws+exp_opt=D+exp_opt_val=30+role_arn=arn:aws:iam::12345678:role/CPM)
- Critical Error - Can't update EFS to backup targets. Error: Invalid IAM role ARN arn:aws:iam::12345678:role/test-n2ws-role
- Critical Error Can't add new EFS to backup targets. Error: Invalid IAM role ARN arn:aws:iam::031673727321:role/sr-n2ws-serverrole
To resolve this you need to make sure that the role has trust relation to the backup service and assuming role:
for example:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "backup.amazonaws.com"
},
"Action": "sts:AssumeRole"
},
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::12345678:role/CPM"
},
"Action": "sts:AssumeRole"
}
]
}
you also need to make sure that the role in the target account has the permission to the aws backup and CPM role:
Related Articles
Scan tag fails with The security token included in the request is invalid
Issue: When doing scan tag for for a region that requires opt-in (region that needs enabling in AWS, ap-southeast-4 for example) and using N2WS Account with assume role, both source and target account need to have the region enabled. Failing to do ...
Permission check may fail with an error "Could not assume role"
Issue: Permission check may fail with this error message: ERROR: get_assume_role_credentials(aws_utils.py:1337) Could not assume role arn arn:<AWS account ARN:RoleName> from account <CPM Account> (<CPM user>), reason User arn:<AWS account ARN:IAM ...
Cross-Account and Cross-Region DR of an encrypted RDS database may fail
If cross-region and cross-account backup of an encrypted RDS database is successful, but fails in the cross-region cross-account DR copy, you may see the following error in the cpm logs: ERROR: start_copy_region(dr_rds.py:381) RDS DR copy_snapshot ...
N2WS-22672 - Tag scan fails with error "list index out of range"
Issue: Tag scan fails with the following error in cpm_scan.log log Traceback (most recent call last): File "./cpmserver/cpm/backup_tag.py", line 358, in scan_for_aws_resources File "./cpmserver/cpm/aws_utils.py", line 3100, in ...
Cross account DR of EFS may fail with error: Error: EFS DR, backup fs-xxxxxxxx missing matching vault name on target region US West (Oregon) (original vault: Default)
Problem: When doing a DR copy of EFS file systems across regions the following error may occur: Error: EFS DR, backup fs-ea2d99a2 missing matching vault name on target region US West (N. California) (original vault: Default) Resolution: EFS Backup ...