EFS - cross account tag scan may fail with Error: Invalid IAM role ARN
When adding EFS to a policy via a tag, it may fail with one of the following errors:
(tag for example: efstesting+vault=n2ws+exp_opt=D+exp_opt_val=30+role_arn=arn:aws:iam::12345678:role/CPM)
- Critical Error - Can't update EFS to backup targets. Error: Invalid IAM role ARN arn:aws:iam::12345678:role/test-n2ws-role
- Critical Error Can't add new EFS to backup targets. Error: Invalid IAM role ARN arn:aws:iam::031673727321:role/sr-n2ws-serverrole
To resolve this you need to make sure that the role has trust relation to the backup service and assuming role:
for example:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "backup.amazonaws.com"
},
"Action": "sts:AssumeRole"
},
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::12345678:role/CPM"
},
"Action": "sts:AssumeRole"
}
]
}
you also need to make sure that the role in the target account has the permission to the aws backup and CPM role: