Encrypted Snapshot may fail DR with the “Given key ID is not accessible” error
Problem: DR copy may fail with errors like “Given key ID is not accessible”
The
following error may be printed in the CPM Backup log and the CPM Server log:
Error - Volume DR copy snapshot failed for region US East
(Ohio) (in DR account), snapshot snap-11111111111111111 (status: error). Error: Given key ID is not
accessible
The following error may be
printed in the Amazon CloudTrail
log in JSON Format:
User: arn:aws:sts::222222222222:assumed-role/aaaa.CPM-Service-Backups-Role/CPM-assumed-prod
is not authorized to perform: kms:CreateGrant on resource: arn:aws:kms:us-east-2:123456789012:key/111abcde-f123-12g3-1234-1hijklmn2o34
This is a sample of how this event
would look in CloudTrail:
Cause: This may be caused by user/role
permissions policy lacking the required permissions, and/or this user not being
listed as a “key user” for that key.
Solution: Correct the user/role permissions
policy and/or add the user as a “key user” to that key.
Related Articles
DR of an encrypted snapshot may fail with the “Not Authorized to use key” error
Problem: DR copy may fail with errors like “Not authorized to perform” or “not authorized to use key” Example in CPM backup log: 10-24-18 10:11:04 - Error - Volume DR copy snapshot failed for region US East (N. Virginia), snapshot ...Cross-Account and Cross-Region DR of an encrypted RDS database may fail
If cross-region and cross-account backup of an encrypted RDS database is successful, but fails in the cross-region cross-account DR copy, you may see the following error in the cpm logs: ERROR: start_copy_region(dr_rds.py:381) RDS DR copy_snapshot ...Recovery of an encrypted volume may fail: "Not authorized to use key"
Issue: Performing a cross account recovery of an encrypted volume, or of an instance containing an encrypted volume may not work if the target account cannot access the encryption key from the source account. Error may appear in the CPM Server log as ...Cross-account exploring of encrypted snapshots may fail
Exploring of cross-account encrypted snapshot may fail with error: Reason: Encrypted snapshots with EBS default key cannot be shared (OperationNotPermitted) If you receive the error above, please note that exploring a cross-account snapshot with ...File level restore may fail with the "Failed adding share permission" error
File level restore may fail with the "Failed adding share permission" error: ERROR: share_snapshot(.\cpmserver\cpm\aws_utils.py:265) Failed adding share permission to snapshot snap-1234567890abcdef (original volume: vol-abcdef1234567890) Failed. ...