FLR or Copy to S3 with Exception: could not assume role
Issues:
When doing file level recovery(FLR) or copy to S3 operation in the same account, N2WS might need to assume its own role to generate a token for the worker, this could lead to the below error
ERROR: get_instance_role_temp_credentials(aws_utils.py:1086) Failed to creating temp credentials for instance role (account: General1, user Admin). Error: User: arn:aws:sts::862967128348:assumed-role/MyCPMRole/i-0ecdce71be1f610a9 is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::862967128348:role/MyCPMRole
ERROR: task_to_dict(backup_copy_manager.py:82) Exception occurred
Traceback (most recent call last):
File "./cpmserver/cpm/backup_copy/backup_copy_manager.py", line 80, in task_to_dict
File "./cpmserver/cpm/backup_copy/s3_copy.py", line 1102, in backup_copy_task_to_dict
File "./cpmserver/cpm/backup_copy/copy_to_s3_common.py", line 74, in account_credentials_to_dict
Exception: could not assume role
Solution:
Due to AWS recent announcement about changing the IAM role trust policy behavior(https://aws.amazon.com/blogs/security/announcing-an-update-to-iam-role-trust-policy-behavior), You will need update the role to allow it to assume itself.
1. Go to IAM -> Role -> Trust relationships
2. Update the json to allow the role to assume itself, for example:
Before:
{"Version": "2012-10-17","Statement": [{"Effect": "Allow","Principal": {"Service": "ec2.amazonaws.com"},"Action": "sts:AssumeRole"}]}
After:
{"Version": "2012-10-17","Statement": [{"Effect": "Allow","Principal": {"Service": "ec2.amazonaws.com"},"Action": "sts:AssumeRole"},{"Effect": "Allow","Principal": {"AWS": "arn:aws:iam::862967128348:role/MyCPMRole"},"Action": "sts:AssumeRole"}]}
Note: you need to update the red with the account number and the role name
Related Articles
Permission check may fail with an error "Could not assume role"
Issue: Permission check may fail with this error message: ERROR: get_assume_role_credentials(aws_utils.py:1337) Could not assume role arn arn:<AWS account ARN:RoleName> from account <CPM Account> (<CPM user>), reason User arn:<AWS account ARN:IAM ...Copy to S3 fails after upgrade to 4.2.2
Issue: Backup of snapshots to S3 bucket is failing after upgrade from 4.1 to 4.2.2 Solution: One possible reason for such an issue is the change in default behavior. In 4.2.2 we introduced the option to launch a worker with a IAM role attached to it. ...N2WS 3.1b/3.2.x - Very slow copy to S3 Bucket
Issue summary You might face very slow speed for the copy to S3 operation due to EBS API timeouts. Please see below troubleshooting and additional performance suggestions Troubleshooting The most common issue with copy to S3 speed is timeout to the ...How to add an additional AWS account to CPM for Backup or DR
When adding an additional AWS account to CPM for Backup or DR, there are two ways to grant CPM access to the account: Authentication: Assume Role or IAM User "CPM Instance IAM role" can only access the account the CPM server is running in and cannot ...N2WS-21963 - Copy to S3 fails with Failed to stop processor(s)
Issue: Copy to S3 is failing with following error ERROR: add_error(segment_handler.py:322) copy of md table of segment 1 of volume vol-12345678, instance i-0987654321, backup 123 fail : Failed to stop processor(s): not all blocks were processed ...