EFS backup may fail with the following error: Error - failed starting EFS fs-1234abcd backup (vault: Default, iam role: AWSBackupDefaultServiceRole), policy Dailyjob_Policy. Exception: IAM Role arn:aws:iam::############:role/service-role/AWSBackupDefaultServiceRole cannot be assumed by AWS Backup
Problem:
EFS backups may fail with the following error:
Error - failed starting EFS fs-1234abcd backup (vault: Default, iam role: AWSBackupDefaultServiceRole), policy Dailyjob_Policy. Exception: IAM Role arn:aws:iam::############:role/service-role/AWSBackupDefaultServiceRole cannot be assumed by AWS Backup (InvalidParameterValueException)
Resolution:
The issue is the lack of or incorrect configuration of the Role:
Creating IAM Roles in AWS
A default or custom IAM role is necessary for AWS to perform EFS operations on behalf of N2WS.
To create a default IAM Role:
1. Go to the AWS Backup Service:
2. Click the Create an on-demand backup button.
- For Resource type, select EBS.
- For Volume ID, select any EBS volume to backup.
- Select Default IAM Role.
3. Click the Create on-demand backup button. Ignore the error provided by AWS.
Verify that the following role was created on AWS IAM Service:
To create a custom IAM Role:
1. Go to AWS IAM Service:
2. Click the Create role button.
3. Select AWS Backup and click Next: Permissions.
4. Search for BackupService.
5. Select the following AWS managed policies:
- AWSBackupServiceRolePolicyForBackup
- AWSBackupServiceRolePolicyForRestores
6. Click Next: Tags and then click Next: Review.
7. Enter a Role name and click Create role.
For more details on how to configure N2WS Backup and Recovery for EFS see the CPM User Guide:
Related Articles
EFS - cross account tag scan may fail with Error: Invalid IAM role ARN
When adding EFS to a policy via a tag, it may fail with one of the following errors: (tag for example: efstesting+vault=n2ws+exp_opt=D+exp_opt_val=30+role_arn=arn:aws:iam::12345678:role/CPM) Critical Error - Can't update EFS to backup targets. Error: ...Cross account DR of EFS may fail with error: Error: EFS DR, backup fs-xxxxxxxx missing matching vault name on target region US West (Oregon) (original vault: Default)
Problem: When doing a DR copy of EFS file systems across regions the following error may occur: Error: EFS DR, backup fs-ea2d99a2 missing matching vault name on target region US West (N. California) (original vault: Default) Resolution: EFS Backup ...Cross-Region DR RDS backup may fail with "Copy failed due to an AWS limitation regarding default encryption key” error
RDS DR backup of encrypted snapshots between different regions may fail with the following error in the Backup log: Error - RDS DR, copy snapshot failed (to DR account) due to an AWS limitation regarding default encryption key (source US East (Ohio), ...FLR or Copy to S3 with Exception: could not assume role
Issues: When doing file level recovery(FLR) or copy to S3 operation in the same account, N2WS might need to assume its own role to generate a token for the worker, this could lead to the below error ERROR: ...Copy of RDS to DR target account may fail with Reason code: Unable to create the resource. Verify that you have permission to create service linked role.
DR copy job may fail with the following error: Error: RDS DR copy failed for region EU Paris (any region can apply) with reason code: Unable to create the resource. Verify that you have permission to create service-linked role. Otherwise, wait and ...