How do I troubleshoot failed Amazon EC2 restore jobs using AWS Backup?

Last updated: 2022-01-12

I'm using AWS Backup to restore an Amazon Elastic Compute Cloud (Amazon EC2) instance from a recovery point in AWS Backup. However, I get an encoded error message that says "You are not authorized to perform this operation. Please consult the permissions associated with your AWS Backup role(s), and refer to the AWS Backup documentation for more details."

Resolution

This error typically occurs under the following conditions:

  • The original Amazon EC2 instance has an instance profile attached to it.
  • You try to restore the instance on the AWS Backup console using the setting Default role for Restore role and Restore with Original IAM Role for Instance IAM role.

To resolve this issue, use either of the following options based on your use case.

Use the Proceed with no IAM role option

  • When you run the restore job for the instance in the AWS Backup console, select Proceed with no IAM role for Instance IAM role. With this option, you can restore the instance, and the restored instance doesn't have an instance profile attached to it. Later, you can attach the instance profile to this restored instance.

Use the Restore with Original IAM role option

When you run the restore job, you can select Restore with Original IAM Role for Instance IAM role after attaching additional permissions to your Restore role:

1.    If you know which role you used for the restore, then skip to step 2. Otherwise, run the decode-authorization-message command using the AWS Command Line Interface (AWS CLI) to find the role that was used to restore the instance. If you're using a Linux-based operating system, then you can combine this command with the jq tool to get a viewer-friendly output:

# aws sts decode-authorization-message --encoded-message (encoded error message) --query DecodedMessage --output text | jq '.'

Note: If you receive errors when running AWS CLI commands, make sure that you’re using the most recent version of the AWS CLI.

You get an output similar to the following:

{
  "allowed": false,

…..

  "context": {
    "principal": {
      "id": "AROAAAAAAAAAA:AWSBackup-AWSBackupDefaultServiceRole",
      "arn": "arn:aws:sts::111122223333:assumed-role/AWSBackupDefaultServiceRole/AWSBackup-AWSBackupDefaultServiceRole"
    },
    "action": "iam:PassRole",
    "resource": "arn:aws:iam::111122223333:role/AmazonSSMRoleForInstancesQuickSetup",
    "conditions": {
      "items": [

…..      

}

The example output shows that the Restore role is same as AWSBackupDefaultServiceRole. The Restore role must have the iam:PassRole permission so that it can interact with the role AmazonSSMRoleForInstancesQuickSetup, which is required to restore the instance.

2.    Open the IAM console, and create the following policy: 

Note: Replace 111122223333 with your AWS account ID.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::111122223333:role/*",
            "Effect": "Allow"
        }
    ]
}

Then, attach this policy to your Restore role.

3.    After you update the IAM role, re-run the restore job.


Did this article help?


Do you need billing or technical support?