I'm trying to export a snapshot from Amazon RDS MySQL to Amazon S3, but I'm receiving an error. Why is this happening?

Last updated: 2021-08-18

I'm trying to export a snapshot to my Amazon Simple Storage Service (Amazon S3) bucket from my Amazon Relational Database Service (Amazon RDS) MySQL instance. However, I'm seeing an error or the option is unavailable to me. Why is this happening, and how do I resolve this?

Short description

Exporting a DB snapshot from Amazon RDS to Amazon S3 can fail for the following reasons:

  • AWS Identity and Access Management (IAM) role and policy misconfiguration
  • AWS KMS key check failure
  • Export task is stuck in "STARTING"
  • Access Denied error
  • AWS KMS key ID doesn't exist
  • Permission issues on table
  • IAM role doesn't exist

Resolution

AWS Identity and Access Management (IAM) role and policy misconfiguration

If your IAM role doesn't have proper permissions to export a snapshot from your Amazon RDS MySQL instance to Amazon S3, you'll receive the following errors:

An error occurred (IamRoleMissingPermissions) when calling the StartExportTask operation: The IAM Role arn:aws:iam::1234567890:role/service-role/role_name isn't authorized to call s3:GetBucketLocation on the S3 bucket my_bucket_name OR
An error occurred (IamRoleMissingPermissions) when calling the StartExportTask operation: The IAM Role arn:aws:iam::1234567890:role/service-role/role_name isn't authorized to call s3:DeleteObject on the S3 bucket my_bucket_name OR
An error occurred (IamRoleMissingPermissions) when calling the StartExportTask operation: The IAM Role arn:aws:iam::1234567890:role/service-role/role_name isn't authorized to call s3:PutObject on the S3 bucket my_bucket_name OR
An error occurred (IamRoleMissingPermissions) when calling the StartExportTask operation: The IAM Role arn:aws:iam::1234567890:role/service-role/role_name isn't authorized to call s3:ListBucket on the S3 bucket my_bucket_name OR
An error occurred (IamRoleMissingPermissions) when calling the StartExportTask operation: The IAM Role arn:aws:iam::1234567890:role/service-role/role_name isn't authorized to call s3:GetObject on the S3 bucket my_bucket_name.

To successfully export a snapshot to Amazon S3, your IAM role must have proper permissions for these five actions:

  • s3:PutObject
  • s3:DeleteObject
  • s3:GetObject
  • s3:ListBucket
  • s3:GetBucketLocation

Here's an example IAM policy (in JSON format) that allows these five actions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ExportPolicy",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject*",
        "s3:ListBucket",
        "s3:GetObject*",
        "s3:DeleteObject*",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::s3_bucket_name",
        "arn:aws:s3:::s3_bucket_name/export/*"
      ]
    }
  ]
}

AWS KMS key check failure

If your AWS KMS key was disabled or deleted while you were exporting a snapshot, you'll receive the following error:

Error: KMS keys check failed. Please check the credentials on your KMS key and try again.

To resolve this issue, make sure that the AWS KMS key used for exporting snapshots exists in the KMS console. The AWS KMS key status must indicate "Enabled".

Export task is stuck in "STARTING" status

When you export your Amazon RDS for MySQL DB snapshot to Amazon S3, the task can take longer than usual, depending on the database size and type. The export task will restore and scale the entire database before extracting the data to Amazon S3. During this stage, your export task displays the "STARTING" status. When your task begins to export the data to Amazon S3, the status will change to "In progress". If your export task is successful, the status indicates that the task is complete. If there are issues with your export task process, the status will indicate that the task has failed.

Access Denied error

If your IAM role is missing the required permissions, and you're using AWS Lambda with Amazon API Gateway, you receive the following error:

An error occurred (AccessDenied) when calling the StartExportTask operation: User: arn:aws:sts::1234567890:assumed-role/user/rds_lambda is not authorized to perform: rds:StartExportTask

To resolve this issue, allow Write access to rds:StartExportTask. However, you must have access to the StartExportTask action.

For example:

{
    "Effect": "Allow",
    "Action": "rds:StartExportTask",
    "Resource": "*"
}

If your IAM role doesn't have the iam:PassRole permission that the StartExportTask operation needs, you receive the following error:

An error occurred (AccessDenied) when calling the StartExportTask operation: User: arn:aws:sts::1234567890:assumed-role/user/rds_lambda is not authorized to perform: iam:PassRole on Resource ,iam role arn.

To resolve this error, make sure to grant user permissions to pass a role to an AWS service:

{
    "Effect": "Allow",
    "Action": [
      "iam:GetRole",
      "iam:PassRole"
    ],
    "Resource": "arn:aws:iam::1234567890:role/role_name"
}

AWS KMS key ID doesn't exist

If your IAM role isn't authorized to access the AWS KMS key, you receive the following error:

Error: Your request to export snapshot to S3 has failed. An internal error has occurred. Please try your query again at a later time OR The KMS key key_id doest not exist, is not enabled or you do not have permissions to access it.

To resolve this error, make sure to include the following KmsKeyID actions in your KMS key policy:

GrantOperation.Encrypt
GrantOperation.Decrypt
GrantOperation.GenerateDataKey
GrantOperation.GenerateDataKeyWithoutPlaintext
GrantOperation.ReEncryptFrom
GrantOperation.ReEncryptTo
GrantOperation.CreateGrant
GrantOperation.DescribeKey
GrantOperation.RetireGrant

For example:

{
  "Effect": "Allow",
  "Action": [
    "GrantOperation.Encrypt",
    "GrantOperation.Decrypt",
    "GrantOperation.GenerateDataKey",
    "GrantOperation.GenerateDataKeyWithoutPlaintext",
    "GrantOperation.ReEncryptFrom",
    "GrantOperation.ReEncryptTo",
    "GrantOperation.CreateGrant",
    "GrantOperation.DescribeKey",
    "GrantOperation.RetireGrant"
  ],
  "Resource": "arn:aws:iam::1234567890:role/role_name"
}

Permission issues on table

If you don't have proper permissions to access a table in Amazon RDS, you receive the following error:

Error: PERMISSIONS_DO_NOT_EXIST error stating that (n) tables were skipped

To resolve this issue, run the following command after connecting to a PostgreSQL database:

GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA schema_name TO superuser_name;

IAM role doesn't exist

If the proper trust relationship isn't specified in your IAM role's trust policy, you receive the following error:

Error: The Principal export.rds.amazonaws.com isn't allowed to assume the IAM role arn:aws:iam::1234567890:role/iam_role or the IAM role arn:aws:iam::1234567890:role/iam_role doesn't exist.

To resolve this issue, make sure that the trust relationship specifies "export.rds.amazonaws.com" instead of "rds.amazonaws.com" in your IAM role's trust policy. For example:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "export.rds.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}
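
A pre-flight check for two of the policy problems described above, the missing S3 permissions and the wrong trust principal, as an added example that is not part of the original article or any AWS code. The function names and sample policies are constructed for illustration, and the matching is simplified: it looks only at Allow statements and ignores Deny, NotAction and Condition.

```python
import fnmatch

# Actions are the five this article requires; the bucket/object level is standard S3 behaviour.
REQUIRED = {"s3:PutObject": "object", "s3:DeleteObject": "object", "s3:GetObject": "object",
            "s3:ListBucket": "bucket", "s3:GetBucketLocation": "bucket"}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _glob_any(patterns, value, fold=False):
    # IAM "*" and "?" act like shell globs; action names are case-insensitive, ARNs are not.
    if fold:
        patterns, value = [p.lower() for p in patterns], value.lower()
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def missing_s3_permissions(policy, bucket, prefix="export/"):
    """Required actions that no Allow statement grants on the bucket or export prefix."""
    target = {"bucket": f"arn:aws:s3:::{bucket}",
              "object": f"arn:aws:s3:::{bucket}/{prefix}sample-object"}
    return [action for action, level in REQUIRED.items()
            if not any(st.get("Effect") == "Allow"
                       and _glob_any(_as_list(st.get("Action", [])), action, fold=True)
                       and _glob_any(_as_list(st.get("Resource", [])), target[level])
                       for st in _as_list(policy["Statement"]))]

def trust_allows_export(trust_policy):
    """True if export.rds.amazonaws.com is allowed to call sts:AssumeRole."""
    for st in _as_list(trust_policy["Statement"]):
        principal = st.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if (st.get("Effect") == "Allow" and "export.rds.amazonaws.com" in services
                and _glob_any(_as_list(st.get("Action", [])), "sts:AssumeRole", fold=True)):
            return True
    return False

# Constructed sample input: the article's example policy, and a copy scoped to objects only.
ARTICLE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "ExportPolicy", "Effect": "Allow",
    "Action": ["s3:PutObject*", "s3:ListBucket", "s3:GetObject*",
               "s3:DeleteObject*", "s3:GetBucketLocation"],
    "Resource": ["arn:aws:s3:::s3_bucket_name", "arn:aws:s3:::s3_bucket_name/export/*"]}]}
OBJECTS_ONLY = {"Version": "2012-10-17", "Statement": [dict(
    ARTICLE_POLICY["Statement"][0], Resource="arn:aws:s3:::s3_bucket_name/export/*")]}
WRONG_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": "rds.amazonaws.com"},
    "Action": "sts:AssumeRole"}]}

if __name__ == "__main__":
    print(missing_s3_permissions(OBJECTS_ONLY, "s3_bucket_name"), trust_allows_export(WRONG_TRUST))
```

A policy that lists only the object ARN passes the object-level actions but is reported as missing s3:ListBucket and s3:GetBucketLocation, because those two are evaluated against the bucket ARN itself.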
