Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

list_recovery_points_by_resource doesn't work with RDS ARN

See original GitHub issue

Hello,

I found a bug when I try to list recovery points of a RDS resource. API return : An error occurred (AccessDeniedException) when calling the ListRecoveryPointsByResource operation: Insufficient privileges to perform this action.

Tested on python 3.8 lambda with boto3 The simplified code :

import boto3

resourceArn = "arn:aws:rds:eu-west-1:11111111111:db:database-1"

client = boto3.client('backup')

response = client.list_recovery_points_by_resource(ResourceArn=resourceArn)

That’s work on EC2 ARN.

And I have tested with my AWS CLI “aws-cli/2.1.30 Python/3.8.8”, I think CLI use botocore instead of boto3 and the result is not the same but I got an other issue. I can list-recovery-points-by-resource of a RDS ARN but if I had --max-results parameter I got a 403 too.

An error occurred (AccessDeniedException) when calling the ListRecoveryPointsByResource operation: Insufficient privileges to perform this action.

My CLI profile have Administrator access…

Thanks, Ronan

Issue Analytics

State:
Created 3 years ago
Comments:19 (10 by maintainers)

Top GitHub Comments

3reactions

damianaratacommented, Apr 6, 2021

Hi, I resolve this issue by adding rds:describeDBClusterSnapshots on the lambda policy. Of course, this is not a solution. I hope this helps clarify the situation.

1reaction

stobrien89commented, Apr 9, 2021

Hi @tcheksa62,

Glad you got it working! I did some additional testing (using the JavaScript SDK) with the MaxResults parameter and received the same AccessDeniedException when providing a value less than 20— This appears to be an issue with backup parameter validation.

The backup team is working to fix the occurrence of the AccessDeniedException and I just made them aware of the issue with the validation of the MaxResults parameter today— I’ll provide any updates I receive along the way!

Top Results From Across the Web

ListRecoveryPointsByResource - AWS Backup

Returns detailed information about all the recovery points of the type specified by a resource Amazon Resource Name (ARN).

Working with Amazon Resource Names (ARNs) in Amazon RDS

Constructing an ARN for Amazon RDS. Resources created in Amazon Web Services are each uniquely identified with an Amazon Resource Name (ARN). You...

Using K10 with AWS EBS — K10 5.5.1 documentation

While K10 will transparently work with this setup, there are a couple of things ... "arn:aws:iam::<accountID>:role/service-role/AWSBackupDefaultServiceRole" ...

BackupClient | aws-sdk-swift

Resources: “arn:aws:ec2:region:account-id:volume/volume-id” ... Do not include sensitive data, such as passport numbers, in the name of a backup vault.

AWS CloudFormation create RDS cluster and add its ARN to a ...

The problem is that AWS::RDS::DBCluster does not support Fn::GetAtt ARN , and, since RDS add that random string at the end of the...