【发布时间】:2022-11-04 16:22:52
【问题描述】:
我正在尝试使用 AWS CDK 创建备份计划、规则和保管库。部署应用程序后,我在 cloudformation 控制台中收到以下错误。
Resource handler returned message: "Insufficient privileges to perform this action. (Service: Backup, Status Code: 403, Request ID: xxxxxxx)" (RequestToken: xxxxxxxxx, HandlerErrorCode: GeneralServiceException)
我的 CDK 引导角色肯定可以访问备份.请参阅下面的政策文件。
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "cdk",
"Effect": "Allow",
"Action": [
"lambda:*",
"logs:*",
"serverlessrepo:*",
"servicediscovery:*",
"ssm:*",
"cloudformation:*",
"kms:*",
"iam:*",
"sns:*",
"dynamodb:*",
"codepipeline:*",
"cloudwatch:*",
"events:*",
"acm:*",
"sqs:*",
"backup:*"
],
"Resource": "*"
}
]
}
以下是我的 CDK 代码 sn-ps:
备份规则
ruleName: 'myTestRuleName',
completionWindow: Duration.hours(1),
startWindow: Duration.hours(1),
scheduleExpression: events.Schedule.cron({
day: '*',
hour: '2'
}),
deleteAfter: Duration.days(90),
备份库我尝试不使用加密密钥,也尝试使用通过 AWS 备份 Web 界面创建的密钥。没有工作
new backup.BackupVault(this, `${id}-instance`, {
backupVaultName: props.backupVaultName,
// encryptionKey: this.key
})
后备方案
new BackupPlan(scope, `${id}-instance`, {
backupPlanName: context.backupPlanName,
backupPlanRules: context.backupPlanRules,
// backupVault: context.backupVault
});
备份选择我也尝试过不创建角色并让 AWS CDK 创建和使用默认角色。 注意:我还尝试在没有资源选择的情况下创建计划、规则和保管库,以确保问题不会发生在资源选择边。
const role = new iam.Role(this, 'Backup Access Role', { assumedBy: new iam.ServicePrincipal('backup.amazonaws.com') });
const managedPolicy = iam.ManagedPolicy.fromManagedPolicyArn(this, 'AWSBackupServiceRolePolicyForBackup', 'arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup');
role.addManagedPolicy(managedPolicy);
plan.backupPlan.addSelection('selection',
{
resources: [
BackupResource.fromDynamoDbTable(MyTable)
],
//role: role
}
)
``
【问题讨论】:
-
检查此帖子以获取 cdk 权限stackoverflow.com/a/72397104/13126651
标签: amazon-web-services aws-cdk aws-backup