aws / aws-tools-for-powershell

The AWS Tools for PowerShell lets developers and administrators manage their AWS services from the PowerShell scripting environment.
Apache License 2.0

Copy-RDSDBSnapshot : PreSignedUrl could not be authenticated #32

Closed cflex closed 5 years ago

cflex commented 5 years ago

Trying to make a Copy-RDSDBSnapshot request to copy an encrypted RDS instance snapshot from us-east-1 to us-west-2 using AWS Tools for PowerShell version 3.3.553.0.

I am using an IAM instance role with the appropriate permissions as I am able to perform the same operation successfully on another RDS instance snapshot that is not encrypted.

The command I am running is the following:

Copy-RDSDBSnapshot -Region $secondaryRegion -SourceRegion $primaryRegion -SourceDBSnapshotIdentifier $snapshot.DBSnapshotArn -TargetDBSnapshotIdentifier $snapshotName -KmsKeyId $kmsKeyId

The error message I am receiving is

[screenshot of the error message]

This is very similar to issues reported against other AWS SDKs. Here is a link to one of them:

https://github.com/aws/aws-sdk-php/issues/1462

matteo-prosperi commented 5 years ago

Because this cmdlet is a shallow wrapper around the underlying SDK method, this is most likely an issue with the AWS SDK for .NET. We are investigating.
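For readers hitting the same "PreSignedUrl could not be authenticated" error: when -SourceRegion is supplied, the SDK builds a SigV4-presigned CopyDBSnapshot request that RDS replays against the source region, and RDS only accepts it if the request is addressed to and signed for the source region and carries DestinationRegion, SourceDBSnapshotIdentifier and KmsKeyId. The following is an added example, not code from this thread or from the AWS Tools project: a standard-library-only Python check of that structure, useful when you capture the URL the SDK generated (or build one by hand) and want to see which of those conditions it violates. The URLs, account id, KMS key id and signature below are constructed placeholders; the function checks the shape of the URL and the credential scope, it does not verify the signature because it has no signing key.

```python
"""Structural check of the PreSignedUrl used for a cross-region CopyDBSnapshot.

RDS accepts the URL only if it is a SigV4-signed CopyDBSnapshot request that
can run in the *source* region: source-region endpoint, credential scope for
the source region and the rds service, and the DestinationRegion,
SourceDBSnapshotIdentifier and KmsKeyId parameters present. Any mismatch is
reported by RDS as "PreSignedUrl could not be authenticated".
"""
from datetime import datetime, timedelta, timezone
from typing import List, Optional
from urllib.parse import parse_qs, urlparse


def check_presigned_url(url: str, source_region: str, destination_region: str,
                        now: Optional[datetime] = None) -> List[str]:
    """Return the problems found in ``url``; an empty list means it looks valid."""
    problems: List[str] = []
    parts = urlparse(url)
    qs = {k: v[0] for k, v in parse_qs(parts.query).items()}

    # 1. Endpoint: the request must target the RDS endpoint of the source region.
    expected_host = f"rds.{source_region}.amazonaws.com"
    if parts.scheme != "https" or parts.hostname != expected_host:
        problems.append(f"host is {parts.hostname!r}, expected {expected_host!r}")

    # 2. Action: the URL must be a CopyDBSnapshot request, not some other call.
    if qs.get("Action") != "CopyDBSnapshot":
        problems.append(f"Action is {qs.get('Action')!r}, expected 'CopyDBSnapshot'")

    # 3. DestinationRegion ties the URL to the region where the copy is invoked.
    if qs.get("DestinationRegion") != destination_region:
        problems.append(f"DestinationRegion is {qs.get('DestinationRegion')!r}, "
                        f"expected {destination_region!r}")

    # 4. The source snapshot ARN must be an RDS snapshot ARN in the source region.
    arn = qs.get("SourceDBSnapshotIdentifier", "")
    a = arn.split(":")
    if (len(a) < 7 or a[:3] != ["arn", "aws", "rds"] or a[3] != source_region
            or a[5] != "snapshot"):
        problems.append(f"SourceDBSnapshotIdentifier {arn!r} is not a snapshot ARN "
                        f"in {source_region}")

    # 5. Copying an encrypted snapshot needs the destination-region KMS key.
    if not qs.get("KmsKeyId"):
        problems.append("KmsKeyId missing (required for an encrypted snapshot)")

    # 6. SigV4 credential scope: <access-key>/<yyyymmdd>/<region>/rds/aws4_request
    scope = qs.get("X-Amz-Credential", "").split("/")
    if (len(scope) != 5 or scope[2] != source_region or scope[3] != "rds"
            or scope[4] != "aws4_request"):
        problems.append(f"credential scope {qs.get('X-Amz-Credential')!r} is not "
                        f"for rds in {source_region}")
    if qs.get("X-Amz-Algorithm") != "AWS4-HMAC-SHA256":
        problems.append("X-Amz-Algorithm is not AWS4-HMAC-SHA256")
    for name in ("X-Amz-Date", "X-Amz-Expires", "X-Amz-SignedHeaders", "X-Amz-Signature"):
        if name not in qs:
            problems.append(f"{name} missing")

    # 7. Expiry and date consistency between X-Amz-Date and the credential scope.
    if "X-Amz-Date" in qs and "X-Amz-Expires" in qs:
        signed_at = datetime.strptime(qs["X-Amz-Date"], "%Y%m%dT%H%M%SZ").replace(
            tzinfo=timezone.utc)
        expires_at = signed_at + timedelta(seconds=int(qs["X-Amz-Expires"]))
        current = now or datetime.now(timezone.utc)
        if current >= expires_at:
            problems.append(f"URL expired at {expires_at.isoformat()}")
        if len(scope) == 5 and scope[1] != qs["X-Amz-Date"][:8]:
            problems.append("credential scope date does not match X-Amz-Date")
    return problems


# Constructed sample URLs (placeholder account id, key id and all-zero signature).
_COMMON = (
    "&SourceDBSnapshotIdentifier=arn%3Aaws%3Ards%3Aus-east-1%3A123456789012%3Asnapshot%3Atest-snap"
    "&TargetDBSnapshotIdentifier=test-snap"
    "&KmsKeyId=arn%3Aaws%3Akms%3Aus-west-2%3A123456789012%3Akey%2F11111111-2222-3333-4444-555555555555"
    "&Version=2014-10-31&X-Amz-Algorithm=AWS4-HMAC-SHA256"
    "&X-Amz-Date=20190808T144010Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host"
    "&X-Amz-Signature=" + "0" * 64
)
# Correct: addressed to and signed for the source region (us-east-1).
GOOD_URL = ("https://rds.us-east-1.amazonaws.com/?Action=CopyDBSnapshot&DestinationRegion=us-west-2"
            "&X-Amz-Credential=AKIAIOSFODNN7EXAMPLE%2F20190808%2Fus-east-1%2Frds%2Faws4_request" + _COMMON)
# Wrong: generated against the destination region instead of the source region.
BAD_URL = ("https://rds.us-west-2.amazonaws.com/?Action=CopyDBSnapshot&DestinationRegion=us-west-2"
           "&X-Amz-Credential=AKIAIOSFODNN7EXAMPLE%2F20190808%2Fus-west-2%2Frds%2Faws4_request" + _COMMON)
FIXED_NOW = datetime(2019, 8, 8, 14, 50, tzinfo=timezone.utc)

if __name__ == "__main__":
    for label, url in (("good", GOOD_URL), ("bad", BAD_URL)):
        print(label, check_presigned_url(url, "us-east-1", "us-west-2", now=FIXED_NOW))
```

Run it against the URL the SDK actually produced (for example by capturing the CopyDBSnapshot request with a debugging proxy) with the same -SourceRegion and -Region values you pass to Copy-RDSDBSnapshot; an empty list means the failure is elsewhere, for instance in the permissions of the principal whose credentials signed the URL.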

boblodgett commented 5 years ago

I tried to reproduce this problem with version 3.3.553.0 of both AWSPowerShell and AWSPowerShell.NetCore using the following command:

Copy-RDSDBSnapshot -Region "us-west-2" -SourceRegion "us-east-1" -SourceDBSnapshotIdentifier "arn:aws:rds:us-east-1:.....:snapshot:myeastsnapshot" -TargetDBSnapshotIdentifier "MyeastCopiedsnapshot4" -KmsKeyId "b91b7b3a-955f-4fd2-8326-c59cf877c260"

Which worked with the following output:

AllocatedStorage                 : 20
AvailabilityZone                 :
DBInstanceIdentifier             : database-1
DbiResourceId                    :
DBSnapshotArn                    : arn:aws:rds:us-west-2:........:snapshot:myeastcopiedsnapshot4
DBSnapshotIdentifier             : myeastcopiedsnapshot4
Encrypted                        : True
Engine                           : sqlserver-ex
EngineVersion                    : 14.00.3049.1.v1
IAMDatabaseAuthenticationEnabled : False
InstanceCreateTime               : 8/8/2019 2:40:10 PM
Iops                             : 0
KmsKeyId                         : arn:aws:kms:us-west-2:..........:key/b91b7b3a-955f-4fd2-8326-c59cf877c260
LicenseModel                     : license-included
MasterUsername                   : admin
OptionGroupName                  :
PercentProgress                  : 0
Port                             : 1433
ProcessorFeatures                : {}
SnapshotCreateTime               : 1/1/0001 12:00:00 AM
SnapshotType                     : manual
SourceDBSnapshotIdentifier       : arn:aws:rds:us-east-1:..........:snapshot:myeastsnapshot
SourceRegion                     : us-east-1
Status                           : pending
StorageType                      : gp2
TdeCredentialArn                 :
Timezone                         :
VpcId                            :

I am unable to reproduce the problem at this time. Can you provide me a script that creates an environment from scratch that can reproduce the problem?

cflex commented 5 years ago

Is the source RDS snapshot encrypted in your test? I am able to copy an unencrypted RDS snapshot to an encrypted one across regions; I am just not able to copy an encrypted RDS snapshot to a different region.

boblodgett commented 5 years ago

Yes, I made sure the source snapshot was encrypted. Source and copied snapshot are encrypted. Shown in the output above -- "Encrypted : True"

cflex commented 5 years ago

Here are the commands I ran to reproduce the issue

New-RDSDBInstance -DBInstanceIdentifier "Test" -AllocatedStorage 10 -AvailabilityZone "us-east-1a" -DBInstanceClass "db.t3.micro" -DBSubnetGroupName "[subnet group name]" -Engine "mysql" -KmsKeyId "[KMS KEY ID]" -StorageEncrypted $true -StorageType "gp2" -MasterUsername "[master username]" -MasterUserPassword "[master password]"

New-RDSDBSnapshot -DBSnapshotIdentifier "Test-Snap" -DBInstanceIdentifier "Test"

Copy-RDSDBSnapshot -Region "us-west-2" -SourceRegion "us-east-1" -SourceDBSnapshotIdentifier "arn:aws:rds:us-east-1:[AWS Account]:snapshot:rds:[snapshot name]" -TargetDBSnapshotIdentifier "Test-Snap" -KmsKeyId "[KMS KEY ID]"

My IAM role has the following RDS access

rds:CreateDBSnapshot
rds:CreateDBInstance
rds:CopyDBSnapshot
rds:DeleteDBSnapshot
rds:ListTagsForResource
rds:RebootDBInstance
rds:ModifyDBInstance
rds:DescribeDBSnapshots
rds:DescribeDBInstances

No CloudTrail authorization failure events logged.

[screenshot of the PowerShell module version]

cflex commented 5 years ago

Does this provide the information you need to reproduce?

matteo-prosperi commented 5 years ago

Hello, I tried the following, which is just minimal changes from your provided sample:

$instanceName = 'Test4'
$snapshotName = 'Test-Snap'

$sourceRegion = 'us-east-1'
$destinationRegion = 'us-west-2'

$sourceKey = New-KMSKey -Region $sourceRegion 
$destinationKey = New-KMSKey -Region $destinationRegion

New-RDSDBInstance -DBInstanceIdentifier $instanceName -AllocatedStorage 10 -DBInstanceClass 'db.t3.micro' -Engine 'mysql' -KmsKeyId $sourceKey.KeyId -StorageEncrypted $true -StorageType 'gp2' -MasterUsername 'masterUser' -MasterUserPassword 'master1234' -Region $sourceRegion -AvailabilityZone 'us-east-1a'

$snapshot = New-RDSDBSnapshot -DBSnapshotIdentifier $snapshotName -DBInstanceIdentifier $instanceName -Region $sourceRegion

Copy-RDSDBSnapshot -Region $destinationRegion -SourceRegion $sourceRegion -SourceDBSnapshotIdentifier $snapshot.DBSnapshotArn -TargetDBSnapshotIdentifier $snapshotName -KmsKeyId $destinationKey.KeyId

The whole sequence of commands worked.

I am running these with full admin privileges on my AWS account.

You should be able to replicate the commands above with no changes against your account (provided that you have privileges).

I am using

AWS Tools for Windows PowerShell
Version 3.3.563.1

cflex commented 5 years ago

Thanks for the additional information, this appears to have been a condition issue that I had on my IAM policy that was preventing the copy of encrypted snapshots.