Closed LijieZhou closed 5 years ago
You can't share a snapshot that has been encrypted using the default AWS KMS encryption key of the AWS account that shared the snapshot. https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_ShareSnapshot.html
I fixed the problem by changing one method in the takeSnapshot Lambda function in the source account, assuming the source account does auto-backup. The idea is to copy the automated backup snapshots with a given KMS key (instead of the default). I will submit a PR just in case someone also needs this feature.
So correct me if I am wrong: the snapshots created by copying the DB instance are encrypted by the default KMS key. Since `create_db_snapshot` does not take KMS as a parameter, I wound up using `copy_db_snapshot` instead. I chose to copy the latest automated snapshots (sorted by timestamp) and pass the KMS key in that way.
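The approach described in the comment above, sketched as an added example (not the code from the PR or the project): pick the newest available automated snapshot and copy it under a customer managed KMS key so the copy can be shared. `describe_db_snapshots` and `copy_db_snapshot` are the boto3 RDS client calls; `copy_latest_with_key`, `FakeRDS`, the `appdb` instance name and the sample snapshots are hypothetical and constructed so the block runs offline.

```python
from datetime import datetime, timezone

def latest_automated_snapshot(rds, db_instance_id):
    """Newest 'available' automated snapshot for the instance, or None."""
    snaps, marker = [], None
    while True:
        kwargs = {"DBInstanceIdentifier": db_instance_id, "SnapshotType": "automated"}
        if marker:
            kwargs["Marker"] = marker
        page = rds.describe_db_snapshots(**kwargs)
        # Snapshots still being created are not copyable yet; skip them.
        snaps += [s for s in page["DBSnapshots"] if s.get("Status") == "available"]
        marker = page.get("Marker")
        if not marker:
            break
    return max(snaps, key=lambda s: s["SnapshotCreateTime"], default=None)

def copy_latest_with_key(rds, db_instance_id, kms_key_id, suffix="-shareable"):
    """Re-encrypt the newest automated snapshot under kms_key_id via a copy."""
    if kms_key_id.endswith("alias/aws/rds"):
        raise ValueError("default RDS key: the copy could not be shared")
    snap = latest_automated_snapshot(rds, db_instance_id)
    if snap is None:
        raise LookupError(f"no available automated snapshot for {db_instance_id}")
    # Automated ids look like "rds:<name>"; manual ids cannot contain ':'.
    target = snap["DBSnapshotIdentifier"].split(":", 1)[-1] + suffix
    rds.copy_db_snapshot(
        SourceDBSnapshotIdentifier=snap["DBSnapshotIdentifier"],
        TargetDBSnapshotIdentifier=target,
        KmsKeyId=kms_key_id,
        CopyTags=True,
    )
    return target

class FakeRDS:
    """Offline stand-in for boto3.client('rds'); data below is constructed."""
    def __init__(self):
        self.copies = []
    def describe_db_snapshots(self, **kwargs):
        t = lambda d: datetime(2020, 1, d, tzinfo=timezone.utc)
        return {"DBSnapshots": [
            {"DBSnapshotIdentifier": "rds:appdb-2020-01-01", "Status": "available", "SnapshotCreateTime": t(1)},
            {"DBSnapshotIdentifier": "rds:appdb-2020-01-03", "Status": "available", "SnapshotCreateTime": t(3)},
            {"DBSnapshotIdentifier": "rds:appdb-2020-01-04", "Status": "creating"},
        ]}
    def copy_db_snapshot(self, **kwargs):
        self.copies.append(kwargs)
```

With a real client, pass `boto3.client("rds")` in place of `FakeRDS()`; the secondary account also needs permission to use the KMS key before it can copy the shared snapshot.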
Hey,
I ran into an issue when trying to copy the encrypted snapshots to the secondary account. The snapshots in the primary account are created using the default KMS key; however, AWS does not allow those to be shared with the secondary account for security reasons. Any idea how to fix that?