I am creating backups of my DynamoDB tables using AWS Backup in my source account A and storing the recovery point ARNs in a vault named X in source account A.
I need to copy and restore the backup in another account named B. I am following the steps below, but my process is failing with the error:
software.amazon.awssdk.services.backup.model.BackupException: Insufficient privileges to perform this action. (Service: Backup, Status Code: 403)
Steps to recreate:
- Create backup and store the backup in vault X in account A.
- Give permission to target account B to perform action "CopyFromBackupVault" using the vault access policy for vault X of source account.
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "AWS": "arn:aws:iam::account_B_id:root"
        },
        "Action": "backup:CopyFromBackupVault",
        "Resource": "*"
      }
    ]
  }
- Give permission to source account A to perform action "CopyIntoBackupVault" using the vault access policy for vault Y of target account.
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "AWS": [
            "arn:aws:iam::account_A_id:root",
            "arn:aws:iam::account_B_id:root"
          ]
        },
        "Action": "backup:CopyIntoBackupVault",
        "Resource": "*"
      }
    ]
  }
After these steps, from target account B, I am initiating the copy job, but it is failing with the error:
software.amazon.awssdk.services.backup.model.BackupException: Insufficient privileges to perform this action. (Service: Backup, Status Code: 403)
Restore backup (Not able to reach this step)
Please note, the role I am using has all the permissions required to perform backup actions. I reckon the issue lies in the vault access policies. Please help. Thank you!
I have tried every step mentioned in the AWS documentation that I could find. I have checked with ChatGPT but nothing resolved my issue.
I am expecting my backup to be copied and then restored without any issue.
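
A pre-flight check for the two vault access policies described in the steps above, added here as an example that is not part of the original post: it confirms each document parses as JSON and lists which accounts its Allow statements grant a given action. The account IDs, variable names and function names are constructed placeholders, and the check reads only the policy text (it does not model Deny statements, conditions, IAM role permissions or organization-level settings).

```python
import json
import re
from fnmatch import fnmatchcase

# Constructed sample policies; the 12-digit account IDs are placeholders
# (111111111111 = source account A, 222222222222 = target account B).
VAULT_X_POLICY = """{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
  "Action": "backup:CopyFromBackupVault", "Resource": "*"}]}"""
VAULT_Y_POLICY = """{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow",
  "Principal": {"AWS": ["arn:aws:iam::111111111111:root",
                        "arn:aws:iam::222222222222:root"]},
  "Action": "backup:CopyIntoBackupVault", "Resource": "*"}]}"""

def _as_list(value):
    # Principal.AWS, Action and Statement may each be one item or a list.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _account_of(principal):
    # Accepts "*", a bare account ID, or an IAM ARN; returns the account ID.
    if principal == "*":
        return "*"
    m = re.fullmatch(r"(?:arn:aws:iam::)?(\d{12})(?::.*)?", principal)
    return m.group(1) if m else None

def allowed_accounts(policy_text, action):
    """Return the accounts that the policy's Allow statements grant `action`."""
    try:
        policy = json.loads(policy_text)
    except json.JSONDecodeError as exc:
        # e.g. a closing brace lost while copying the document
        raise ValueError(f"not valid JSON: {exc.msg} (line {exc.lineno})") from exc
    accounts = set()
    for stmt in _as_list(policy.get("Statement")):
        actions = _as_list(stmt.get("Action"))
        # Action names are case-insensitive and may use * and ? wildcards.
        if stmt.get("Effect") != "Allow" or not any(
                fnmatchcase(action.lower(), a.lower()) for a in actions):
            continue
        principal = stmt.get("Principal")
        names = _as_list(principal.get("AWS") if isinstance(principal, dict) else principal)
        accounts.update(filter(None, map(_account_of, names)))
    return accounts

if __name__ == "__main__":
    print("vault X:", allowed_accounts(VAULT_X_POLICY, "backup:CopyFromBackupVault"))
    print("vault Y:", allowed_accounts(VAULT_Y_POLICY, "backup:CopyIntoBackupVault"))
```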