Importing Postgres backup to Heroku from AWS S3

[enoren5]

I’m learning how to handle Postgres instances by backing them up and restoring them on Heroku for a Django project (a small rudimentary CMS). The amount of data is a few hundred kilobytes because it's just text that I am storing in my my db. I'm practicing backups and restores just to learn for fun.

I realize this is loosely related to Python/Django, but it does fall into the general category of development / programming. I hope my post is welcome here.

I downloaded the binary data to my local machine using this particular section of the Heroku doc.

The next step was to create an AWS account, including setting up Access Keys which I located in the dashboard and entered them into my local dev environment. I named my bucket. I uploaded the binary to S3.

I’ve made it all the way to the end of Heroku’s import Postgres guide.

I install the awscli package with pip which enabled me to presign my s3 bucket (which succeeded).

I am right at the final step of importing my backup to Heroku Postgres. I am so close!

My traceback at this point indicates that Heroku is expecting an HTTP 200 (request has succeeded) but instead it receives an HTTP 400 (can’t process) ‘due to the source URL being inaccessible’. This points towards the restrictive permissions in place on my AWS S3 bucket.

You can find my traceback in full at the bottom issue.

With regards to my AWS S3 bucket, in the dashboard, the main Permissions switch relevant here is the “Block all public access” option. Whether this checkbox is enabled or disabled (I carefully tried both), I encountered the same HTTP 200/400 in my traceback. This is where I believe the issue is.

I’m not sure what else to try. I’m also a little concerned that with the vast number of variables available for Amazon’s S3 service, I don’t know how I might share or export my configuration nicely for you people to take a closer look. What other information could I provide to better help you people help me?

Here is the restore command I am using:

$ heroku pg:backups:restore 'https://postgres-restore-tarot-juicer.s3.amazonaws.com/2021June25_8801def6-27e0-4b88-875b-842be5704f0b\?X-Amz-Algorithm\=AWS4-HMAC-SHA256\&X-Amz-Credential\=AKIAY6KWYZACZM3OX2O6%2F20210625%2FOhio%2Fs3%2Faws4_request\&X-Amz-Date\=20210625T111617Z\&X-Amz-Expires\=3600\&X-Amz-SignedHeaders\=host\&X-Amz-Signature\=d56d7156537e03b7714c76e51f23eac9b08753a31b963818708d86cc77787f31' HEROKU_POSTGRESQL_SILVER --remote heroku --app tarot-prod --confirm tarot-prod

 ›   Warning: heroku update available from 7.50.0 to 7.54.1.
Starting restore of https://postgres-restore-tarot-juicer.s3.amazonaws.com/2021June25_8801def6-27e0-4b88-875b-842be5704f0b\?X-Amz-Algorithm\=AWS4-HMAC-SHA256\&X-Amz-Credential\=AKIAY6KWYZACZM3OX2O6%2F20210625%2FOhio%2Fs3%2Faws4_request\&X-Amz-Date\=20210625T111617Z\&X-Amz-Expires\=3600\&X-Amz-SignedHeaders\=host\&X-Amz-Signature\=d56d7156537e03b7714c76e51f23eac9b08753a31b963818708d86cc77787f31 to postgresql-lorem-1... done

Use Ctrl-C at any time to stop monitoring progress; the backup will continue restoring.
Use heroku pg:backups to check progress.
Stop a running restore with heroku pg:backups:cancel.

Restoring... !
 ▸    An error occurred and the backup did not finish.
 ▸    
 ▸    waiting for restore to complete
 ▸    pg_restore finished with errors
 ▸    waiting for download to complete
 ▸    download finished with errors
 ▸    please check the source URL and ensure it is publicly accessible
 ▸    
 ▸    Run heroku pg:backups:info r039 for more details.

Right at the end there, it recommends to use this info command:

$ heroku pg:backups:info r038
 ›   Warning: heroku update available from 7.50.0 to 7.54.1.
 ›   Error: Multiple apps in git remotes
 ›     Usage: --remote staging
 ›        or: --app tarot-testing
 ›     Your local git repository has more than 1 app referenced in git remotes.
 ›     Because of this, we can't determine which app you want to run this command against.
 ›     Specify the app you want with --app or --remote.
 ›     Heroku remotes in repo:
 ›     tarot-prod (heroku)
 ›   tarot-testing (staging)
 ›
 ›     https://devcenter.heroku.com/articles/multiple-environments

[alienware]

One reason may be that while using the awscli tool, in incorrect region is configured in your config / command. In this case, it should be us-east-2.

[enoren5]

In my postgres-restore-tarot-juicer S3 bucket, @UmarGit added some JSON to the “Bucket Policy” under the bucket’s Permissions tab. Here is the JSON:

{
    "Version": "2012-10-17",
    "Id": "Policy1625513624874",
    "Statement": [
        {
            "Sid": "Stmt1625513623122",
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::postgres-restore-tarot-juicer/*"
        }
    ]
}

I presign the aws URL like so:

$ aws s3 presign s3://postgres-restore-tarot-juicer/2021June25_8801def6-27e0-4b88-875b-842be5704f0b

https://postgres-restore-tarot-juicer.s3.amazonaws.com/2021June25_8801def6-27e0-4b88-875b-842be5704f0b?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAY6KWYZACZM3OX2O6%2F20210707%2FOhio%2Fs3%2Faws4_request&X-Amz-Date=20210707T000659Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Signature=e722bdbe239d26a66f9bd51817ded67824bc56bbd051129ec09489128db9a0b1

I then invoke heroku’s restore command (using the signed URL generated above) :

$  heroku pg:backups:restore 'https://postgres-restore-tarot-juicer.s3.amazonaws.com/2021June25_8801def6-27e0-4b88-875b-842be5704f0b?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAY6KWYZACZM3OX2O6%2F20210707%2FOhio%2Fs3%2Faws4_request&X-Amz-Date=20210707T000659Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Signature=e722bdbe239d26a66f9bd51817ded67824bc56bbd051129ec09489128db9a0b1' HEROKU_POSTGRESQL_PUCE_URL --remote heroku --app tarot-prod --confirm tarot-prod
 ›   Warning: heroku update available from 7.50.0 to 7.54.1.
Starting restore of https://postgres-restore-tarot-juicer.s3.amazonaws.com/2021June25_8801def6-27e0-4b88-875b-842be5704f0b?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAY6KWYZACZM3OX2O6%2F20210707%2FOhio%2Fs3%2Faws4_request&X-Amz-Date=20210707T000659Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Signature=e722bdbe239d26a66f9bd51817ded67824bc56bbd051129ec09489128db9a0b1 to postgresql-animate-93816... done

Use Ctrl-C at any time to stop monitoring progress; the backup will continue restoring.
Use heroku pg:backups to check progress.
Stop a running restore with heroku pg:backups:cancel.

Restoring... !
 ▸    An error occurred and the backup did not finish.
 ▸    
 ▸    waiting for restore to complete
 ▸    pg_restore finished with errors
 ▸    waiting for download to complete
 ▸    download finished with errors
 ▸    please check the source URL and ensure it is publicly accessible
 ▸    
 ▸    Run heroku pg:backups:info r040 for more details.

So it failed. The tail of that traceback suggests more information is available by using the prescribed command. Here it is:

$ heroku pg:backups:info r040
 ›   Warning: heroku update available from 7.50.0 to 7.54.1.
 ›   Error: Multiple apps in git remotes
 ›     Usage: --remote staging
 ›        or: --app tarot-testing
 ›     Your local git repository has more than 1 app referenced in git remotes.
 ›     Because of this, we can't determine which app you want to run this command against.
 ›     Specify the app you want with --app or --remote.
 ›     Heroku remotes in repo:
 ›     tarot-prod (heroku)
 ›   tarot-testing (staging)
 ›
 ›     https://devcenter.heroku.com/articles/multiple-environments

That error is pointing to my (potential mis-) use of --remote or --app switches, which you can see above in my command. What is the issue with my remote/app parameters?

[UmarGit]

@enoren5 brother checking.

[UmarGit]

@enoren5 Brother

Now I had read their documentation about signing a bucket uri, Basically you are putting the object url of that file, and we need s3 URI for our purpose, Now your command becomes:

aws s3 presign s3://postgres-restore-tarot-juicer/2021June25_8801def6-27e0-4b88-875b-842be5704f0b

# After executing the above command you will get a signed url ( <SIGNED URL> ) now then you can put that in Heroku command

heroku pg:backups:restore '<SIGNED URL>' HEROKU_POSTGRESQL_PUCE_URL --app tarot-prod

# They just mentioned the app name only in command, first run with it then if error appears try with remote name like `tarot_prod` not `heroku`

Note for '<SIGNED URL>' If you’re using a Unix-like operating system be sure to use single quotes around the temporary S3 URL, because it might contain ampersands and other characters that will confuse your shell. If you’re running Windows, you must use double-quotes.

[alienware]

The error while using heroku pg:backups:info r040 command may go away if you try heroku pg:backups:info r040 --app tarot-prod.

I believe this error is not related to the root cause of restore failure, but is there because the info command does not know which postgres instance to run the command against. Hopefully will give you some details after running it successfully.

Regarding the presigned URL, do verify once after generating the URL, that you can visit the URL from your browser and access the content without any 4xx error.

[enoren5]

@enoren5 Brother

Now I had read their documentation about signing a bucket uri, Basically you are putting the object url of that file, and we need s3 URI for our purpose, Now your command becomes:

aws s3 presign s3://postgres-restore-tarot-juicer/2021June25_8801def6-27e0-4b88-875b-842be5704f0b

# After executing the above command you will get a signed url ( <SIGNED URL> ) now then you can put that in Heroku command

@UmarGit: I used tried this command exactly as I wrote above. I presigned an S3 URl. To quote myself above and to reiterate, here is the output of that command:

$ aws s3 presign s3://postgres-restore-tarot-juicer/2021June25_8801def6-27e0-4b88-875b-842be5704f0b

https://postgres-restore-tarot-juicer.s3.amazonaws.com/2021June25_8801def6-27e0-4b88-875b-842be5704f0b?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAY6KWYZACZM3OX2O6%2F20210707%2FOhio%2Fs3%2Faws4_request&X-Amz-Date=20210707T000659Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Signature=e722bdbe239d26a66f9bd51817ded67824bc56bbd051129ec09489128db9a0b1

Next you suggested another command:

heroku pg:backups:restore '<SIGNED URL>' HEROKU_POSTGRESQL_PUCE_URL --app tarot-prod

# They just mentioned the app name only in command, first run with it then if error appears try with remote name like `tarot_prod` not `heroku`

I already tried this (as I documented in my comment from yesterday). To quote myself again:

$  heroku pg:backups:restore 'https://postgres-restore-tarot-juicer.s3.amazonaws.com/2021June25_8801def6-27e0-4b88-875b-842be5704f0b?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAY6KWYZACZM3OX2O6%2F20210707%2FOhio%2Fs3%2Faws4_request&X-Amz-Date=20210707T000659Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Signature=e722bdbe239d26a66f9bd51817ded67824bc56bbd051129ec09489128db9a0b1' HEROKU_POSTGRESQL_PUCE_URL --remote heroku --app tarot-prod --confirm tarot-prod

Take note of the switches at the end. You may need to scroll to the right. To quote myself again, here is the output of this command:

 ›   Warning: heroku update available from 7.50.0 to 7.54.1.
Starting restore of https://postgres-restore-tarot-juicer.s3.amazonaws.com/2021June25_8801def6-27e0-4b88-875b-842be5704f0b?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAY6KWYZACZM3OX2O6%2F20210707%2FOhio%2Fs3%2Faws4_request&X-Amz-Date=20210707T000659Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Signature=e722bdbe239d26a66f9bd51817ded67824bc56bbd051129ec09489128db9a0b1 to postgresql-animate-93816... done

Use Ctrl-C at any time to stop monitoring progress; the backup will continue restoring.
Use heroku pg:backups to check progress.
Stop a running restore with heroku pg:backups:cancel.

Restoring... !
 ▸    An error occurred and the backup did not finish.
 ▸    
 ▸    waiting for restore to complete
 ▸    pg_restore finished with errors
 ▸    waiting for download to complete
 ▸    download finished with errors
 ▸    please check the source URL and ensure it is publicly accessible
 ▸    
 ▸    Run heroku pg:backups:info r040 for more details.

However I have some new progress. Here is the output from @alienware's recommended command:

$ heroku pg:backups:info r040 --app tarot-prod 
 ›   Warning: heroku update available from 7.50.0 to 7.54.1.
=== Backup r040
Database:         BACKUP
Started at:       2021-07-07 00:10:17 +0000
Finished at:      2021-07-07 00:10:17 +0000
Status:           Failed
Type:             Manual
Backup Size:      0.00B (0% compression)

=== Backup Logs
2021-07-07 00:10:17 +0000 2021/07/07 00:10:17 aborting: could not write to output stream: Expected HTTP Status 200, received: "400 Bad Request"
2021-07-07 00:10:17 +0000 pg_restore: error: could not read from input file: end of file
2021-07-07 00:10:17 +0000 waiting for restore to complete
2021-07-07 00:10:17 +0000 pg_restore finished with errors
2021-07-07 00:10:17 +0000 waiting for download to complete
2021-07-07 00:10:17 +0000 download finished with errors
2021-07-07 00:10:17 +0000 please check the source URL and ensure it is publicly accessible

Based on this output, it looks like there is still a permissions issue.

[enoren5]

Regarding the presigned URL, do verify once after generating the URL, that you can visit the URL from your browser and access the content without any 4xx error.

When I navigate to the presigned https:// web address (my S3 bucket), here is what it says:

This XML file does not appear to have any style information associated with it. The document tree is shown below.
<Error>
<Code>AccessDenied</Code>
<Message>Request has expired</Message>
<X-Amz-Expires>3600</X-Amz-Expires>
<Expires>2021-07-07T01:06:59Z</Expires>
<ServerTime>2021-07-07T10:53:35Z</ServerTime>
<RequestId>3WD5533RANDGPJK8</RequestId>
<HostId>AD2cM2WTE171ZEQdPr7ELlZkeesO/XfSaT5pz6iGIFjRkvX++31cRjyl6wWL/skukRuXY3gvotU=</HostId>
</Error>

[alienware]

Regarding the presigned URL, do verify once after generating the URL, that you can visit the URL from your browser and access the content without any 4xx error.

When I navigate to the presigned https:// web address (my S3 bucket), here is what it says:

This XML file does not appear to have any style information associated with it. The document tree is shown below.
<Error>
<Code>AccessDenied</Code>
<Message>Request has expired</Message>
<X-Amz-Expires>3600</X-Amz-Expires>
<Expires>2021-07-07T01:06:59Z</Expires>
<ServerTime>2021-07-07T10:53:35Z</ServerTime>
<RequestId>3WD5533RANDGPJK8</RequestId>
<HostId>AD2cM2WTE171ZEQdPr7ELlZkeesO/XfSaT5pz6iGIFjRkvX++31cRjyl6wWL/skukRuXY3gvotU=</HostId>
</Error>

The link expires after 3600s or 60m, Request has expired messages suggests that the link was generated at least an hour ago and so is returning AccessDenied error. Please generate a fresh presigned URL and try within an hour to access the link and it should return you the content without 4xx error.

[enoren5]

Thank you, @alienware!

I presign’ed a fresh URI. It still won’t backup. However based on your previous advice, I tried opening the URI in my web browser which is turning up a new XML error message. Here it is in full:

<Error>
<Code>AuthorizationQueryParametersError</Code>
<Message>Error parsing the X-Amz-Credential parameter; the region 'Ohio' is wrong; expecting 'us-east-2'</Message>
<Region>us-east-2</Region>
<RequestId>HE7VKJF3RZWX33WN</RequestId>
<HostId>unDhT5Y1hQTIxAdm3JhavOVJfx/5DDNTkEN/W/KSon/5WC53HkIdM1A1TutFKnfGnW5O9X51BFE=</HostId>
</Error>

So the problem now is pointing to the region / location, as @alienware already noted a few days previous.

I looked into this and on Google I encountered the AWS CLI User Guide for command line options. I figure I need to change the aws region setting. As outlined in that guide, the two switches which I tried were: aws --endpoint-url us-east-2 as well as aws --region us-east-2. That didn’t work. I tried presign’ing the s3 bucket again with my full command and appending --region us-east-2 both to the end and beginning like so:

$ aws s3 presign s3://postgres-restore-tarot-juicer/2021June25_8801def6-27e0-4b88-875b-842be5704f0b --region us-east-2

https://postgres-restore-tarot-juicer.s3.amazonaws.com/2021June25_8801def6-27e0-4b88-875b-842be5704f0b?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAY6KWYZACZM3OX2O6%2F20210707%2Fus-east-2%2Fs3%2Faws4_request&X-Amz-Date=20210707T123301Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Signature=2d0f83293c6311704dbe8daaa6dff6d05083aec0edfc3957935172fcb4b0b0b7

$ aws s3 presign --region us-east-2 s3://postgres-restore-tarot-juicer/2021June25_8801def6-27e0-4b88-875b-842be5704f0b

https://postgres-restore-tarot-juicer.s3.amazonaws.com/2021June25_8801def6-27e0-4b88-875b-842be5704f0b?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAY6KWYZACZM3OX2O6%2F20210707%2Fus-east-2%2Fs3%2Faws4_request&X-Amz-Date=20210707T123410Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Signature=adda7fad1ab8d3a0281b75ebf3d7d3d3d0061f10af4a05e806d44f82ce34509a

$ aws s3 --region us-east-2 presign s3://postgres-restore-tarot-juicer/2021June25_8801def6-27e0-4b88-875b-842be5704f0b

https://postgres-restore-tarot-juicer.s3.amazonaws.com/2021June25_8801def6-27e0-4b88-875b-842be5704f0b?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAY6KWYZACZM3OX2O6%2F20210707%2Fus-east-2%2Fs3%2Faws4_request&X-Amz-Date=20210707T123815Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Signature=893b734c8e96eb32f8b4424a45235a59f33f6446650d6fcde5970f5934890d9b

When I go to any 3 of those links, I am getting a new XML error:

This XML file does not appear to have any style information associated with it. The document tree is shown below.
<Error>
<Code>InvalidAccessKeyId</Code>
<Message>The AWS Access Key Id you provided does not exist in our records.</Message>
<AWSAccessKeyId>AKIAY6KWYZACZM3OX2O6</AWSAccessKeyId>
<RequestId>2PCRJAQNQCPHMMBB</RequestId>
<HostId>0UjpYKrAMMf+AEzuhqcHGJ6Lma/9PBsNXy6qN911AO4vL7enfdGtrhqTV7bu6GAZCmvxRKortvY=</HostId>
</Error>

I'm stabbing in the dark here now. Any ideas for what I could try next?

[alienware]

That's good news, all progress comes with new problems and learning. 😄

This seems like a AWS account secrets configuration issue in your machine/terminal. You should make sure that your AWS_ACCESS_KEY_ID value in ~/.aws/credentials or ~/.aws/config file should be exactly same as the one found in IAM users section in AWS console. It seems that either an incorrect value (in AKIAY6KWYZACZM3OX2O6 O maybe 0) is being used or that particular IAM user has been removed.

You are not facing incorrect credentials issue while generating presigned URL as you are generating such a link locally, to be used at a later time, and the access validation is done when you access the link and hit S3 service. The most likely resolution, according to me, may require creating a new IAM programmatic user and re-configure awscli using aws configure.

Best wishes! 👍

[enoren5]

You were right, @alienware, the issue was with my aws configuration. There were two AWS_ACCESS_KEY_ID's in my AWS console. I just made the right one active. For good measure, I exported these variables in my shell like so:

export AWS_ACCESS_KEY_ID=<my-active-aws-access-key-id>
export AWS_SECRET_ACCESS_KEY=<my-aws-secret-access-key>
export AWS_DEFAULT_REGION=us-east-2

Eureka! That worked! I successfully uploaded and restored my Postgres binary on Heroku.

It's also worth pointing out that to locate the unique AWS configuration variables that I needed to export in my shell in my AWS Console I leveraged the answers to this SO question.

Thanks alienware for your guidance and for your guidance as well, @UmarGit!

[alienware]

Happy to be of some help @enoren5.

I got to know of your repository and requirements through the bounty project that you had posted on Upwork. If your offer is still open, I would love to take a stab at the whole $85 bounty by helping to resolve the rest of the issues after getting familiar with your work.

[enoren5]

I thank you for your support so far @alienware but I have already hired. In my job description I did clearly state this (verbatim):

***PLEASE NOTE: Do not complete this requirements until after I hire you. If you go ahead and post PR’s on my public repo when I haven’t hired you yet, then you aren’t going to get paid for your work. Please only begin work after I hire you.

Most Upwork freelance job postings for web development created by other contractors don't usually include links to GitHub repos. You saw my repo and began work before you and I agreed to work together. So your comments are 'technically' volunteer work. I'm not trying to be mean or an asshole, but I have already funded my Upwork contract with a freelancer who is currently working on my other requirements. I can't change that now. I'm not going to pay two people $85 to complete the same requirements. It's way too late.

I apologize. Next time I make a job posting, I will try to make it even more clear that GitHub Issue comments and PR's will not be compensated until we agree to partner together. Or perhaps to avoid this situation, I should just not post a link to my GitHub repo in the job description at all. =/

[alienware]

Thank you @enoren5 for detailing the situation to me and please, there is no need for you to worry or apologize. I was aware of your note regarding when to begin work; I felt the requirements were much easier to approach due to you posting your repo and I would say that it is a much welcome approach to portray requirements.

I absolutely understand if you have already concluded your freelancer search. There is no expectation of any payment from my side; I only wanted to apply for the job in case the offer was still open. No worries, I'll apply the next time. 😀