Error creating Backup Vault #6

Closed
GuilhermeRizzottoLis opened this issue Feb 7, 2020 · 14 comments

@GuilhermeRizzottoLis

Hey man, I'm trying to use your repo, but I'm always getting an error when creating a backup vault: error creating Backup Vault (): AccessDeniedException: status code: 403, request id: 8e7e577e-5b74-4d4d-95d0-bf63e0b2cc2e. Do you know why? I only changed the main.tf file from the simple_plan_using_list example with my data. Do you know why that is happening?

Thanks.

@lgallard
Owner

lgallard commented Feb 7, 2020

Hi @GuilhermeRizzottoLis, the module uses the service role as defined here https://github.com/lgallard/terraform-aws-backup/blob/master/iam.tf#L12 and adds policies in the iam.tf, in particular here https://github.com/lgallard/terraform-aws-backup/blob/master/iam.tf#L24.

Those roles/policies should be enough to create a new vault. I checked the simple_plan_using_list example last week and it created the vault named "vault-1" as in the example.

Did you check if the service role was created?

@lgallard lgallard added the bug Something isn't working label Feb 7, 2020
@lgallard lgallard self-assigned this Feb 7, 2020
@lgallard lgallard added question Further information is requested and removed bug Something isn't working labels Feb 7, 2020
@GuilhermeRizzottoLis
Author

Yeah, it was created. Maybe it's some configuration in AWS, but I have Full Access permission.

@lgallard
Owner

lgallard commented Feb 7, 2020

@GuilhermeRizzottoLis did you check this issue reported here?

It seems to be an async problem (maybe due to networking issues or token expiration), as expressed in this comment.

@lgallard lgallard closed this as completed Mar 6, 2020
@brightshine1111

brightshine1111 commented Apr 7, 2021

I just started encountering this same exact issue. I'm able to create vaults via the aws console and aws cli directly no problem, but when I attempt to do so using the same exact IAM role via Terraform, I get this cryptic 403 error. Looking through Terraform's debug log reveals nothing useful.

Terraform v0.14.9, AWS provider v3.35.0

@lgallard
Owner

lgallard commented Apr 8, 2021

@faucherb94 can you share your Terraform definition?

@jralonso

I am suffering the same issue. Terraform v0.14.10, AWS provider 3.36.0.
This is what the plan outputs:

# aws_backup_vault.ps-backup-vault will be created
+ resource "aws_backup_vault" "ps-backup-vault" {
    + arn             = (known after apply)
    + id              = (known after apply)
    + kms_key_arn     = (known after apply)
    + name            = "prod-backup-vault"
    + recovery_points = (known after apply)
 }

@lgallard
Owner

@jralonso I just applied the complete example in my account using Terraform v0.14.10, AWS provider 3.36.0.

Are you using the complete example or any other example?

Did you check you have enough permission privileges to create AWS Backup resources (vaults, plans, rules, etc)?

@lgallard
Owner

@jralonso I checked the simple_plan example with the latest version of the module (0.11.2) and it's working with Terraform v0.14.10, AWS provider 3.36.0 as well.

@thiagolsfortunato

thiagolsfortunato commented Jun 30, 2021

I have the same error when I run with my Pipeline User. This User has backup:* permission attached to your policy.

When I perform terraform apply, it returns AccessDeniedException: status code: 403

I have Full Administrator Access and can create AWS Backup Vault with my credentials. Which permissions does my pipeline user need?

@lgallard
Owner

@thiagolsfortunato the module creates a service role, meaning your pipeline must be able to create roles in IAM.

@carflo

carflo commented Jul 8, 2021

For anyone else who stumbles upon this issue, make sure you are adding the required IAM permissions mentioned in the CreateBackupVault row to the role creating the Vault. I was missing the required kms and backup-storage permissions and got the same 403 error.

@lgallard
Owner

lgallard commented Jul 9, 2021

@carflo maybe we can add those permissions in the IAM policy here https://github.com/lgallard/terraform-aws-backup/blob/master/iam.tf#L40

@carflo

carflo commented Jul 9, 2021

@lgallard The IAM permissions need to be added to the Role running the terraform. In @thiagolsfortunato's case, his "pipeline user" (i.e., not the IAM role used by AWS Backup that your module creates).

I think just adding this to the README (e.g., Troubleshooting: error creating Backup Vault () ...) would be helpful as the error message from AWS is not useful. This is mentioned in the AWS docs as a requirement so I'll leave that up to you. As a disclaimer, I'm not using this module but I stumbled upon this issue (google search) due to the same error from the aws_backup_vault resource 😄
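The permission gap described in the comment above can be checked offline before `terraform apply`. This is an added example, not part of the thread or the module: it reports which CreateBackupVault-related actions a policy document fails to allow. The action list is an assumption taken from the AWS Backup API permissions reference, the sample policies are constructed, and the matcher looks only at `Action` in Allow/Deny statements (it ignores `Resource`, `Condition` and `NotAction`).

```python
import re

# Assumed list: actions the AWS Backup permissions reference gives for
# CreateBackupVault. Confirm against the current AWS documentation.
REQUIRED_FOR_CREATE_VAULT = [
    "backup:CreateBackupVault",
    "backup-storage:MountCapsule",
    "kms:CreateGrant",
    "kms:GenerateDataKey",
    "kms:Decrypt",
    "kms:RetireGrant",
    "kms:DescribeKey",
]

def _as_list(value):
    return [value] if isinstance(value, (str, dict)) else list(value or [])

def _matches(pattern, action):
    # IAM action patterns: '*' is any run of characters, '?' is one; case-insensitive.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def missing_actions(policy, required=REQUIRED_FOR_CREATE_VAULT):
    """Required actions that no Allow statement grants, or that a Deny covers."""
    allowed, denied = [], []
    for stmt in _as_list(policy.get("Statement")):
        target = allowed if stmt.get("Effect") == "Allow" else denied
        target.extend(_as_list(stmt.get("Action")))
    return [a for a in required
            if any(_matches(p, a) for p in denied)
            or not any(_matches(p, a) for p in allowed)]

# Constructed sample: a pipeline user that only has backup:* (as in the thread).
PIPELINE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "backup:*", "Resource": "*"}],
}
# Constructed fix: same policy plus the kms and backup-storage actions.
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": PIPELINE_POLICY["Statement"] + [
        {"Effect": "Allow", "Action": REQUIRED_FOR_CREATE_VAULT[1:], "Resource": "*"},
    ],
}

if __name__ == "__main__":
    print("missing with backup:* only:", missing_actions(PIPELINE_POLICY))
    print("missing after fix:", missing_actions(FIXED_POLICY))
```

`backup:*` does not match `backup-storage:MountCapsule` because `backup-storage` is a separate service prefix, so a policy that looks like full AWS Backup access still leaves the vault creation call denied.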

@lgallard
Owner

@carflo thanks for the clarification. Comment added in README!!
