boto3: list_recovery_points_by_resource doesn't work with RDS ARN

Hello,

I found a bug when I try to list recovery points of an RDS resource. The API returns: An error occurred (AccessDeniedException) when calling the ListRecoveryPointsByResource operation: Insufficient privileges to perform this action.

Tested on a Python 3.8 Lambda with boto3. The simplified code:

import boto3

resourceArn = "arn:aws:rds:eu-west-1:11111111111:db:database-1"

client = boto3.client('backup')

response = client.list_recovery_points_by_resource(ResourceArn=resourceArn)

That works on an EC2 ARN.

I have also tested with my AWS CLI “aws-cli/2.1.30 Python/3.8.8”. I think the CLI uses botocore instead of boto3, and the result is not the same, but I got another issue. I can list-recovery-points-by-resource for an RDS ARN, but if I add the --max-results parameter I get a 403 too.

An error occurred (AccessDeniedException) when calling the ListRecoveryPointsByResource operation: Insufficient privileges to perform this action.

My CLI profile has Administrator access…

Thanks, Ronan

About this issue

  • State: closed
  • Created 3 years ago
  • Comments: 19 (10 by maintainers)

Most upvoted comments

Hi, I resolved this issue by adding rds:describeDBClusterSnapshots to the Lambda policy. Of course, this is not a solution. I hope this helps clarify the situation.

Hi @tcheksa62,

Glad you got it working! I did some additional testing (using the JavaScript SDK) with the MaxResults parameter and received the same AccessDeniedException when providing a value less than 20. This appears to be an issue with backup parameter validation.

The backup team is working to fix the occurrence of the AccessDeniedException and I just made them aware of the issue with the validation of the MaxResults parameter today. I’ll provide any updates I receive along the way!

Hi,

See my Python workaround:

import boto3

def lambda_handler(event, context):
    resourceArn = "arn:aws:rds:eu-west-1:1111111111111:db:database-1"
    client = boto3.client('backup')
    # No MaxResults is passed; the results are sorted client-side instead
    response = client.list_recovery_points_by_resource(
        ResourceArn=resourceArn
    )
    result = response['RecoveryPoints']
    # Newest recovery point first
    last = sorted(result, key=lambda k: k["CreationDate"], reverse=True)
    # Guard against an empty list, which would raise IndexError on last[0]
    if last:
        print(last[0])

Have a good day

Tcheksa

Hi @stobrien89,

Thanks for the support! I tried to add more permissions to my Lambda as @rodriguezarata proposed; for me the correct right is rds:DescribeDBSnapshots for my test, and that works. This resolves the initial issue, but now, like in the CLI, I can use MaxResults params. So we enter the “unsupported API” case. I will try to work with all the results in my Lambda.

Thanks all for the support!

Tcheksa
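Added example, not code from this thread or from boto3: one way to fetch the newest recovery point while following NextToken and never sending MaxResults, and to turn the AccessDeniedException into a hint that names the two rds actions posters reported adding. `latest_recovery_point`, `FakeBackupClient`, `RDS_READ_ACTIONS` and the sample data are hypothetical names and constructed values; in a Lambda, pass `boto3.client('backup')` as `client`.

```python
from datetime import datetime, timezone

# IAM actions that posters in this thread reported adding before the call worked.
RDS_READ_ACTIONS = ("rds:DescribeDBSnapshots", "rds:DescribeDBClusterSnapshots")


def latest_recovery_point(client, resource_arn):
    """Newest recovery point for resource_arn, or None. MaxResults is never sent."""
    points, token = [], None
    while True:
        kwargs = {"ResourceArn": resource_arn}
        if token:
            kwargs["NextToken"] = token
        try:
            page = client.list_recovery_points_by_resource(**kwargs)
        except Exception as exc:
            # botocore's ClientError exposes the service error code in .response
            resp = getattr(exc, "response", None)
            code = resp.get("Error", {}).get("Code") if isinstance(resp, dict) else None
            if code == "AccessDeniedException":
                raise PermissionError(
                    "AccessDeniedException on %s: check the caller's policy for %s"
                    % (resource_arn, " or ".join(RDS_READ_ACTIONS))
                ) from exc
            raise
        points.extend(page.get("RecoveryPoints", []))
        token = page.get("NextToken")
        if not token:
            break
    return max(points, key=lambda p: p["CreationDate"], default=None)


class FakeBackupClient:
    """Constructed stand-in for boto3.client('backup') so the example runs offline."""
    def __init__(self, pages):
        self.pages, self.calls = pages, []

    def list_recovery_points_by_resource(self, **kwargs):
        self.calls.append(kwargs)
        index = int(kwargs.get("NextToken", 0))
        page = {"RecoveryPoints": self.pages[index]}
        if index + 1 < len(self.pages):
            page["NextToken"] = str(index + 1)
        return page


# Constructed sample data: two pages, the newer point on the second page.
SAMPLE_PAGES = [[{"RecoveryPointArn": "rp-old", "CreationDate": datetime(2021, 3, 1, tzinfo=timezone.utc)}],
                [{"RecoveryPointArn": "rp-new", "CreationDate": datetime(2021, 3, 9, tzinfo=timezone.utc)}]]
print(latest_recovery_point(FakeBackupClient(SAMPLE_PAGES), "arn:aws:rds:eu-west-1:11111111111:db:database-1"))
```

Granting only the single rds Describe action that clears the error keeps the function's role narrower than the Administrator profile mentioned in the original report.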