- Newest
- Most votes
- Most comments
I believe I may have inadvertently discovered the cause of the failures. When dumping details of the bucket and objects using the aws s3api
cli tool I noticed some objects with the DEEP_ARCHIVE
and GLACIER
storage classes. Doing a random spot check shows all of the items with those storage classes are in the failure messages. I've initiated a restore of all of the objects and will watch to see if the errors clear.
The first simple thing you could check would be if the S3 bucket is using SSE-KMS (instead of SSE-S3) for its default encryption. If so, check which KMS key is used and whether it's an AWS-managed or customer-managed key. If it's customer-managed, then you'll need to grant the IAM role AWS Backup is using the kms:Decrypt
and kms:GenerateDataKey
permissions to the KMS key in its key policy.
Thanks for the response. I think the troubleshooting guide mentioned encryption somewhere in the doc so I did check what keys were being used and it is using SSE-S3 so there should be no need for the additional attachments.
Relevant content
- Accepted Answerasked 2 years ago
- asked 2 years ago
- Accepted Answer
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated a year ago
Alright, those are indeed offline storage classes requiring the separate restore step to access, so your conclusion is almost certainly precisely correct.
For completeness, when you restore objects from the offline storage classes, the original object will remain in the archive class, while the restore operation creates a copy of its contents in the Standard storage class. If you want to move the object back to an online storage class, you'll have to copy the temporary restored object into a new object that you'll retain in an online class. More details: https://docs.aws.amazon.com/AmazonS3/latest/userguide/restoring-objects.html
Thank you. I didn't realize that and after waiting the 48 hours for the deep archive restore was wondering why it was still the offline class. I'm now copying/replacing the offline objects with the online objects and putting them in the glacier_ir class. I'm pretty confident this will clear up the very last of the errors.
After modifying the storage class on all of the failed objects the errors have cleared.
Amazon, please include better error messaging. All of this could have been avoided with a simple "invalid storage class" error.