
Introduction
This is a very quick blog post covering a tiny (but frustrating!) issue I recently encountered.
The problem
I was using the CLI to copy a snapshot from one AWS Backup account to another, and ran into the expected permission issues on the first attempt.
However, this time AWS unhelpfully cached the response and would not let me retry my failed start-copy-job command.
So for example, this command would only ever be attempted once, regardless of whether it passes or fails:
aws backup start-copy-job --recovery-point-arn 'XYZ' \
    --source-backup-vault-name 'XYZ' \
    --destination-backup-vault-arn 'XYZ' \
    --iam-role-arn 'XYZ'
In my case I received this error:
Failed to finalize copy operation due to missing permissions. Source recovery point might still be shared with the destination acccount.
I know my permissions need to be fixed, but it gives no clear way to retry the same copy job after I have fixed them.
The solution
I reached out to AWS and they helpfully pointed me to the --idempotency-token flag. Appending this parameter to your CLI call will work around their caching and let you retry your start-copy-job command:
aws backup start-copy-job --recovery-point-arn 'XYZ' \
    --source-backup-vault-name 'XYZ' \
    --destination-backup-vault-arn 'XYZ' \
    --iam-role-arn 'XYZ' \
    --idempotency-token 'some-unique-string-per-attempt-123'
Just set it to any new unique string and it will let you re-attempt the same command.
That’s it! You can now have multiple attempts at fixing your broken permissions.
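A wrapper for the retry described above, as an added example that is not from the original post: every attempt gets a fresh random token, the token is printed next to the copy job ID so attempts can be told apart later, and the job's status message is shown when it ends in anything other than COMPLETED. The function names and the polling interval are assumptions.

```shell
#!/bin/sh
# Added example, not the author's code. Function names are hypothetical.

# 128 random bits as hex: a new token for every deliberate retry.
new_token() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# Usage: start_copy_attempt RECOVERY_POINT_ARN SOURCE_VAULT DEST_VAULT_ARN ROLE_ARN
# Prints "<token> <copy-job-id>" so each attempt can be traced later.
start_copy_attempt() {
    sca_token=$(new_token)
    sca_job=$(aws backup start-copy-job \
        --recovery-point-arn "$1" \
        --source-backup-vault-name "$2" \
        --destination-backup-vault-arn "$3" \
        --iam-role-arn "$4" \
        --idempotency-token "$sca_token" \
        --query CopyJobId --output text) || return 1
    printf '%s %s\n' "$sca_token" "$sca_job"
}

# Usage: wait_copy_job COPY_JOB_ID [POLL_SECONDS]
# Returns 0 on COMPLETED, 1 on any other final state, 2 if the lookup fails.
wait_copy_job() {
    while :; do
        wcj_state=$(aws backup describe-copy-job --copy-job-id "$1" \
            --query CopyJob.State --output text) || return 2
        case $wcj_state in
            COMPLETED) return 0 ;;
            CREATED|RUNNING) sleep "${2:-30}" ;;
            *)  # FAILED, PARTIAL or anything unexpected: show why and stop
                printf 'copy job %s: %s: ' "$1" "$wcj_state" >&2
                aws backup describe-copy-job --copy-job-id "$1" \
                    --query CopyJob.StatusMessage --output text >&2
                return 1 ;;
        esac
    done
}
```

After fixing the permissions, call start_copy_attempt again with the same four arguments; it picks a new token on its own.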