Skip to main content
DR restore job fails for Encrypted volumes
Updated over 8 months ago

Problem description

Whenever DR restore triggers it will update the EBS Volumes on AWS console If EBS volumes have KMS encryption enabled, Druva IAM role is unable to access the EBS volumes due to the KMS encryption

Cause

Whenever DR restore triggers, DR restores fails while updating the EBS Volumes on AWS console, If EBS volumes have KMS encryption enabled, Druva IAM role is unable to access the EBS volumes due to the KMS encryption.

Traceback

[2021-04-30 13:01:54,992] [ERROR] EC2Client : Failed to create EBS volume for vol-type=gp2, size=50, avail_zone=us-west-2b, tag_spec=[{'ResourceType': 'volume', 'Tags': [{'Value': u'Phoenix_3479_880650429586_1098_us-west-2_871467_6000C297-9575-ed6f-82fe-9c4e92194af0_706', 'Key': 'Name'}]}]: error = Waiter VolumeAvailable failed: The volume 'vol-004751b5136334cb1' does not exist.

[2021-04-30 13:01:54,992] [ERROR] Error <class 'botocore.exceptions.WaiterError'>:Waiter VolumeAvailable failed: The volume 'vol-004751b5136334cb1' does not exist.. Traceback -Traceback (most recent call last):

File "roboClientLib/boto3/ec2client.py", line 104, in create_ebs_volume

File "botocore/waiter.py", line 53, in wait

File "botocore/waiter.py", line 313, in wait

WaiterError: Waiter VolumeAvailable failed: The volume 'vol-004751b5136334cb1' does not exist.

Resolution

  1. Login to customer AWS console and navigate to IAM services.

  1. Click on Roles.

  1. Now search for DruvaIAMRolePL

  1. Click on DruvaIAMRolePL and then open the policy.

  1. Click on Edit Policy.

  1. Then go to the Visual editor and click Additional Permissions..

  1. Choose a Service as a KMS.

  1. Select Action by selecting below KMS Actions

  1. Then select all the resources if you want this to apply on all the regions.

If you want to specify any region we can go to alias and select Add ARN

Once we click on ADD ARN, We will have a popup to fill in the details about the region and alias and save the changes.

Finally, we can see KMS in the above section and click on preview policy

We can also perform the above steps by editing the JSON file with the below script.

{

"Action": [

"kms:DescribeKey",

"kms:GenerateDataKey*",

"kms:Encrypt",

"kms:ReEncrypt*",

"kms:Decrypt",

"kms:ListGrants",

"kms:CreateGrant",

"kms:RevokeGrant"

],

"Resource": [

"arn:aws:kms:us-west-2:80629586:key/*"

],

"Effect": "Allow"

},

Note:: From the above example script

Us-west-2:: Location of encrypted volumes.

80629586:: AWS account number

Did this answer your question?