07 November, 2022 by Rambler
This is a step-by-step guide on how to use the AWS CLI to restore an RDS instance backed up with the AWS Backup service. The guide takes you through setting up the IAM role, retrieving the recovery point and its metadata, starting the restore, checking that the restore has completed, and cleaning up the IAM role.
You will need:
1) AWS CLI (AWS Command Line Interface)
2) jq (JSON command-line processor)
I've broken the guide down into steps. One way to streamline the process is to place some of the outputs into variables.
--Place the following into a json file - allow_backup_assume_role.json
{ "Version": "2012-10-17", "Statement": [ { "Sid": "", "Effect": "Allow", "Principal": { "Service": "backup.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }
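--Place the following into a .json file - allow_passrole_inline_policy.json. Note that "Resource": "*" lets this role pass any IAM role in the account; where you can, restrict it to the ARNs of the roles the restore actually needs.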
{ "Version": "2012-10-17", "Statement": [ { "Action": "iam:PassRole", "Resource": "*", "Effect": "Allow" } ] }
--Create an IAM role to manage passthrough
aws iam create-role --role-name dba_backup_iam_role --assume-role-policy-document file://allow_backup_assume_role.json
aws iam put-role-policy --role-name dba_backup_iam_role --policy-name dba_backup_passrole_policy --policy-document file://allow_passrole_inline_policy.json
aws iam attach-role-policy --role-name dba_backup_iam_role --policy-arn arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup
aws iam attach-role-policy --role-name dba_backup_iam_role --policy-arn arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForRestores
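--Create the IAM Role ARN. Concatenate the account ID and the IAM role name to create a string such as the one below. You'll need this for the restore job. In bash or another POSIX shell, put the jq filter in single quotes instead of double quotes so that the shell does not expand $prefix and $suffix.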
aws sts get-caller-identity | jq -r --arg prefix "arn:aws:iam::" --arg suffix ":role/dba_backup_iam_role" ". = $prefix + .Account + $suffix"
--example output: arn:aws:iam::898778990:role/dba_backup_iam_role
--Get the RDS Resource ARN. You'll need this value to list the completed backup jobs
aws rds describe-db-instances --query "DBInstances[?DBInstanceIdentifier=='MyRDSInstance'].DBInstanceArn"
--example output: "arn:aws:rds:us-west-1:8798456934:db:myrdsinstance"
--Get the Recovery Point ARN. Pick a recovery point and make a note of its Recovery Point ARN
aws backup list-backup-jobs --by-state COMPLETED --query "BackupJobs[?ResourceArn == '<replace_with_RDS_Resource_ARN>'].[ResourceType,CompletionDate,RecoveryPointArn]"
--Create a restore metadata file to use with the restore. Place the output of the get-recovery-point-restore-metadata command below into a file, e.g. restore_metadata.json
-Review the restore metadata and adjust it to your environment. These are some common line items to review:
a) DBInstanceIdentifier - pick a name for the new target RDS instance
b) AvailabilityZone - requesting a specific Availability Zone is not valid for Multi-AZ instances. Delete the line item if MultiAZ
c) Port - set a valid port
aws backup get-recovery-point-restore-metadata --backup-vault-name Default --recovery-point-arn <replace_with_Recovery_Point_ARN> --query "RestoreMetadata"
--Start the restore job
aws backup start-restore-job --recovery-point-arn <replace_with_Recovery_Point_ARN> --metadata file://restore_metadata.json --resource-type RDS --iam-role-arn <replace_with_iam_role_arn>
--Check the Status of the Restore Job
aws backup list-restore-jobs --query "RestoreJobs[?RestoreJobId=='<replace_with_restorejobid>']"
--Check the new RDS resource exists
-list all AWS RDS instances & status
aws rds describe-db-instances --query "DBInstances[].[DBInstanceIdentifier,DBInstanceStatus]"
--Delete the IAM Role
-step 1 - detach the AWS policies and delete the inline policy from the IAM role
aws iam detach-role-policy --role-name dba_backup_iam_role --policy-arn arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForRestores
aws iam detach-role-policy --role-name dba_backup_iam_role --policy-arn arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup
aws iam delete-role-policy --role-name dba_backup_iam_role --policy-name dba_backup_passrole_policy
-step 2 - delete the role
aws iam delete-role --role-name dba_backup_iam_role
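The last two stages of this guide (check the restore job, then delete the IAM role) combined into one script, as an added example that is not part of the original post. It polls with aws backup describe-restore-job, which the guide itself does not use, the polling interval and limit are assumptions, and the role is left in place while the job is still running or its status cannot be read, so the iam:PassRole grant is removed only once the restore no longer needs it.

```shell
#!/bin/sh
# Added example, not from the original guide. Role and policy names are the
# ones this guide passes to create-role / put-role-policy / attach-role-policy.
ROLE_NAME="dba_backup_iam_role"
INLINE_POLICY="dba_backup_passrole_policy"
POLICY_PREFIX="arn:aws:iam::aws:policy/service-role"
MANAGED="AWSBackupServiceRolePolicyForBackup AWSBackupServiceRolePolicyForRestores"

# Poll the restore job until it reaches a terminal state.
# $1 = restore job id, $2 = seconds between polls, $3 = maximum polls.
# Returns 0 on COMPLETED, 1 on ABORTED/FAILED, 2 on timeout or unreadable status.
wait_for_restore() {
    job_id=$1; interval=${2:-30}; max_polls=${3:-120}; polls=0
    while [ "$polls" -lt "$max_polls" ]; do
        status=$(aws backup describe-restore-job --restore-job-id "$job_id" \
            --query Status --output text) || return 2
        case "$status" in
            COMPLETED) return 0 ;;
            ABORTED|FAILED) echo "restore $job_id ended: $status" >&2; return 1 ;;
        esac
        polls=$((polls + 1))
        sleep "$interval"
    done
    echo "restore $job_id not finished after $max_polls polls" >&2
    return 2
}

# Detach the managed policies, delete the inline policy, then delete the role.
cleanup_role() {
    for name in $MANAGED; do
        aws iam detach-role-policy --role-name "$ROLE_NAME" \
            --policy-arn "$POLICY_PREFIX/$name" || return 1
    done
    aws iam delete-role-policy --role-name "$ROLE_NAME" \
        --policy-name "$INLINE_POLICY" || return 1
    aws iam delete-role --role-name "$ROLE_NAME"
}

# Wait for the job, then remove the role unless the job may still need it.
# Returns the wait result (0, 1 or 2), or 3 if the cleanup itself failed.
restore_then_cleanup() {
    rc=0
    wait_for_restore "$@" || rc=$?
    if [ "$rc" -eq 2 ]; then
        return 2    # job still running or status unknown: leave the role in place
    fi
    cleanup_role || return 3
    return "$rc"
}
```

Call it as restore_then_cleanup <replace_with_restorejobid> after start-restore-job returns the job id.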
Read More on AWS CLI commands