Overview
Recently I was working with Rubrik to perform some tests related to the backup and restore of AWS resources housed on an AWS Outpost. Everything was working great until we attempted to restore an RDS database onto the Outpost. The solution was pretty straightforward and easy but I had the benefit of working directly with a couple Rubrik engineers. Thus, I thought I’d share the solution should any of you in the larger community be interested.
When attempting the RDS restore to AWS Outpost an Access Denied error message was displayed, shown below, that stated we were not authorized to get the available instance types on Outposts.
In the Beginning…
When adding a cloud account to Rubrik, you will be prompted to deploy a CloudFormation to create an IAM role that will give Rubrik the permissions it needs to backup and restore the resources in that AWS account.
The issue as it relates to the restoration of RDS databases on AWS Outpost is that the rubrik-aws-rds-protection-policy deployed with the template, does not include the following Outposts permissions:
- outposts:GetOutpost
- outposts:GetOutpostInstanceTypes
- outposts:ListOutposts
- outposts:ListSites
To Resolve the Issue
As it stands today, you resolve the issue by editing the rubrik-aws-rds-protection-policy to add the (4) permissions listed above. You can do this by editing the Rubrik CrossAccountRole using the IAM dashboard or you can edit the CloudFormation template and update the stack.
Using the IAM Dashboard
- Open the IAM Service Dashboard for the AWS Outposts account
2. Under Access management, click Roles and then search for Rubrik and then click the rubrik-polaris-CrossAccountRole.
3. Expand the rubrik-aws-rds-protection-policy and click Edit policy
4. Click Add additional permissions and then add the required Outposts permissions as shown below.
Updating the CloudFormation Template
You can also update the policy with the required Outposts permissions by updating the CloudFormation template deployed by Rubrik when adding the AWS account.
- Open the CloudFormation service dashboard, select Stacks, then select the rubrik-polaris-xxxx template and click Update.
2. On the Update stack | Specify template page, select Edit template in designer and then click View in Designer. (Of course, if you’re familiar with templates and would prefer to use Atom, or NotePad ++, or Visual Studio Code you can use those means as well.)
3. When Designer opens, add the required Outposts permissions to the rubrik-polaris-xxxx section and continue with the update.
4. It is not necessary to edit the stack details or options so you can click Next until you get to the Review page. On the Review page, you should see a summarization of the changes which will be made and be prompted to acknowledge that CloudFormation might create IAM resources. Click Update stack.
5. When the stack is successfully updated, verify that the rubrik-aws-rds-protection-policy has been modified with the required settings.
6. Finally, retry you Rubrik to AWS Outpost RDS restore once again. If all goes well, the restore will now succeed!