
DR restore job fails for Encrypted volumes


 

Problem description

Whenever a DR restore is triggered, it updates the EBS volumes in the AWS console. If the EBS volumes have KMS encryption enabled, the Druva IAM role is unable to access them because of the KMS encryption.

Cause

Whenever a DR restore is triggered, the restore fails while updating the EBS volumes in the AWS console. If the EBS volumes have KMS encryption enabled, the Druva IAM role is unable to access the EBS volumes due to the KMS encryption.

Traceback

[2021-04-30 13:01:54,992] [ERROR] EC2Client : Failed to create EBS volume for vol-type=gp2, size=50, avail_zone=us-west-2b, tag_spec=[{'ResourceType': 'volume', 'Tags': [{'Value': u'Phoenix_3479_880650429586_1098_us-west-2_871467_6000C297-9575-ed6f-82fe-9c4e92194af0_706', 'Key': 'Name'}]}]: error = Waiter VolumeAvailable failed: The volume 'vol-004751b5136334cb1' does not exist.

[2021-04-30 13:01:54,992] [ERROR] Error <class 'botocore.exceptions.WaiterError'>:Waiter VolumeAvailable failed: The volume 'vol-004751b5136334cb1' does not exist.. Traceback -Traceback (most recent call last):

File "roboClientLib/boto3/ec2client.py", line 104, in create_ebs_volume

File "botocore/waiter.py", line 53, in wait

File "botocore/waiter.py", line 313, in wait

WaiterError: Waiter VolumeAvailable failed: The volume 'vol-004751b5136334cb1' does not exist.

Resolution

  1. Log in to the customer AWS console and navigate to IAM services.

  2. Click Roles.

  3. Search for DruvaIAMRolePL.

  4. Click DruvaIAMRolePL and then open the policy.

  5. Click Edit Policy.

  6. Go to the Visual editor and click Additional Permissions.

  7. Choose KMS as the service.

  8. Under Actions, select the KMS actions below.

  9. Select all resources if you want this to apply to all regions.


 

 

To specify a particular region, go to alias and select Add ARN.

After you click Add ARN, a popup appears where you fill in the details about the region and alias, then save the changes.

Finally, confirm that KMS appears in the above section and click Preview policy.

The same change can also be made by editing the policy JSON with the statement below.

 

 

{
    "Action": [
        "kms:DescribeKey",
        "kms:GenerateDataKey*",
        "kms:Encrypt",
        "kms:ReEncrypt*",
        "kms:Decrypt",
        "kms:ListGrants",
        "kms:CreateGrant",
        "kms:RevokeGrant"
    ],
    "Resource": [
        "arn:aws:kms:us-west-2:80629586:key/*"
    ],
    "Effect": "Allow"
},

Note: In the above example script:

us-west-2: Location of the encrypted volumes.

80629586: AWS account number.
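
A way to confirm, before re-running the restore, that an edited policy document grants the KMS actions from the statement above on the key that encrypts the volumes. This is an added example, not Druva's code: the function names, the expansion of the two wildcard actions, and the sample account ID and key ID are assumptions, and only Effect, Action and Resource are evaluated (not Condition, NotAction, NotResource or the KMS key policy).

```python
import re

# Concrete actions behind the article's statement; the two wildcard entries
# (kms:GenerateDataKey*, kms:ReEncrypt*) are expanded here as an assumption.
REQUIRED = ["kms:DescribeKey", "kms:GenerateDataKey",
            "kms:GenerateDataKeyWithoutPlaintext", "kms:Encrypt",
            "kms:ReEncryptFrom", "kms:ReEncryptTo", "kms:Decrypt",
            "kms:ListGrants", "kms:CreateGrant", "kms:RevokeGrant"]

# Constructed sample: the article's statement with a placeholder account ID.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["kms:DescribeKey", "kms:GenerateDataKey*", "kms:Encrypt",
               "kms:ReEncrypt*", "kms:Decrypt", "kms:ListGrants",
               "kms:CreateGrant", "kms:RevokeGrant"],
    "Resource": ["arn:aws:kms:us-west-2:111122223333:key/*"]}]}

def _as_list(value):
    """IAM accepts a single string or object where a list is expected."""
    return list(value) if isinstance(value, (list, tuple)) else [value] if value else []

def _wild(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' is any run of characters, '?' is one."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, re.I if ignore_case else 0) is not None

def _covers(stmt, action, key_arn):
    """True if the statement names this action (case-insensitive) on this key."""
    return (any(_wild(p, action, True) for p in _as_list(stmt.get("Action")))
            and any(_wild(p, key_arn) for p in _as_list(stmt.get("Resource"))))

def missing_kms_actions(policy, key_arn):
    """Return the REQUIRED actions the policy does not grant on key_arn."""
    stmts = _as_list(policy.get("Statement"))
    missing = []
    for action in REQUIRED:
        hits = [s.get("Effect") for s in stmts if _covers(s, action, key_arn)]
        # An explicit Deny overrides any Allow; no matching Allow means no access.
        if "Deny" in hits or "Allow" not in hits:
            missing.append(action)
    return missing

if __name__ == "__main__":
    key = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    print("missing in us-west-2:", missing_kms_actions(SAMPLE_POLICY, key))
    print("missing in us-east-1:",
          missing_kms_actions(SAMPLE_POLICY, key.replace("us-west-2", "us-east-1")))
```

The second call shows the effect of the region in the Resource ARN: a key outside us-west-2 is not covered by the statement, so every required action is reported as missing.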