How do I troubleshoot the "You are not authorized to perform this operation" error when I try to restore my Amazon EC2 instance?


I'm using AWS Backup to restore an Amazon Elastic Compute Cloud (Amazon EC2) instance from a recovery point in AWS Backup. However, I get an encoded error message that says "You are not authorized to perform this operation. Please consult the permissions associated with your AWS Backup role(s), and refer to the AWS Backup documentation for more details."

Resolution

This error typically occurs under the following conditions:

  • The original Amazon EC2 instance has an instance profile attached to it.
  • You use the Default role setting for Restore role to try to restore the instance on the AWS Backup console.
  • You use the Restore with Original IAM role setting for Instance IAM role to try to restore the instance on the AWS Backup console.

To resolve this issue, use either of the following options based on your use case.

Use the "Proceed with no IAM role" option

When you run the restore job for the instance in the AWS Backup console, choose Proceed with no IAM role for Instance IAM role. With this option, you can restore the instance, and the restored instance doesn't have an instance profile attached to it. Later, you can attach the instance profile to the restored instance.

Use the "Restore with Original IAM role" option

To restore your new instance with the original IAM role, you must set Instance IAM role to Restore with Original IAM role. When you choose this option, you must also attach an additional policy to your restore role, because the restore role has to pass the instance profile's role to the new instance. Your restore role can be the default role AWSDefaultServiceRoleforBackup or any other customer managed role.

Note: If you don't know which role you used for the restore, then you must decode the authorization message. For instructions on how to decode the message, see How do I decode an encoded authorization error message for AWS Backup?

Open the IAM console, and attach the following policy to your restore role:

Note: Replace 111122223333 with your AWS account ID.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::111122223333:role/*",
            "Effect": "Allow"
        }
    ]
}

After you update the IAM role, run the restore job again.
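The policy above grants iam:PassRole on every role in the account, which is more than the restore needs: the restore role only has to pass the one role behind the original instance profile, and only to EC2. The following added example (not part of the AWS article, and not AWS code) generates both the article's policy and a least-privilege variant scoped to named roles with the documented iam:PassedToService condition key, and includes a simplified local evaluator so you can see which role ARNs each policy would let the restore role pass. The account ID is the article's placeholder; the role name ExampleEc2InstanceRole and the function names are assumptions for the example. The evaluator models only Allow/Deny, action, resource and this one condition; the authoritative check remains the IAM policy simulator.

```python
import fnmatch
import json

# Constructed values for this example: the article's placeholder account ID and
# a hypothetical name for the role behind the original instance profile.
ACCOUNT_ID = "111122223333"
INSTANCE_ROLE_NAME = "ExampleEc2InstanceRole"  # hypothetical


def page_pass_role_policy(account_id):
    """The policy shown in the article: iam:PassRole on every role in the account."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": "iam:PassRole",
                "Resource": f"arn:aws:iam::{account_id}:role/*",
                "Effect": "Allow",
            }
        ],
    }


def scoped_pass_role_policy(account_id, role_names):
    """Least-privilege variant: only the named instance-profile role(s), and only
    when the role is passed to EC2. iam:PassedToService is a documented IAM
    condition key; restricting to ec2.amazonaws.com is this example's choice."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": "iam:PassRole",
                "Resource": [f"arn:aws:iam::{account_id}:role/{n}" for n in role_names],
                "Effect": "Allow",
                "Condition": {
                    "StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}
                },
            }
        ],
    }


def to_policy_json(policy):
    """Serialize for `aws iam put-role-policy --policy-document file://...`."""
    return json.dumps(policy, indent=4)


def allows_pass_role(policy, role_arn, passed_to_service="ec2.amazonaws.com"):
    """Simplified local evaluation of one identity policy for iam:PassRole on a
    single role ARN. Models action/resource wildcards, the iam:PassedToService
    StringEquals condition, and explicit Deny precedence; nothing else. Use
    `aws iam simulate-principal-policy` for the real answer."""
    decision = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        # IAM wildcards (* and ?) behave like shell globs; fnmatch does not treat "/" specially.
        if not any(fnmatch.fnmatchcase("iam:PassRole", a) for a in actions):
            continue
        if not any(fnmatch.fnmatchcase(role_arn, r) for r in resources):
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if "iam:PassedToService" in cond and cond["iam:PassedToService"] != passed_to_service:
            continue
        if stmt["Effect"] == "Deny":
            return False  # an explicit Deny always wins over any Allow
        decision = True
    return decision


if __name__ == "__main__":
    instance_role_arn = f"arn:aws:iam::{ACCOUNT_ID}:role/{INSTANCE_ROLE_NAME}"
    other_role_arn = f"arn:aws:iam::{ACCOUNT_ID}:role/UnrelatedAdminRole"  # hypothetical
    for name, policy in (
        ("article policy", page_pass_role_policy(ACCOUNT_ID)),
        ("scoped policy", scoped_pass_role_policy(ACCOUNT_ID, [INSTANCE_ROLE_NAME])),
    ):
        print(f"{name}: pass {INSTANCE_ROLE_NAME} -> {allows_pass_role(policy, instance_role_arn)}, "
              f"pass UnrelatedAdminRole -> {allows_pass_role(policy, other_role_arn)}")
    # Write the scoped document so it can be attached with, for example:
    #   aws iam put-role-policy --role-name <restore-role> \
    #       --policy-name AllowPassInstanceRole --policy-document file://pass-role.json
    with open("pass-role.json", "w") as fh:
        fh.write(to_policy_json(scoped_pass_role_policy(ACCOUNT_ID, [INSTANCE_ROLE_NAME])))
```

If you do not know which role sits behind the instance profile, `aws iam get-instance-profile --instance-profile-name <name>` lists it in the Roles field; start with the article's broad policy if you must, then tighten the Resource to that ARN once the restore succeeds.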

Related information

Access control

Restoring an Amazon EC2 instance

AWS OFFICIAL

Updated 9 months ago