What S3 permissions are needed for BACKUP?


#1

I am trying to execute

BACKUP DATABASE memsql TO S3 "mys3bucket/memsql/2019040320/" CONFIG '{"region":"us-east-1"}' CREDENTIALS '{"role_arn":"arn:aws:iam:::role/memsql-backup"}'

and receiving:

ERROR 2298 (HY000) at line 1: Failed validation for s3: AccessDenied: Access denied
       status code: 403, request id:

The AWS IAM role memsql-backup has the following policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::mys3bucket/*"
        }
    ]
}

What other permissions are needed in order to BACKUP to S3?


#2

Hello!

Try adding “s3:GetObject”, and if it is still giving you issues, feel free to report back!


#3

Hi @nhoran, unfortunately I still receive

ERROR 2298 (HY000) at line 1: Failed validation for s3: AccessDenied: Access denie

Current permissions policy is:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject"
            ],
            "Resource": "arn:aws:s3:::mys3bucket/*"
        }
    ]
}

Also, do you advise in addition to the databases that I create also backing up the memsql and cluster databases? They both appear to be empty though.


#4

You should only be backing up your own databases; the memsql and cluster databases are internal to the cluster and store metadata.

Could you look inside your leaf’s memsqlbin/tracelogs/memsql.log and look for an ERROR line associated with these backups? It should have the full error string, as the mysql connector can truncate long errors.

Also, add back the s3:ListBucket permission. That is used during backup validation.
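
Added example, not part of the thread and not MemSQL's code: s3:ListBucket is a bucket-level action that S3 evaluates against the bucket ARN (arn:aws:s3:::mys3bucket), so a statement whose only Resource is arn:aws:s3:::mys3bucket/* does not grant it. The simplified checker below shows which of the actions named in this thread a policy actually grants; the object key and the SPLIT policy are constructed for illustration.

```python
import fnmatch

# Actions named in the thread. S3 evaluates s3:ListBucket against the bucket
# ARN and s3:GetObject / s3:PutObject against object ARNs.
BUCKET_ACTIONS = {"s3:ListBucket"}
OBJECT_ACTIONS = {"s3:GetObject", "s3:PutObject"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def granted_actions(policy, bucket, key):
    """Return the thread's actions that the Allow statements actually grant.

    Simplified evaluation: Deny, Condition, NotAction and NotResource are ignored.
    """
    targets = {a: f"arn:aws:s3:::{bucket}" for a in BUCKET_ACTIONS}
    targets.update({a: f"arn:aws:s3:::{bucket}/{key}" for a in OBJECT_ACTIONS})
    granted = set()
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [p.lower() for p in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        for action, arn in targets.items():
            # Action names are case-insensitive; ARNs are matched as written.
            action_ok = any(fnmatch.fnmatchcase(action.lower(), p) for p in actions)
            resource_ok = any(fnmatch.fnmatchcase(arn, p) for p in resources)
            if action_ok and resource_ok:
                granted.add(action)
    return granted

def allow(actions, resource):
    return {"Effect": "Allow", "Action": actions, "Resource": resource}

BUCKET = "mys3bucket"
KEY = "memsql/2019040320/example_object"  # constructed object key

# Policy from post #1: both actions attached to the object ARN pattern only.
POST_1 = {"Version": "2012-10-17", "Statement": [
    allow(["s3:ListBucket", "s3:PutObject"], "arn:aws:s3:::mys3bucket/*")]}

# Constructed variant: bucket-level and object-level actions in separate statements.
SPLIT = {"Version": "2012-10-17", "Statement": [
    allow(["s3:ListBucket"], "arn:aws:s3:::mys3bucket"),
    allow(["s3:GetObject", "s3:PutObject"], "arn:aws:s3:::mys3bucket/*")]}

if __name__ == "__main__":
    print("post #1:", sorted(granted_actions(POST_1, BUCKET, KEY)))
    print("split:  ", sorted(granted_actions(SPLIT, BUCKET, KEY)))
```

Keeping the bucket-level statement on the bare bucket ARN and the object-level statement on the `/*` pattern also keeps the role scoped to this one bucket.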