ablog

不器用で落着きのない技術者のメモ

AWS CLI で Aurora のスナップショットを共有する

AWS CLI で Aurora PostgreSQL互換 のスナップショットを共有してみたメモ。

Aurora のスナップショットを共有する

共有元AWSアカウント
  • RDSのスナップショットを作成する
# Takes a manual cluster snapshot of aurora-postgres106. Only manual snapshots can be shared;
# an automated snapshot has to be copied to a manual one first.
$ aws rds create-db-cluster-snapshot --db-cluster-snapshot-identifier aurora-postgres106-snapshot --db-cluster-identifier aurora-postgres106
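  • スナップショットをAWSアカウントID「234567890123」に共有する(このスナップショットは暗号化されているため、共有先がコピー・リストアするには、暗号化に使った KMS キーへのアクセス許可も共有先アカウントに必要。なお --values-to-add に all を指定すると、暗号化されていない手動スナップショットは全 AWS アカウントに公開されるので注意)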
# Adds the account ID to the snapshot's `restore` attribute, which lists the accounts allowed to copy or restore it.
# The resulting list can be checked from this account with `aws rds describe-db-cluster-snapshot-attributes`.
aws rds modify-db-cluster-snapshot-attribute --db-cluster-snapshot-identifier aurora-postgres106-snapshot --attribute-name restore --values-to-add 234567890123
共有先AWSアカウント
  • 共有されたスナップショットを確認する。
# --include-shared is needed because snapshots shared by other accounts are not listed by default;
# --snapshot-type shared narrows the output to those shared snapshots.
$ aws rds describe-db-cluster-snapshots --include-shared --snapshot-type shared
{
    "DBClusterSnapshots": [
        {
            "Engine": "aurora-postgresql",
            "SnapshotCreateTime": "2019-05-07T14:57:37.491Z",
            "VpcId": "vpc-...",
            "DBClusterIdentifier": "aurora-postgres106",
            "DBClusterSnapshotArn": "arn:aws:rds:ap-northeast-1:123456789012:cluster-snapshot:aurora-postgres106-snapshot",
            "MasterUsername": "...",
            "LicenseModel": "postgresql-license",
            "Status": "available",
            "PercentProgress": 100,
            "DBClusterSnapshotIdentifier": "arn:aws:rds:ap-northeast-1:123456789012:cluster-snapshot:aurora-postgres106-snapshot",
            "KmsKeyId": "arn:aws:kms:ap-northeast-1:123456789012:key...",
            "ClusterCreateTime": "2019-02-19T01:15:26.881Z",
            "StorageEncrypted": true,
            "AllocatedStorage": 0,
            "EngineVersion": "10.6",
            "SnapshotType": "shared",
            "AvailabilityZones": [
                "ap-northeast-1a",
                "ap-northeast-1c",
                "ap-northeast-1d"
            ],
            "IAMDatabaseAuthenticationEnabled": false,
            "Port": 0
        }
    ]
}

スナップショットの共有をやめる

共有元AWSアカウント
  • スナップショットの共有をやめる。
# Removes the account ID from the `restore` attribute of the same snapshot that was shared above.
$ aws rds modify-db-cluster-snapshot-attribute --db-cluster-snapshot-identifier aurora-postgres106-snapshot --attribute-name restore --values-to-remove 234567890123
共有先AWSアカウント
  • スナップショットが共有されていないことを確認する。共有中に共有先アカウントでコピーされたスナップショットは、共有をやめても共有先に残る点に注意。
# Same query as before the removal; an empty DBClusterSnapshots list means nothing is shared with this account.
$ aws rds describe-db-cluster-snapshots --include-shared --snapshot-type shared
{
    "DBClusterSnapshots": []
}

補足

  • スナップショット共有時の CloudTrail のイベント(共有元アカウント側に記録される。requestParameters.valuesToAdd に想定外のアカウントIDや all が含まれていないかを監視すると、意図しない共有の検知に使える)
{
    "eventVersion": "1.05",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "...:i-...",
        "arn": "arn:aws:sts::123456789012:assumed-role/EC2AdminRole/i-...",
        "accountId": "123456789012",
        "accessKeyId": "...",
        "sessionContext": {
            "attributes": {
                "mfaAuthenticated": "false",
                "creationDate": "2019-05-07T21:22:30Z"
            },
            "sessionIssuer": {
                "type": "Role",
                "principalId": "...",
                "arn": "arn:aws:iam::123456789012:role/EC2AdminRole",
                "accountId": "123456789012",
                "userName": "EC2AdminRole"
            }
        }
    },
    "eventTime": "2019-05-07T22:08:10Z",
    "eventSource": "rds.amazonaws.com",
    "eventName": "ModifyDBClusterSnapshotAttribute",
    "awsRegion": "ap-northeast-1",
    "sourceIPAddress": "*.***.**.***",
    "userAgent": "aws-cli/1.16.86 Python/2.7.14 Linux/4.14.77-81.59.amzn2.x86_64 botocore/1.12.76",
    "requestParameters": {
        "valuesToAdd": [
            "234567890123"
        ],
        "attributeName": "restore",
        "dBClusterSnapshotIdentifier": "aurora-postgres106-snapshot"
    },
    "responseElements": {
        "dBClusterSnapshotAttributes": [
            {
                "attributeName": "restore",
                "attributeValues": [
                    "234567890123"
                ]
            }
        ],
        "dBClusterSnapshotIdentifier": "aurora-postgres106-snapshot"
    },
    "requestID": "fcf6a3e7-8d75-4d46-a078-0989020f0216",
    "eventID": "04bfed7d-24dd-4b48-9e35-2373a262cb73",
    "eventType": "AwsApiCall",
    "recipientAccountId": "123456789012"
}
  • スナップショット共有解除時の CloudTrail のイベント(responseElements の attributeValues が空になっており、共有先が残っていないことを確認できる)
{
    "eventVersion": "1.05",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "...:i-...",
        "arn": "arn:aws:sts::123456789012:assumed-role/EC2AdminRole/i-...",
        "accountId": "123456789012",
        "accessKeyId": "...",
        "sessionContext": {
            "attributes": {
                "mfaAuthenticated": "false",
                "creationDate": "2019-05-07T21:22:30Z"
            },
            "sessionIssuer": {
                "type": "Role",
                "principalId": "...",
                "arn": "arn:aws:iam::123456789012:role/EC2AdminRole",
                "accountId": "123456789012",
                "userName": "EC2AdminRole"
            }
        }
    },
    "eventTime": "2019-05-07T22:10:05Z",
    "eventSource": "rds.amazonaws.com",
    "eventName": "ModifyDBClusterSnapshotAttribute",
    "awsRegion": "ap-northeast-1",
    "sourceIPAddress": "*.***.**.***",
    "userAgent": "aws-cli/1.16.86 Python/2.7.14 Linux/4.14.77-81.59.amzn2.x86_64 botocore/1.12.76",
    "requestParameters": {
        "valuesToRemove": [
            "234567890123"
        ],
        "attributeName": "restore",
        "dBClusterSnapshotIdentifier": "aurora-postgres106-snapshot"
    },
    "responseElements": {
        "dBClusterSnapshotAttributes": [
            {
                "attributeName": "restore",
                "attributeValues": []
            }
        ],
        "dBClusterSnapshotIdentifier": "aurora-postgres106-snapshot"
    },
    "requestID": "acbd52b9-bf14-42cd-9e82-64c03c079ea8",
    "eventID": "df54195f-c799-40ef-ac7c-32b1aafe2ef7",
    "eventType": "AwsApiCall",
    "recipientAccountId": "123456789012"
}