Export RDS snapshot to S3 with Lambda (Python)

Introduction

When referencing RDS data:

- There is no date-and-time dump job or similar.
- There is no read replica.
- Approval is required to log in to the commercial (production) environment, no questions asked.

For reasons like these, it was sometimes difficult to look directly at the contents of RDS. I then learned that Amazon RDS can export a snapshot to S3, where the data can be queried with Athena, so I tried the S3 export of an RDS snapshot using Lambda.

Overall picture

Export RDS snapshot to S3 with Lambda. Since the exported data is encrypted by KMS, it is necessary to prepare the KMS key as well.

Premise

- RDS and snapshots have been created.
- The export destination S3 bucket has been created.

Procedure

1. Create policies and roles to use when exporting RDS snapshots to S3

1-1. Policy creation

Create a policy that lets the snapshot export task access S3, using the following JSON. (In Resource, replace your-s3-bucket with the S3 bucket to export to.)

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject*",
                "s3:GetObject*",
                "s3:DeleteObject*"
            ],
            "Resource": [
                "arn:aws:s3:::your-s3-bucket",
                "arn:aws:s3:::your-s3-bucket/*"
            ]
        }
    ]
}

1-2. Role creation

Create a role and attach the policy created above. From Edit Trust Relationship, edit the access control policy document as follows. (The Service is export.rds.amazonaws.com.)


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "export.rds.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

2. Creating a KMS key

Create a key in KMS to use to encrypt the export data.

  1. Select Customer managed keys in KMS from the management console.
  2. Open the creation wizard with Create key.
  3. Step 1/5 Key type: Symmetric
  4. Step 2/5 Alias: Enter any name for the key
  5. Step 3/5 Key administrators: Select the user who will administer the key
  6. Step 4/5 Define key usage permissions: Not specified here
  7. Step 5/5 Complete

3. Create Lambda

3-1. Role, policy creation

Create a role with AWSLambdaBasicExecutionRole; this can be created at the same time as the Lambda function. Separately create the following policy, which is required for the snapshot export, and attach it to that role.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:PassRole",
                "rds:StartExportTask"
            ],
            "Resource": "*"
        }
    ]
}
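
Added example, not part of the original article: the policy above allows iam:PassRole on every role in the account, so the Lambda role could pass any role to a service, not only the export role from step 1. The sketch below flags that pattern and builds a variant whose PassRole is scoped to one role; the role ARN, Sids and function names are constructed for illustration.

```python
from fnmatch import fnmatchcase

# The Lambda-role policy from step 3-1, as given on the page.
PAGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["iam:PassRole", "rds:StartExportTask"],
        "Resource": "*",
    }],
}

# Constructed placeholder ARN standing in for the export role from step 1.
EXAMPLE_ROLE_ARN = "arn:aws:iam::123456789012:role/rds-s3-export-role"

def _as_list(value):
    """IAM accepts a single item or a list for Statement, Action and Resource."""
    return [value] if isinstance(value, (str, dict)) else list(value)

def wildcard_passrole(policy):
    """Return the Allow statements that grant iam:PassRole on a wildcard resource."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        # Action patterns such as "*", "iam:*" or "iam:Pass*" also grant PassRole.
        grants = any(fnmatchcase("iam:passrole", a.lower()) for a in actions)
        if grants and any("*" in r for r in resources):
            findings.append(stmt)
    return findings

def scoped_policy(export_role_arn):
    """Same two permissions, with PassRole limited to the given export role."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "PassOnlyExportRole", "Effect": "Allow",
             "Action": "iam:PassRole", "Resource": export_role_arn},
            # rds:StartExportTask stays on "*" exactly as on the page.
            {"Sid": "StartExport", "Effect": "Allow",
             "Action": "rds:StartExportTask", "Resource": "*"},
        ],
    }

if __name__ == "__main__":
    print("page policy findings:", len(wildcard_passrole(PAGE_POLICY)))
    print("scoped policy findings:", len(wildcard_passrole(scoped_policy(EXAMPLE_ROLE_ARN))))
```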

3-2. Lambda code creation

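python:lambda_handler.py

import boto3
from datetime import datetime

# Replace these placeholders with the values for your environment.
SOURCE_ARN = "YOUR_SOURCE_ARN"
S3_BUCKET_NAME = "YOUR_S3_BUCKET_NAME"
IAM_ROLE_ARN = "YOUR_IAM_ROLE_ARN"
KMS_KEY_ID = "YOUR_KMS_KEY_ID"

client = boto3.client('rds')

def lambda_handler(event, context):
    # The export identifier must be unique, so append the current date and time.
    export_task_identifier = "mysnapshot" + datetime.now().strftime("%Y%m%d%H%M%S")

    # Start exporting the snapshot to S3, encrypted with the KMS key.
    response = client.start_export_task(
        ExportTaskIdentifier=export_task_identifier,
        SourceArn=SOURCE_ARN,
        S3BucketName=S3_BUCKET_NAME,
        IamRoleArn=IAM_ROLE_ARN,
        KmsKeyId=KMS_KEY_ID,
    )

    # Return only string fields; the full response contains datetime values.
    return {
        "ExportTaskIdentifier": response["ExportTaskIdentifier"],
        "Status": response["Status"],
    }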

- Set the following variables in the code according to your environment.

| Variable name | Value |
|---|---|
| SOURCE_ARN | ARN of the RDS snapshot to be exported |
| S3_BUCKET_NAME | Output destination S3 bucket name |
| IAM_ROLE_ARN | ARN of the role created in step 1, used for the export to S3 |
| KMS_KEY_ID | ARN of the created KMS key |

- Because the following restriction applies to ExportTaskIdentifier, the date and time are appended to it here.

Export identifier Enter a name to identify the export. This name must be unique across all snapshot exports that your AWS account owns in your current AWS Region.

4. Add Lambda role to key user of KMS key

Add the role used by Lambda in step 3 to the key users of the key created in step 2.

If you don't do this, you'll get the error "An error occurred (KMSKeyNotAccessibleFault)" when you run Lambda.

After this work, run Lambda to export the RDS snapshot to S3.

In conclusion

If you just want to export a snapshot to S3, you can do the same from the management console, but I wanted to use system snapshots as the data source and update the data by date and time, so I tried running it with Lambda.

It would be nice if RDS data could be checked in the management console for small lookups, as with DynamoDB, but I felt that referring to a snapshot in this way is also a safe and easy method.

References

This article was written with reference to the following information.

- Export DB Snapshot Data to Amazon S3
