amazon-web-services aws-lambda amazon-rds snapshot amazon-kms

PreSignedUrl could not be authenticated. (Service: AmazonRDS; Status Code: 400; Error Code - while copy RDS Snapshot to different region

I have a lambda function which copies the RDS Snapshot from Eu-West-3 to Eu-Central-1 region.

Here is my code:

public class CopySnapshot  implements RequestHandler<String, String> {

    public String handleRequest(String input, Context context) {

        AmazonRDS client = AmazonRDSClientBuilder.standard().build();

        DescribeDBSnapshotsRequest request = new DescribeDBSnapshotsRequest()
                .withDBInstanceIdentifier(System.getenv("DB_IDENTIFIER"))
                .withSnapshotType(System.getenv("SNAPSHOT_TYPE"))
                .withIncludeShared(true)
                .withIncludePublic(false); 

        DescribeDBSnapshotsResult response = client.describeDBSnapshots(request);

        System.out.println("Found the snapshot "+response);

        // Get the latest snapshot

        List<DBSnapshot> list = response.getDBSnapshots();

        if(list.size() > 0)
        {
            DBSnapshot d = list.get(list.size()-1);

            String snapshotArn=d.getDBSnapshotArn();

            System.out.println(snapshotArn);

            AmazonRDS client_dr_region = AmazonRDSClientBuilder
                                            .standard()
                                            .withRegion(Regions.EU_CENTRAL_1)
                                            .build();

            SimpleDateFormat simpleDateFormat = new SimpleDateFormat("yy-MM-dd-HH-mm");

            CopyDBSnapshotRequest copyDbSnapshotRequest = new CopyDBSnapshotRequest()
                                        .withSourceDBSnapshotIdentifier(snapshotArn)
                                        .withSourceRegion("eu-west-3")
                                        .withKmsKeyId(System.getenv("OTHER_KMS_KEY_ID"))                                        
                                        .withTargetDBSnapshotIdentifier("dr-snapshot-copy"+"-"+simpleDateFormat.format(new Date()));

            DBSnapshot response_snapshot_copy = client_dr_region
                                                    .copyDBSnapshot(copyDbSnapshotRequest)
                                                    .withKmsKeyId(System.getenv("OTHER_KMS_KEY_ID"))
                                                    .withSourceRegion("eu-west-3");

            System.out.println("Snapshot request submitted successfully "+response_snapshot_copy);

            return "Snapshot copy request successfully submitted";
        }
        else 
            return "No Snapshot found";
    }
}

While executing the code it shows below error:




{
  "errorMessage": "PreSignedUrl could not be authenticated. (Service: AmazonRDS; Status Code: 400; Error Code: InvalidParameterValue; Request ID: 7f794176-a21f-448e-acb6-8a5832925cab)",
  "errorType": "com.amazonaws.services.rds.model.AmazonRDSException",
  "stackTrace": [
    "com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleErrorResponse(AmazonHttpClient.java:1726)",
    "com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeOneRequest(AmazonHttpClient.java:1381)",
    "com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeHelper(AmazonHttpClient.java:1127)",
    "com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:784)",
    "com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:745)",
    "com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:726)",
    "com.amazonaws.http.AmazonHttpClient$RequestExecutor.access$500(AmazonHttpClient.java:686)",
    "com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:668)",
    "com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:532)",
    "com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:512)",
    "com.amazonaws.services.rds.AmazonRDSClient.doInvoke(AmazonRDSClient.java:9286)",
    "com.amazonaws.services.rds.AmazonRDSClient.invoke(AmazonRDSClient.java:9253)",
    "com.amazonaws.services.rds.AmazonRDSClient.invoke(AmazonRDSClient.java:9242)",
    "com.amazonaws.services.rds.AmazonRDSClient.executeCopyDBSnapshot(AmazonRDSClient.java:1262)",
    "com.amazonaws.services.rds.AmazonRDSClient.copyDBSnapshot(AmazonRDSClient.java:1234)",
    "fr.aws.rds.CopySnapshot.handleRequest(CopySnapshot.java:59)",
    "fr.aws.rds.CopySnapshot.handleRequest(CopySnapshot.java:19)"
  ]
}

From env variable I am fetching the KMS ID of EU-Central-1 with is the destination region for copying snapshot.

The lambda has full permission (for trial purpose) on KMS but it does not work. Added an inline policy to the specific lambda role, with describe, create grant using the key (full ARN mentioned) but still shows same error. The key is enabled but not sure why such error.

Many thanks for your valuable feedback.

Solution

This I have resolved it using, one more attribute added to it - sourceregion.

CopyDBSnapshotRequest copyDbSnapshotRequest = new CopyDBSnapshotRequest()
                    .withSourceDBSnapshotIdentifier(snapshotArn)
                    .withSourceRegion(System.getenv("SOURCE_REGION")) 
                    .withKmsKeyId(System.getenv("OTHER_KMS_KEY_ID"))                                        
                    .withTargetDBSnapshotIdentifier("dr-snapshot-copy"+"-"+simpleDateFormat.format(new Date()));

            DBSnapshot response_snapshot_copy = client_dr_region
                    .copyDBSnapshot(copyDbSnapshotRequest)
                    .withKmsKeyId(System.getenv("OTHER_KMS_KEY_ID"))
                    .withSourceRegion(System.getenv("SOURCE_REGION"));

and voila, it worked