Copying an encrypted DB cluster snapshot by using the AWS CLI or Amazon RDS API
Use the procedures in the following sections to copy an encrypted DB cluster snapshot by using the AWS Management Console, AWS CLI, or Amazon RDS API.
To cancel a copy operation once it is in progress, delete the target DB cluster
snapshot identified by
--target-db-cluster-snapshot-identifier
or
TargetDBClusterSnapshotIdentifier
while that DB cluster snapshot is
in copying status.
To copy a DB cluster snapshot using the AWS Management Console, see Copying a DB cluster snapshot with the AWS Management Console.
To copy a DB cluster snapshot, use the AWS CLI copy-db-cluster-snapshot command. If you are copying the snapshot to another AWS Region, run the command in the AWS Region to which the snapshot will be copied.
The following options are used to copy an encrypted DB cluster snapshot:
-
--source-db-cluster-snapshot-identifier
– The identifier for the encrypted DB cluster snapshot to be copied. If you are copying the snapshot to another AWS Region, this identifier must be in the ARN format for the source AWS Region. -
--target-db-cluster-snapshot-identifier
– The identifier for the new copy of the encrypted DB cluster snapshot. -
--kms-key-id
– The KMS key identifier for the key to use to encrypt the copy of the DB cluster snapshot.You can optionally use this option if the DB cluster snapshot is encrypted, you copy the snapshot in the same AWS Region, and you want to specify a new KMS key to encrypt the copy. Otherwise, the copy of the DB cluster snapshot is encrypted with the same KMS key as the source DB cluster snapshot.
You must use this option if the DB cluster snapshot is encrypted and you are copying the snapshot to another AWS Region. In that case, you must specify a KMS key for the destination AWS Region.
The following code example copies the encrypted DB cluster snapshot from the US West (Oregon) Region to the US East (N. Virginia) Region. The command is called in the US East (N. Virginia) Region.
Example
For Linux, macOS, or Unix:
aws rds copy-db-cluster-snapshot \ --source-db-cluster-snapshot-identifier
arn:aws:rds:us-west-2:123456789012:cluster-snapshot:aurora-cluster1-snapshot-20161115
\ --target-db-cluster-snapshot-identifiermyclustersnapshotcopy
\ --kms-key-idmy-us-east-1-key
For Windows:
aws rds copy-db-cluster-snapshot ^ --source-db-cluster-snapshot-identifier
arn:aws:rds:us-west-2:123456789012:cluster-snapshot:aurora-cluster1-snapshot-20161115
^ --target-db-cluster-snapshot-identifiermyclustersnapshotcopy
^ --kms-key-idmy-us-east-1-key
The --source-region
parameter is required when you're copying an encrypted DB
cluster snapshot between the AWS GovCloud (US-East) and AWS GovCloud (US-West)
Regions. For --source-region
, specify the AWS Region of the
source DB instance. The AWS Region specified in
source-db-cluster-snapshot-identifier
must match the
AWS Region specified for --source-region
.
If --source-region
isn't specified, specify a
--pre-signed-url
value. A presigned
URL is a URL that contains a Signature Version 4 signed request
for the copy-db-cluster-snapshot
command that's called in the
source AWS Region. To learn more about the pre-signed-url
option,
see copy-db-cluster-snapshot in the AWS CLI Command Reference.
To copy a DB cluster snapshot, use the Amazon RDS API CopyDBClusterSnapshot operation. If you are copying the snapshot to another AWS Region, perform the action in the AWS Region to which the snapshot will be copied.
The following parameters are used to copy an encrypted DB cluster snapshot:
-
SourceDBClusterSnapshotIdentifier
– The identifier for the encrypted DB cluster snapshot to be copied. If you are copying the snapshot to another AWS Region, this identifier must be in the ARN format for the source AWS Region. -
TargetDBClusterSnapshotIdentifier
– The identifier for the new copy of the encrypted DB cluster snapshot. -
KmsKeyId
– The KMS key identifier for the key to use to encrypt the copy of the DB cluster snapshot.You can optionally use this parameter if the DB cluster snapshot is encrypted, you copy the snapshot in the same AWS Region, and you specify a new KMS key to use to encrypt the copy. Otherwise, the copy of the DB cluster snapshot is encrypted with the same KMS key as the source DB cluster snapshot.
You must use this parameter if the DB cluster snapshot is encrypted and you are copying the snapshot to another AWS Region. In that case, you must specify a KMS key for the destination AWS Region.
-
PreSignedUrl
– If you are copying the snapshot to another AWS Region, you must specify thePreSignedUrl
parameter. ThePreSignedUrl
value must be a URL that contains a Signature Version 4 signed request for theCopyDBClusterSnapshot
action to be called in the source AWS Region where the DB cluster snapshot is copied from. To learn more about using a presigned URL, see CopyDBClusterSnapshot.
The following code example copies the encrypted DB cluster snapshot from the US West (Oregon) Region to the US East (N. Virginia) Region. The action is called in the US East (N. Virginia) Region.
Example
https://rds.us-east-1.amazonaws.com/ ?Action=CopyDBClusterSnapshot &KmsKeyId=my-us-east-1-key &PreSignedUrl=https%253A%252F%252Frds.us-west-2.amazonaws.com%252F %253FAction%253DCopyDBClusterSnapshot %2526DestinationRegion%253Dus-east-1 %2526KmsKeyId%253Dmy-us-east-1-key %2526SourceDBClusterSnapshotIdentifier%253Darn%25253Aaws%25253Ards%25253Aus-west-2%25253A123456789012%25253Acluster-snapshot%25253Aaurora-cluster1-snapshot-20161115 %2526SignatureMethod%253DHmacSHA256 %2526SignatureVersion%253D4 %2526Version%253D2014-10-31 %2526X-Amz-Algorithm%253DAWS4-HMAC-SHA256 %2526X-Amz-Credential%253DAKIADQKE4SARGYLE%252F20161117%252Fus-west-2%252Frds%252Faws4_request %2526X-Amz-Date%253D20161117T215409Z %2526X-Amz-Expires%253D3600 %2526X-Amz-SignedHeaders%253Dcontent-type%253Bhost%253Buser-agent%253Bx-amz-content-sha256%253Bx-amz-date %2526X-Amz-Signature%253D255a0f17b4e717d3b67fad163c3ec26573b882c03a65523522cf890a67fca613 &SignatureMethod=HmacSHA256 &SignatureVersion=4 &SourceDBClusterSnapshotIdentifier=arn%3Aaws%3Ards%3Aus-west-2%3A123456789012%3Acluster-snapshot%3Aaurora-cluster1-snapshot-20161115 &TargetDBClusterSnapshotIdentifier=myclustersnapshotcopy &Version=2014-10-31 &X-Amz-Algorithm=AWS4-HMAC-SHA256 &X-Amz-Credential=AKIADQKE4SARGYLE/20161117/us-east-1/rds/aws4_request &X-Amz-Date=20161117T221704Z &X-Amz-SignedHeaders=content-type;host;user-agent;x-amz-content-sha256;x-amz-date &X-Amz-Signature=da4f2da66739d2e722c85fcfd225dc27bba7e2b8dbea8d8612434378e52adccf
The PreSignedUrl
parameter is required when you are copying an encrypted DB
cluster snapshot between the AWS GovCloud (US-East) and AWS GovCloud (US-West)
Regions. The PreSignedUrl
value must be a URL that contains a
Signature Version 4 signed request for the CopyDBClusterSnapshot
operation to be called in the source AWS Region where the DB cluster snapshot
is copied from. To learn more about using a presigned URL, see CopyDBClusterSnapshot in the Amazon RDS API Reference.
To automatically rather than manually generate a presigned URL, use the AWS CLI copy-db-cluster-snapshot command with the
--source-region
option instead.