Copying an encrypted DB cluster snapshot by using the Amazon CLI or Amazon RDS API
Use the procedures in the following sections to copy an encrypted DB cluster snapshot by using the Amazon Web Services Management Console, Amazon CLI, or Amazon RDS API.
To cancel a copy operation once it is in progress, delete the target DB cluster
snapshot identified by
--target-db-cluster-snapshot-identifier or
TargetDBClusterSnapshotIdentifier while that DB cluster snapshot is
in copying status.
To copy a DB cluster snapshot using the Amazon Web Services Management Console, see Copying a DB cluster snapshot with the Amazon Web Services Management Console.
To copy a DB cluster snapshot, use the Amazon CLI copy-db-cluster-snapshot command. If you are copying the snapshot to another Amazon Web Services Region, run the command in the Amazon Web Services Region to which the snapshot will be copied.
The following options are used to copy an encrypted DB cluster snapshot:
-
--source-db-cluster-snapshot-identifier– The identifier for the encrypted DB cluster snapshot to be copied. If you are copying the snapshot to another Amazon Web Services Region, this identifier must be in the ARN format for the source Amazon Web Services Region. -
--target-db-cluster-snapshot-identifier– The identifier for the new copy of the encrypted DB cluster snapshot. -
--kms-key-id– The KMS key identifier for the key to use to encrypt the copy of the DB cluster snapshot.You can optionally use this option if the DB cluster snapshot is encrypted, you copy the snapshot in the same Amazon Web Services Region, and you want to specify a new KMS key to encrypt the copy. Otherwise, the copy of the DB cluster snapshot is encrypted with the same KMS key as the source DB cluster snapshot.
You must use this option if the DB cluster snapshot is encrypted and you are copying the snapshot to another Amazon Web Services Region. In that case, you must specify a KMS key for the destination Amazon Web Services Region.
The following code example copies the encrypted DB cluster snapshot from the US West (Oregon) Region to the US East (N. Virginia) Region. The command is called in the US East (N. Virginia) Region.
Example
For Linux, macOS, or Unix:
aws rds copy-db-cluster-snapshot \ --source-db-cluster-snapshot-identifierarn:aws-cn:rds:us-west-2:123456789012:cluster-snapshot:aurora-cluster1-snapshot-20161115\ --target-db-cluster-snapshot-identifiermyclustersnapshotcopy\ --kms-key-idmy-us-east-1-key
For Windows:
aws rds copy-db-cluster-snapshot ^ --source-db-cluster-snapshot-identifierarn:aws-cn:rds:us-west-2:123456789012:cluster-snapshot:aurora-cluster1-snapshot-20161115^ --target-db-cluster-snapshot-identifiermyclustersnapshotcopy^ --kms-key-idmy-us-east-1-key
To copy a DB cluster snapshot, use the Amazon RDS API CopyDBClusterSnapshot operation. If you are copying the snapshot to another Amazon Web Services Region, perform the action in the Amazon Web Services Region to which the snapshot will be copied.
The following parameters are used to copy an encrypted DB cluster snapshot:
-
SourceDBClusterSnapshotIdentifier– The identifier for the encrypted DB cluster snapshot to be copied. If you are copying the snapshot to another Amazon Web Services Region, this identifier must be in the ARN format for the source Amazon Web Services Region. -
TargetDBClusterSnapshotIdentifier– The identifier for the new copy of the encrypted DB cluster snapshot. -
KmsKeyId– The KMS key identifier for the key to use to encrypt the copy of the DB cluster snapshot.You can optionally use this parameter if the DB cluster snapshot is encrypted, you copy the snapshot in the same Amazon Web Services Region, and you specify a new KMS key to use to encrypt the copy. Otherwise, the copy of the DB cluster snapshot is encrypted with the same KMS key as the source DB cluster snapshot.
You must use this parameter if the DB cluster snapshot is encrypted and you are copying the snapshot to another Amazon Web Services Region. In that case, you must specify a KMS key for the destination Amazon Web Services Region.
-
PreSignedUrl– If you are copying the snapshot to another Amazon Web Services Region, you must specify thePreSignedUrlparameter. ThePreSignedUrlvalue must be a URL that contains a Signature Version 4 signed request for theCopyDBClusterSnapshotaction to be called in the source Amazon Web Services Region where the DB cluster snapshot is copied from. To learn more about using a presigned URL, see CopyDBClusterSnapshot.
The following code example copies the encrypted DB cluster snapshot from the US West (Oregon) Region to the US East (N. Virginia) Region. The action is called in the US East (N. Virginia) Region.
Example
https://rds.us-east-1.amazonaws.com/ ?Action=CopyDBClusterSnapshot &KmsKeyId=my-us-east-1-key &PreSignedUrl=https%253A%252F%252Frds.us-west-2.amazonaws.com%252F %253FAction%253DCopyDBClusterSnapshot %2526DestinationRegion%253Dus-east-1 %2526KmsKeyId%253Dmy-us-east-1-key %2526SourceDBClusterSnapshotIdentifier%253Darn%25253Aaws%25253Ards%25253Aus-west-2%25253A123456789012%25253Acluster-snapshot%25253Aaurora-cluster1-snapshot-20161115 %2526SignatureMethod%253DHmacSHA256 %2526SignatureVersion%253D4 %2526Version%253D2014-10-31 %2526X-Amz-Algorithm%253DAWS4-HMAC-SHA256 %2526X-Amz-Credential%253DAKIADQKE4SARGYLE%252F20161117%252Fus-west-2%252Frds%252Faws4_request %2526X-Amz-Date%253D20161117T215409Z %2526X-Amz-Expires%253D3600 %2526X-Amz-SignedHeaders%253Dcontent-type%253Bhost%253Buser-agent%253Bx-amz-content-sha256%253Bx-amz-date %2526X-Amz-Signature%253D255a0f17b4e717d3b67fad163c3ec26573b882c03a65523522cf890a67fca613 &SignatureMethod=HmacSHA256 &SignatureVersion=4 &SourceDBClusterSnapshotIdentifier=arn%3Aaws%3Ards%3Aus-west-2%3A123456789012%3Acluster-snapshot%3Aaurora-cluster1-snapshot-20161115 &TargetDBClusterSnapshotIdentifier=myclustersnapshotcopy &Version=2014-10-31 &X-Amz-Algorithm=AWS4-HMAC-SHA256 &X-Amz-Credential=AKIADQKE4SARGYLE/20161117/us-east-1/rds/aws4_request &X-Amz-Date=20161117T221704Z &X-Amz-SignedHeaders=content-type;host;user-agent;x-amz-content-sha256;x-amz-date &X-Amz-Signature=da4f2da66739d2e722c85fcfd225dc27bba7e2b8dbea8d8612434378e52adccf