How to Fix “Database backup/restore option not enabled” Error When Restoring SQL Server RDS with Proper IAM Role Configuration



When attempting to restore an MS SQL Server RDS database, many developers encounter the perplexing error: "Database backup/restore option is not enabled yet or is in the process of being enabled. Please try again later." This typically occurs when the SQLSERVER_BACKUP_RESTORE option isn't properly configured in your RDS option group.

The root issue stems from AWS's restriction on modifying default option groups. As noted in the AWS documentation:

Default option groups can't be modified.
You must create a custom option group to add options.

Here's how to properly set up the backup/restore functionality:

1. Create a new option group:

aws rds create-option-group \
    --option-group-name my-sql-backup-group \
    --engine-name sqlserver-se \
    --major-engine-version 15.00 \
    --option-group-description "Option group for SQL Server backup/restore"

2. The Critical IAM Role Setup:

The most common pitfall is incorrect IAM permissions. The role needs:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket",
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::your-backup-bucket",
                "arn:aws:s3:::your-backup-bucket/*"
            ]
        }
    ]
}

When you see "IAM role ARN value is invalid or does not include the required permissions", check:

  • The trust relationship policy allows RDS to assume the role
  • The role has the necessary S3 permissions
  • The role exists in the same region as your RDS instance

Here's a complete trust policy example:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "rds.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
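The first two checks in the list above can be run offline against the policy JSON before the role is given to RDS. This is an added example, not code from the original page or from AWS; the function names are hypothetical, the sample policies are constructed, and Python's fnmatch is assumed to be a close enough stand-in for IAM wildcard matching.

```python
import json
from fnmatch import fnmatchcase

def _as_list(value):
    """IAM accepts a single string wherever a list is allowed."""
    return value if isinstance(value, list) else [value]

def trust_allows_rds(trust):
    """True if some Allow statement lets rds.amazonaws.com call sts:AssumeRole."""
    for st in _as_list(trust.get("Statement", [])):
        principal = st.get("Principal")
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if (st.get("Effect") == "Allow" and "rds.amazonaws.com" in services
                and "sts:AssumeRole" in _as_list(st.get("Action", []))):
            return True
    return False

def missing_s3_actions(policy, bucket):
    """Actions from this page's policy that are not granted on the right ARN.

    s3:ListBucket is evaluated against the bucket ARN, the object actions
    against bucket/*. fnmatch approximates IAM wildcard matching (assumption).
    """
    arn = f"arn:aws:s3:::{bucket}"
    needed = {"s3:ListBucket": arn, "s3:GetObject": arn + "/*", "s3:PutObject": arn + "/*"}
    missing = []
    for action, resource in needed.items():
        granted = any(
            st.get("Effect") == "Allow"
            and any(fnmatchcase(action.lower(), a.lower()) for a in _as_list(st.get("Action", [])))
            and any(fnmatchcase(resource, r) for r in _as_list(st.get("Resource", [])))
            for st in _as_list(policy.get("Statement", [])))
        if not granted:
            missing.append(action)
    return missing

# Constructed samples: the page's trust policy, and a permissions policy with a
# common mistake (only the object ARN is listed, so s3:ListBucket never matches).
TRUST = json.loads('{"Version":"2012-10-17","Statement":[{"Effect":"Allow",'
                   '"Principal":{"Service":"rds.amazonaws.com"},"Action":"sts:AssumeRole"}]}')
OBJECTS_ONLY = json.loads('{"Version":"2012-10-17","Statement":[{"Effect":"Allow",'
                          '"Action":["s3:GetObject","s3:ListBucket","s3:PutObject"],'
                          '"Resource":"arn:aws:s3:::your-backup-bucket/*"}]}')

if __name__ == "__main__":
    print("trust ok:", trust_allows_rds(TRUST))
    print("missing:", missing_s3_actions(OBJECTS_ONLY, "your-backup-bucket"))
```

An empty list from `missing_s3_actions` means every action is granted on the ARN it is evaluated against; a policy scoped to a key prefix is reported as missing the object actions because the check asks for the whole bucket.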

While the AWS Console might show validation issues (like the red highlight mentioned), the CLI often provides better error messages. Try adding the option via CLI:

# The role is passed as the IAM_ROLE_ARN option setting
aws rds add-option-to-option-group \
    --option-group-name my-sql-backup-group \
    --options "OptionName=SQLSERVER_BACKUP_RESTORE,OptionSettings=[{Name=IAM_ROLE_ARN,Value=arn:aws:iam::123456789012:role/YourRDSBackupRole}]" \
    --apply-immediately

After configuration, verify with:

aws rds describe-option-groups \
    --option-group-name my-sql-backup-group

Look for "SQLSERVER_BACKUP_RESTORE" in the output with status "active".


When attempting to restore a Microsoft SQL Server RDS database, many developers encounter the error:

"Database backup/restore option is not enabled yet or is in the process of being enabled. Please try again later."

AWS RDS requires a custom option group (not the default one) to enable SQLSERVER_BACKUP_RESTORE. The key constraints are:

  • Default option groups cannot be modified
  • Existing RDS instances can't change option groups after creation
  • New option groups require proper IAM permissions

Here's the complete workflow to resolve this:

1. Create a New Option Group

aws rds create-option-group \
    --option-group-name sql-backup-restore-group \
    --engine-name sqlserver-se \
    --major-engine-version 14.00 \
    --option-group-description "Option group for SQL Server backup/restore"

2. Create the Required IAM Role

The most reliable method is through the AWS Console:

  1. Navigate to RDS → Option Groups
  2. Select your custom option group
  3. Click "Add Option"
  4. Select "SQLSERVER_BACKUP_RESTORE"
  5. Under IAM Role, choose "Create a New Role"

3. Troubleshooting IAM Role Creation

If you encounter the red highlight error on role creation:

  • Ensure the role name follows IAM conventions (alphanumeric + _+=,.@-)
  • Verify you have the iam:CreateRole permission
  • Check CloudTrail logs for detailed errors

Alternative CLI Approach

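If the console fails, create the role manually:

# Trust policy: lets the RDS service assume the role
aws iam create-role \
    --role-name RDSBackupRestoreRole \
    --assume-role-policy-document '{
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "rds.amazonaws.com"},
            "Action": "sts:AssumeRole"
        }]
    }'

# Permissions: S3 access to the backup bucket. The role needs S3 permissions,
# not the enhanced monitoring managed policy. The policy name is an example.
aws iam put-role-policy \
    --role-name RDSBackupRestoreRole \
    --policy-name RDSBackupRestoreS3Access \
    --policy-document '{
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket", "s3:PutObject"],
            "Resource": ["arn:aws:s3:::your-backup-bucket", "arn:aws:s3:::your-backup-bucket/*"]
        }]
    }'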

After role creation, add the option:

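# The role is passed by ARN as the IAM_ROLE_ARN option setting
# (123456789012 is a placeholder account ID)
aws rds add-option-to-option-group \
    --option-group-name sql-backup-restore-group \
    --options "OptionName=SQLSERVER_BACKUP_RESTORE,OptionSettings=[{Name=IAM_ROLE_ARN,Value=arn:aws:iam::123456789012:role/RDSBackupRestoreRole}]" \
    --apply-immediately

Keep in mind:

  • This configuration requires RDS instance modification (downtime)
  • Test in non-production first
  • Monitor CloudWatch logs during the process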