How to Fix “Database backup/restore option not enabled” Error When Restoring SQL Server RDS with Proper IAM Role Configuration



When attempting to restore an MS SQL Server RDS database, many developers encounter the perplexing error: "Database backup/restore option is not enabled yet or is in the process of being enabled. Please try again later." This typically occurs when the SQLSERVER_BACKUP_RESTORE option isn't properly configured in your RDS option group.

The root issue stems from AWS's restriction on modifying default option groups. As noted in the AWS documentation:

Default option groups can't be modified.
You must create a custom option group to add options.

Here's how to properly set up the backup/restore functionality:

1. Create a new option group:

aws rds create-option-group \
    --option-group-name my-sql-backup-group \
    --engine-name sqlserver-se \
    --major-engine-version 15.00 \
    --option-group-description "Option group for SQL Server backup/restore"

2. The Critical IAM Role Setup:

The most common pitfall is incorrect IAM permissions. The role needs:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket",
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::your-backup-bucket",
                "arn:aws:s3:::your-backup-bucket/*"
            ]
        }
    ]
}

When you see "IAM role ARN value is invalid or does not include the required permissions", check:

  • The trust relationship policy allows RDS to assume the role
  • The role has the necessary S3 permissions
  • The role exists in the same region as your RDS instance

Here's a complete trust policy example:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "rds.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
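The first two checks in the list above can be run offline against the policy documents before the role is attached to the option group. The Python below is an added example, not AWS tooling or code from the original page; the function names, the `probe.bak` object key and the two broken sample policies are constructed for illustration.

```python
import fnmatch

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(value, patterns):
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def trust_allows_rds(trust):
    """First check in the list above: RDS may assume the role."""
    for st in _as_list(trust.get("Statement", [])):
        principal = st.get("Principal")
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if (st.get("Effect") == "Allow" and "rds.amazonaws.com" in services
                and "sts:AssumeRole" in _as_list(st.get("Action", []))):
            return True
    return False

def allows(policy, action, resource):
    """True if an Allow statement covers action on resource ('*' wildcards honoured).
    Simplification: Deny statements and Condition blocks are not evaluated."""
    return any(st.get("Effect") == "Allow"
               and _matches(action.lower(), [a.lower() for a in _as_list(st.get("Action", []))])
               and _matches(resource, st.get("Resource", []))
               for st in _as_list(policy.get("Statement", [])))

def check_role(trust, perms, bucket):
    """Return findings as strings; an empty list means both checks pass."""
    arn = f"arn:aws:s3:::{bucket}"
    # ListBucket is bucket-level, the others object-level; probe.bak is a constructed key.
    needed = [("s3:ListBucket", arn), ("s3:GetObject", arn + "/probe.bak"),
              ("s3:PutObject", arn + "/probe.bak")]
    findings = [] if trust_allows_rds(trust) else ["trust: rds.amazonaws.com cannot assume the role"]
    return findings + [f"permissions: no Allow for {a} on {r}"
                       for a, r in needed if not allows(perms, a, r)]

def make_policy(**statement):
    return {"Version": "2012-10-17", "Statement": [dict(statement, Effect="Allow")]}

S3_ACTIONS = ["s3:GetObject", "s3:ListBucket", "s3:PutObject"]
BUCKET_ARN = "arn:aws:s3:::your-backup-bucket"
# The two policies shown on this page.
PAGE_TRUST = make_policy(Principal={"Service": "rds.amazonaws.com"}, Action="sts:AssumeRole")
PAGE_PERMS = make_policy(Action=S3_ACTIONS, Resource=[BUCKET_ARN, BUCKET_ARN + "/*"])
# Constructed broken variants: wrong service principal; bucket ARN left out.
BAD_TRUST = make_policy(Principal={"Service": "ec2.amazonaws.com"}, Action="sts:AssumeRole")
BAD_PERMS = make_policy(Action=S3_ACTIONS, Resource=BUCKET_ARN + "/*")
if __name__ == "__main__":
    for name, t, p in [("page", PAGE_TRUST, PAGE_PERMS), ("broken", BAD_TRUST, BAD_PERMS)]:
        print(name, check_role(t, p, "your-backup-bucket") or "OK")
```

The broken permissions policy shows a common mistake: listing only the `/*` object ARN leaves `s3:ListBucket` without a matching resource, because that action applies to the bucket ARN itself.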

While the AWS Console might show validation issues (like the red highlight mentioned), the CLI often provides better error messages. Try adding the option via CLI:

# The role ARN is passed as the IAM_ROLE_ARN option setting.
aws rds add-option-to-option-group \
    --option-group-name my-sql-backup-group \
    --options "OptionName=SQLSERVER_BACKUP_RESTORE,OptionSettings=[{Name=IAM_ROLE_ARN,Value=arn:aws:iam::123456789012:role/YourRDSBackupRole}]" \
    --apply-immediately

After configuration, verify with:

aws rds describe-option-groups \
    --option-group-name my-sql-backup-group

Look for "SQLSERVER_BACKUP_RESTORE" in the output with status "active".


When attempting to restore a Microsoft SQL Server RDS database, many developers encounter the error:

"Database backup/restore option is not enabled yet or is in the process of being enabled. Please try again later."

AWS RDS requires a custom option group (not the default one) to enable SQLSERVER_BACKUP_RESTORE. The key constraints are:

  • Default option groups cannot be modified
  • Existing RDS instances can't change option groups after creation
  • New option groups require proper IAM permissions

Here's the complete workflow to resolve this:

1. Create a New Option Group

aws rds create-option-group \
    --option-group-name sql-backup-restore-group \
    --engine-name sqlserver-se \
    --major-engine-version 14.00 \
    --option-group-description "Option group for SQL Server backup/restore"

2. Create the Required IAM Role

The most reliable method is through the AWS Console:

  1. Navigate to RDS → Option Groups
  2. Select your custom option group
  3. Click "Add Option"
  4. Select "SQLSERVER_BACKUP_RESTORE"
  5. Under IAM Role, choose "Create a New Role"

3. Troubleshooting IAM Role Creation

If you encounter the red highlight error on role creation:

  • Ensure the role name follows IAM conventions (alphanumeric + _+=,.@-)
  • Verify you have the iam:CreateRole permission
  • Check CloudTrail logs for detailed errors

Alternative CLI Approach

If the console fails, try creating the role manually:

aws iam create-role \
    --role-name RDSBackupRestoreRole \
    --assume-role-policy-document '{
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "rds.amazonaws.com"},
            "Action": "sts:AssumeRole"
        }]
    }'

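# Grant the S3 access that backup/restore needs (the S3 policy shown earlier).
# The inline policy name below is an example.
aws iam put-role-policy \
    --role-name RDSBackupRestoreRole \
    --policy-name RDSBackupRestoreS3Access \
    --policy-document '{
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket", "s3:PutObject"],
            "Resource": [
                "arn:aws:s3:::your-backup-bucket",
                "arn:aws:s3:::your-backup-bucket/*"
            ]
        }]
    }'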

After role creation, add the option:

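# The role is passed by ARN as the IAM_ROLE_ARN option setting.
# Replace 123456789012 with your AWS account ID.
aws rds add-option-to-option-group \
    --option-group-name sql-backup-restore-group \
    --options "OptionName=SQLSERVER_BACKUP_RESTORE,OptionSettings=[{Name=IAM_ROLE_ARN,Value=arn:aws:iam::123456789012:role/RDSBackupRestoreRole}]" \
    --apply-immediately

  • This configuration requires RDS instance modification (downtime)
  • Test in non-production first
  • Monitor CloudWatch logs during the process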