Learn how to resolve the Access Denied trying to call AWS Backup service error in AWS by fixing IAM roles, vault access policies, and permissions.
How to Resolve Access Denied trying to call AWS Backup service
When you hit the Access Denied trying to call AWS Backup service error, it usually happens at the worst possible time, right when you need your backups to work. This error shows up when permissions are missing or policies are misconfigured. It can appear while using the AWS Management Console, CLI, or SDKs.
Now, instead of going around in circles, let’s walk through the real reasons this happens and what you can do about it.

Why does this error occur?
The Access Denied trying to call AWS Backup service message often comes down to one of these:
- The destination backup vault doesn’t have a proper vault access policy.
- The vault isn’t shared with the external account you’re trying to use.
- IAM roles, SCPs, or resource-based permissions are too restrictive.
Resolution 1: Add a vault access policy for cross-account copies
One common cause is a destination backup vault that doesn’t allow copies from the source account. To resolve this, allow the backup:CopyIntoBackupVault action in the destination vault’s access policy.
Here’s an example policy you can apply. Don’t forget to replace SourceAccountID with your source account ID.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::SourceAccountID:root"
      },
      "Action": "backup:CopyIntoBackupVault",
      "Resource": "*"
    }
  ]
}
Additional troubleshooting with organization or OU
Sometimes, you want the destination vault to accept backups not just from one account but from an entire AWS Organization or OU. In that case, make sure the vault access policy includes the organization ID or OU ID.
Example for allowing an entire organization:
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "backup:CopyIntoBackupVault",
    "Resource": "*",
    "Principal": "*",
    "Condition": {
      "StringEquals": {
        "aws:PrincipalOrgID": [
          "o-xxxxxxxx11"
        ]
      }
    }
  }]
}
Example for allowing a specific OU:
Be sure to enter the aws:PrincipalOrgPaths condition key correctly.
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "backup:CopyIntoBackupVault",
    "Resource": "*",
    "Principal": "*",
    "Condition": {
      "ForAnyValue:StringLike": {
        "aws:PrincipalOrgPaths": [
          "o-xxxxxxxx11/r-xxxx/ou-[OU]/*"
        ]
      }
    }
  }]
}
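The organization and OU policies above use a wildcard principal, so the Condition block is the only thing limiting who can copy into the vault. The following Python check is an added example, not part of the original article or of AWS tooling: it audits a vault access policy document for copy-in grants that have a missing principal or a wildcard principal with no effective organization condition. The function names and the sample policies are constructed for illustration.

```python
import json

COPY_ACTION = "backup:copyintobackupvault"
ORG_KEYS = {"aws:principalorgid", "aws:principalorgpaths"}
# ForAllValues: and ...IfExists operators match when the key is absent,
# so they are not treated as restricting access.
RESTRICTING_OPS = {"stringequals", "stringlike",
                   "foranyvalue:stringequals", "foranyvalue:stringlike"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_wildcard(principal):
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return principal == "*"

def _org_scoped(condition):
    for operator, keys in (condition or {}).items():
        if operator.lower() not in RESTRICTING_OPS:
            continue
        for key, values in keys.items():
            vals = _as_list(values)
            # An empty value or a bare "*" pattern does not narrow anything.
            if key.lower() in ORG_KEYS and vals and all(v and v != "*" for v in vals):
                return True
    return False

def audit_vault_policy(policy_json):
    """Return (statement index, finding) pairs for over-broad copy-in grants."""
    findings = []
    for i, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement", []))):
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if stmt.get("Effect") != "Allow" or not actions & {"*", "backup:*", COPY_ACTION}:
            continue
        principal = stmt.get("Principal")
        if not principal:
            findings.append((i, "missing or empty Principal"))
        elif _is_wildcard(principal) and not _org_scoped(stmt.get("Condition")):
            findings.append((i, "wildcard Principal without an organization condition"))
    return findings

# Constructed sample policies; the organization ID is the placeholder used on this page.
ORG_SCOPED = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "backup:CopyIntoBackupVault", "Resource": "*", "Principal": "*",
    "Condition": {"StringEquals": {"aws:PrincipalOrgID": ["o-xxxxxxxx11"]}}}]})
OPEN_TO_ALL = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "backup:CopyIntoBackupVault", "Resource": "*", "Principal": "*"}]})
```

Partial action patterns such as backup:Copy* are not expanded by this check; only the exact action, backup:* and * are matched.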
Resolution 2: Allow the source account on the destination vault
Another simple but effective fix is to allow your source AWS account directly in the destination vault’s access policy. Again, replace SourceAccountID with your source AWS account ID.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::SourceAccountID:root"
      },
      "Action": "backup:CopyIntoBackupVault",
      "Resource": "*"
    }
  ]
}
Resolution 3: Share the backup vault
If you’re working across accounts, the error also happens when the destination vault hasn’t been shared. AWS Backup lets you share a backup vault with one account, multiple accounts, or your entire organization. Ensure that the vault is shared properly before running your operations.
Conclusion
The Access Denied trying to call AWS Backup service error usually boils down to permissions and vault policies. By:
- Adding the correct backup:CopyIntoBackupVault permissions,
- Updating vault access policies with account IDs, Org IDs, or OUs,
- And sharing the destination vault properly,
…you can get rid of the issue quickly. Always test after applying changes to confirm the error is gone.
The key takeaway is that AWS Backup relies heavily on IAM roles, policies, and vault permissions. Get those right, and you won’t have to worry about access denied errors stopping your backup operations again.
