Problem Description
Amazon S3 backup jobs in Druva CloudRanger fail during execution with an "Internal error" status in the management console.
Cause
The backup failure occurs when the encryption authorization (KMS/E-Key association) has not been configured or has been removed from the CloudRanger console under Storage Rules $\rightarrow$ Encryption.
Without this authorization, CloudRanger lacks the required permissions to decrypt the source resources or interact with encrypted storage destinations, leading to an AWS API authorization failure during object metadata retrieval.
Traceback
The following log snippet indicates that the backup agent fails to retrieve the required S3 parameters because access is explicitly forbidden (HTTP 403):
level=warn ts=2026-03-05T00:53:10.923127599Z filename=execute.go:345 method=getPhotonParams message="Failed to download params.json, using default values" Error="failed to download params.json from S3: Failed to get object metadata: operation error S3: HeadObject, failed to release initial token after request error, https response error StatusCode: 403, RequestID: HMVGN7RDTFD1M5VB, HostID: 5T/lrAiNSF6InW38xe7OClLZIlsdYI21cyJOz5r+ePqqPTQ9pCox9q5MBDtiXan9Y4IAzbA9L5M=, api error Forbidden: Forbidden"
level=error ts=2026-03-05T00:53:11.184711559Z filename=middleware.go:61 message="Rest call failed with non-retryable service error"
Resolution
Log in to the Druva CloudRanger console.
Navigate to the top gear icon (Settings) or specific backup destination and select Storage Rules $\rightarrow$ Encryption (or Manage Authorizations).
Add or update the encryption authorization by linking the appropriate data encryption keys (E-Key) or client credentials for the affected AWS Account and Region.
Go to the Jobs page and retry the failed S3 backup jobs.
Verify that the job status changes to Successful.