Durch die Nutzung von AWS re:Post stimmt du den AWS re:Post Nutzungsbedingungen
AWS re:Postre:Post

DMSStack-DMSRole-xxxx/dms-session-for-replication-engine is not authorized to perform: secretsmanager:GetSecretValue

0

I'm trying to test endpoint connection from DMS Replication Instance, DMS (3.4.7) RI instance (running in Acnt A) is attempting to get a secret from SecretsManager (running in Acnt B) using VPC Interface endpoint, but errors out with the following.

Test Endpoint failed: Application-Status: 1020912, Application-Message: Failed to retrieve secret. Unable to find Secrets Manager secret, Application-Detailed-Message: Unable to find AWS Secrets Manager secret Arn 'arn:aws:secretsmanager:us-east-1:acntBbbbbb:secret:/dmsdemo/aaaaa-<erandomStrng>' The secrets_manager get secret value failed: User: arn:aws:sts::acntAaaaa:assumed-role/DMSStack-DMSRole-zzzzzzz/dms-session-for-replication-engine is not authorized to perform: secretsmanager:GetSecretValue on resource: arn:aws:secretsmanager:us-east-1:acntBbbbbb:secret:/aaaaa-<randomStrng> because no session policy allows the secretsmanager:GetSecretValue action Not retriable error: <AccessDeniedException> User: arn:aws:sts::acntAaaaa:assumed-role/DMSStack-DMSRole-zzzzzzz/dms-session-for-replication-engine is not authorized to perform: secretsmanager:GetSecretValue on resource: arn:aws:secretsmanager:us-east-1:acntBbbbbb:secret:/dmsdemo/aaaaa-<randomStrng>' because no session policy allows the secrets

DMSRole

{ "Version": "2012-10-17", "Statement": [ { "Action": [ "secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret" ], "Resource": "arn:aws:secretsmanager:us-east-1:acntAaaaa:secret:/dmsdemo/aaaaa-<randomStrng>", "Effect": "Allow" }, { "Action": "kms:Decrypt", "Resource": "arn:aws:kms:us-east-1:acnt:key/ddddddddddd", "Effect": "Allow" } ] }

Resource Policy on Secret

{ "Version" : "2012-10-17", "Statement" : [ { "Effect" : "Allow", "Principal" : { "AWS" : [ "arn:aws:iam::acntAaaaaa:root", "arn:aws:iam::acntBbbbbbb:root" ] }, "Action" : [ "secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret" ], "Resource" : "*" } ] }

Any thoughts on what was missing in permissions that is restricting the access to secret

Themen
Migration und ModernisierungSicherheit, Identität & Konformität
Tags
AWS Datenbank-MigrationsdienstAWS GeheimnismanagerIAM-Richtlinien
Sprache
English
AWS
rePost-User-0396193
gefragt vor 2 Jahren313 Aufrufe
1 Antwort
0

it seems you are accessing secrets in account B from account A which is hosting the dms instance. I would suggest having secret/secretIAMrole/dms in one account say A while the credentials/endpoint details as defined in secret could be of acct B.

AWS
subhashr
beantwortet vor 2 Jahren
  • rePost-User-0396193
    vor 2 Jahren

    Secrets Manager can be in any account. GetSecretValue should not fail. The same scenario was working with Previous DMS engine 3.4.6

  • subhashr
    vor 2 Jahren

    In that case i would suggest opening a case with support to check this.

  • rePost-User-0396193
    vor 2 Jahren

    Sure thing

Du bist nicht angemeldet. Anmelden um eine Antwort zu veröffentlichen.

Eine gute Antwort beantwortet die Frage klar, gibt konstruktives Feedback und fördert die berufliche Weiterentwicklung des Fragenstellers.

Richtlinien für die Beantwortung von Fragen

Relevanter Inhalt