Why can't I see Amazon CloudWatch Logs for an AWS Database Migration Service (AWS DMS) task?
Short description
To view the CloudWatch Logs for your AWS DMS task, confirm the following:
- Amazon CloudWatch is enabled on the AWS DMS task.
- The dms-cloudwatch-logs-role AWS Identity and Access Management (IAM) role is created. The IAM role has the correct permissions policy, and has the correct trust relationship for AWS DMS to assume the role.
Resolution
Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent AWS CLI version.
First, enable CloudWatch logging for your task, if you haven't already. To enable CloudWatch logging, your task must be in a Stopped or Failed state.
If CloudWatch logging is enabled for your task and you still can't view the logs, confirm that you have the required IAM role. Open the IAM console, and then choose Roles from the navigation pane. Confirm that dms-cloudwatch-logs-role is listed. If you created the task using the AWS Command Line Interface (AWS CLI) or the dms-cloudwatch-logs-role role wasn't created because the account doesn't have sufficient permissions, then create the role with the required policies using the AWS CLI or follow these steps:
1. Open the IAM console, and then choose Roles from the navigation pane.
2. Choose Create role.
3. Choose AWS service from Select type of trusted entity. Doing this allows the AWS service in the next step to perform actions on your behalf.
4. Choose DMS from Choose a use case. This creates the following trust relationship policy so that AWS DMS can assume the role:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "dms.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
5. Choose Next: Permissions.
6. Enter AmazonDMSCloudWatchLogsRole in the search field. Then, choose the policy to grant AWS DMS access to CloudWatch.
7. Choose Next: Tags.
8. Optionally, add metadata to the role by using tags as key-value pairs.
9. Choose Next: Review.
10. For Role name, enter dms-cloudwatch-logs-role.
Note: The role name dms-cloudwatch-logs-role is case-sensitive, so be sure to enter the role name in lower case.
11. Role description is filled, and you can add or edit the description as needed.
12. Chose Create role.
After the role is created, you can use CloudWatch Logs to monitor your AWS DMS task.
Related information
Monitoring AWS DMS tasks