Usando AWS re:Post, accetti AWS re:Post Termini di utilizzo
AWS re:Postre:Post

Creating DMS Source endpoint via Cloudformation causing "SecretsManagerSecretId is invalid error"

0

Hi, I am trying to create a DMS source endpoint using cloud formation. DMS retrieves the endpoint details (host, port, username, password) through the Secret that has been created. However, I am running into the following error when deploying the stack:

SecretsManagerSecretId arn:aws:secretsmanager:ca-central-1:xxxx:secret:yyyyy is invalid. (Service: AWSDatabaseMigrationService; Status Code: 400; Error Code: InvalidParameterValueException;)

Here is the Cfn template config:

DMSSourceEndpoint:
    Type: "AWS::DMS::Endpoint"
    Properties: 
      EndpointType: source
      EngineName: mysql
      MySqlSettings:
           SecretsManagerAccessRoleArn: !GetAtt DMSSecretsAccessRole.Arn
           SecretsManagerSecretId: !Ref SecretARN

I know it is not an issue with Secret access because I can create the endpoint through the console. However, it should be noted that the secret is located in another account and has been shared via resource and identity polices. Here's how the DMSSecretsAccessRole looks:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "secretsmanager:GetSecretValue",
                "secretsmanager:DescribeSecret"
            ],
            "Resource": "arn:aws:secretsmanager:ca-central-1:xxxx:secret:yyyy",
            "Effect": "Allow"
        },
        {
            "Action": [
                "kms:Decrypt",
                "kms:DescribeKey"
            ],
            "Resource": "arn:aws:kms:ca-central-1:xxxx:key/zzzz",
            "Effect": "Allow"
        }
    ]
}

Trust policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "dms.ca-central-1.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

Here's the cloudtrail output:

{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "bbbb:AWSCloudFormation",
        "arn": "arn:aws:sts::aaaa:assumed-role/CloudformationRole/AWSCloudFormation",
        "accountId": "aaaa",
        "accessKeyId": "cccc",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "bbbb",
                "arn": "arn:aws:iam::aaaa:role/CloudformationRole",
                "accountId": "aaaa",
                "userName": "CloudformationRole"
            },
            "webIdFederationData": {},
            "attributes": {
                "creationDate": "2023-10-26T19:29:28Z",
                "mfaAuthenticated": "false"
            }
        },
        "invokedBy": "cloudformation.amazonaws.com"
    },
    "eventTime": "2023-10-26T19:29:31Z",
    "eventSource": "dms.amazonaws.com",
    "eventName": "CreateEndpoint",
    "awsRegion": "ca-central-1",
    "sourceIPAddress": "cloudformation.amazonaws.com",
    "userAgent": "cloudformation.amazonaws.com",
    "errorCode": "InvalidParameterValueException",
    "errorMessage": "SecretsManagerSecretId arn:aws:secretsmanager:ca-central-1:xxxx:secret:yyyy is invalid.",
    "requestParameters": {
        "endpointIdentifier": "DMSSourceEndpoint-LoxjGDUeMa7lGn8I",
        "endpointType": "source",
        "engineName": "mysql",
        "password": "HIDDEN_DUE_TO_SECURITY_REASONS",
        "tags": [],
        "mySQLSettings": {
            "secretsManagerAccessRoleArn": "arn:aws:iam::aaaa:role/DMSSecretsAccessRole",
            "secretsManagerSecretId": "arn:aws:secretsmanager:ca-central-1:xxxx:secret:yyyy"
        }
    },
    "responseElements": null,
    "requestID": "wwww",
    "eventID": "vvvv",
    "readOnly": false,
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "aaaa",
    "eventCategory": "Management"
}

TYIA

Argomenti
Migrazione e modernizzazioneSicurezza, identità e conformitàGestione e amministrazioneAnalisiDatabase
Tag
Servizio di migrazione dei database AWSGestione identità e accesso AWSAWS CloudFormationScambio dati su AWSMySQL
Lingua
English
AWS
saj
posta 6 mesi fa523 visualizzazioni
1 Risposta
0

Hi,

This blog post details exactly what you're trying to achieve: https://aws.amazon.com/blogs/database/configure-an-aws-dms-endpoint-to-access-cross-account-secrets-from-aws-secrets-manager/

Please, follow its guidance to be able to use the shared secret.

Best,

Didier

profile pictureAWS
ESPERTO
Didier_Durand
con risposta 6 mesi fa
  • saj
    6 mesi fa

    I am able to create the endpoint manually via the AWS console (used the tutorial above). It is the cloudformation stack that is resulting in this error.

  • Didier_Durand ESPERTO
    6 mesi fa

    I see now your problem: it's in "SecretsManagerSecretId: !Ref SecretARN" You give the secret full ARN while only the secret id is expected. I guess that !Ref SecretARN means that it is a parameter of your stack. Change the full ARN to only the id and it should work. Best. Didier

Accesso non effettuato. Accedi per postare una risposta.

Una buona risposta soddisfa chiaramente la domanda, fornisce un feedback costruttivo e incoraggia la crescita professionale del richiedente.

Linee guida per rispondere alle domande

Contenuto pertinente