Creating DMS Source endpoint via Cloudformation causing "SecretsManagerSecretId is invalid error"

0

Hi, I am trying to create a DMS source endpoint using CloudFormation. DMS retrieves the endpoint details (host, port, username, password) through the Secret that has been created. However, I am running into the following error when deploying the stack:

SecretsManagerSecretId arn:aws:secretsmanager:ca-central-1:xxxx:secret:yyyyy is invalid. (Service: AWSDatabaseMigrationService; Status Code: 400; Error Code: InvalidParameterValueException;)

Here is the Cfn template config:

DMSSourceEndpoint:
  Type: "AWS::DMS::Endpoint"
  Properties:
    EndpointType: source
    EngineName: mysql
    MySqlSettings:
      SecretsManagerAccessRoleArn: !GetAtt DMSSecretsAccessRole.Arn
      SecretsManagerSecretId: !Ref SecretARN

I know it is not an issue with Secret access because I can create the endpoint through the console. However, it should be noted that the secret is located in another account and has been shared via resource and identity policies. Here's how the DMSSecretsAccessRole looks:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "secretsmanager:GetSecretValue",
                "secretsmanager:DescribeSecret"
            ],
            "Resource": "arn:aws:secretsmanager:ca-central-1:xxxx:secret:yyyy",
            "Effect": "Allow"
        },
        {
            "Action": [
                "kms:Decrypt",
                "kms:DescribeKey"
            ],
            "Resource": "arn:aws:kms:ca-central-1:xxxx:key/zzzz",
            "Effect": "Allow"
        }
    ]
}

Trust policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "dms.ca-central-1.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

Here's the cloudtrail output:

{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "bbbb:AWSCloudFormation",
        "arn": "arn:aws:sts::aaaa:assumed-role/CloudformationRole/AWSCloudFormation",
        "accountId": "aaaa",
        "accessKeyId": "cccc",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "bbbb",
                "arn": "arn:aws:iam::aaaa:role/CloudformationRole",
                "accountId": "aaaa",
                "userName": "CloudformationRole"
            },
            "webIdFederationData": {},
            "attributes": {
                "creationDate": "2023-10-26T19:29:28Z",
                "mfaAuthenticated": "false"
            }
        },
        "invokedBy": "cloudformation.amazonaws.com"
    },
    "eventTime": "2023-10-26T19:29:31Z",
    "eventSource": "dms.amazonaws.com",
    "eventName": "CreateEndpoint",
    "awsRegion": "ca-central-1",
    "sourceIPAddress": "cloudformation.amazonaws.com",
    "userAgent": "cloudformation.amazonaws.com",
    "errorCode": "InvalidParameterValueException",
    "errorMessage": "SecretsManagerSecretId arn:aws:secretsmanager:ca-central-1:xxxx:secret:yyyy is invalid.",
    "requestParameters": {
        "endpointIdentifier": "DMSSourceEndpoint-LoxjGDUeMa7lGn8I",
        "endpointType": "source",
        "engineName": "mysql",
        "password": "HIDDEN_DUE_TO_SECURITY_REASONS",
        "tags": [],
        "mySQLSettings": {
            "secretsManagerAccessRoleArn": "arn:aws:iam::aaaa:role/DMSSecretsAccessRole",
            "secretsManagerSecretId": "arn:aws:secretsmanager:ca-central-1:xxxx:secret:yyyy"
        }
    },
    "responseElements": null,
    "requestID": "wwww",
    "eventID": "vvvv",
    "readOnly": false,
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "aaaa",
    "eventCategory": "Management"
}

TYIA

1 answer
0

Hi,

This blog post details exactly what you're trying to achieve: https://aws.amazon.com/blogs/database/configure-an-aws-dms-endpoint-to-access-cross-account-secrets-from-aws-secrets-manager/

Please, follow its guidance to be able to use the shared secret.

Best,

Didier

AWS
Expert
answered 6 months ago
  • I am able to create the endpoint manually via the AWS console (used the tutorial above). It is the cloudformation stack that is resulting in this error.

  • I see now your problem: it's in "SecretsManagerSecretId: !Ref SecretARN". You give the full secret ARN while only the secret id is expected. I guess that !Ref SecretARN means that it is a parameter of your stack. Change the full ARN to only the id and it should work. Best. Didier
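The checks this thread revolves around (the form of the SecretsManagerSecretId, its region and owning account relative to the endpoint, and whether the access role's identity policy grants the Secrets Manager and KMS actions DMS needs), turned into a pre-deployment lint as an added example that is my code, not from the post or from AWS. The account ids, secret name and KMS key id are constructed placeholders.

```python
import re

SECRET_ARN_RE = re.compile(
    r"^arn:aws:secretsmanager:(?P<region>[a-z0-9-]+):(?P<account>\d{12}):secret:(?P<name>[^:]+)$")
SECRET_ACTIONS = {"secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"}
KMS_ACTIONS = {"kms:Decrypt", "kms:DescribeKey"}

def parse_secret_arn(secret_id):
    """Return region/account/name for a full secret ARN, or None for a friendly name or partial id."""
    m = SECRET_ARN_RE.match(secret_id)
    return m.groupdict() if m else None

def allowed_actions(policy, resource):
    """Actions the identity policy allows on `resource` (exact ARN or '*' only; no wildcard expansion)."""
    allowed = set()
    for stmt in policy.get("Statement", []):
        res = stmt.get("Resource", [])
        res = [res] if isinstance(res, str) else res
        if stmt.get("Effect") == "Allow" and (resource in res or "*" in res):
            act = stmt.get("Action", [])
            allowed.update([act] if isinstance(act, str) else act)
    return allowed

def lint_endpoint(secret_id, dms_region, dms_account, role_policy, kms_key_arn):
    """Return findings (empty list means the wiring is consistent) for a DMS endpoint's secret settings."""
    arn = parse_secret_arn(secret_id)
    if arn is None:
        return [f"'{secret_id}' is not a full ARN; the role policy resource cannot be cross-checked"]
    findings = []
    if arn["region"] != dms_region:
        findings.append(f"secret region {arn['region']} differs from endpoint region {dms_region}")
    if arn["account"] != dms_account:
        findings.append("cross-account secret: the secret's resource policy and the KMS key policy must also grant the role")
    for need, res, what in ((SECRET_ACTIONS, secret_id, "secret"), (KMS_ACTIONS, kms_key_arn, "KMS key")):
        missing = need - allowed_actions(role_policy, res)
        if missing:
            findings.append(f"role policy lacks {sorted(missing)} on {what} {res}")
    return findings

# Constructed sample mirroring the post: secret owned by 111111111111, stack deployed in 222222222222.
SECRET = "arn:aws:secretsmanager:ca-central-1:111111111111:secret:prod/mysql-AbCdEf"
KEY = "arn:aws:kms:ca-central-1:111111111111:key/11111111-2222-3333-4444-555555555555"
ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": sorted(SECRET_ACTIONS), "Resource": SECRET},
    {"Effect": "Allow", "Action": ["kms:Decrypt"], "Resource": KEY},  # kms:DescribeKey left out on purpose
]}

if __name__ == "__main__":
    for finding in lint_endpoint(SECRET, "ca-central-1", "222222222222", ROLE_POLICY, KEY):
        print("FINDING:", finding)
```

Run it against the real template's parameter value and role policy document before `aws cloudformation deploy`; a non-empty result points at the mismatch to fix before DMS rejects the CreateEndpoint call.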
