DMSStack-DMSRole-xxxx/dms-session-for-replication-engine is not authorized to perform: secretsmanager:GetSecretValue

0

I'm trying to test the endpoint connection from a DMS Replication Instance. The DMS (3.4.7) RI instance (running in Acnt A) is attempting to get a secret from Secrets Manager (running in Acnt B) using a VPC interface endpoint, but it errors out with the following.

Test Endpoint failed: Application-Status: 1020912, Application-Message: Failed to retrieve secret. Unable to find Secrets Manager secret, Application-Detailed-Message: Unable to find AWS Secrets Manager secret Arn 'arn:aws:secretsmanager:us-east-1:acntBbbbbb:secret:/dmsdemo/aaaaa-<erandomStrng>' The secrets_manager get secret value failed: User: arn:aws:sts::acntAaaaa:assumed-role/DMSStack-DMSRole-zzzzzzz/dms-session-for-replication-engine is not authorized to perform: secretsmanager:GetSecretValue on resource: arn:aws:secretsmanager:us-east-1:acntBbbbbb:secret:/aaaaa-<randomStrng> because no session policy allows the secretsmanager:GetSecretValue action Not retriable error: <AccessDeniedException> User: arn:aws:sts::acntAaaaa:assumed-role/DMSStack-DMSRole-zzzzzzz/dms-session-for-replication-engine is not authorized to perform: secretsmanager:GetSecretValue on resource: arn:aws:secretsmanager:us-east-1:acntBbbbbb:secret:/dmsdemo/aaaaa-<randomStrng>' because no session policy allows the secrets

DMSRole

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "secretsmanager:GetSecretValue",
        "secretsmanager:DescribeSecret"
      ],
      "Resource": "arn:aws:secretsmanager:us-east-1:acntAaaaa:secret:/dmsdemo/aaaaa-<randomStrng>",
      "Effect": "Allow"
    },
    {
      "Action": "kms:Decrypt",
      "Resource": "arn:aws:kms:us-east-1:acnt:key/ddddddddddd",
      "Effect": "Allow"
    }
  ]
}

Resource Policy on Secret

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::acntAaaaaa:root",
          "arn:aws:iam::acntBbbbbbb:root"
        ]
      },
      "Action": [
        "secretsmanager:GetSecretValue",
        "secretsmanager:DescribeSecret"
      ],
      "Resource": "*"
    }
  ]
}

Any thoughts on what is missing in the permissions that is restricting access to the secret?

1 Answer
0

It seems you are accessing secrets in account B from account A, which is hosting the DMS instance. I would suggest having the secret/secret IAM role/DMS in one account, say A, while the credentials/endpoint details defined in the secret could be for acct B.

AWS
answered a year ago
  • Secrets Manager can be in any account. GetSecretValue should not fail. The same scenario was working with the previous DMS engine 3.4.6.

  • In that case I would suggest opening a case with support to check this.

  • Sure thing
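Added example, not code from the question or the answer: a small Python checker for the two policy layers a cross-account Secrets Manager call passes through (the caller's identity policy in its own account and the secret's resource policy in the owning account, which must both allow the action). It embeds the shape of the two policies quoted above with constructed stand-in account ids 111111111111 (account A) and 222222222222 (account B), and on those inputs it reports that the resource policy admits account A's root while the role policy's Resource ARN names account A rather than the secret's account B, so the identity layer does not cover the secret; it does not model the session policy cited in the error, explicit Deny, Condition keys or the separate kms:Decrypt grant.

```python
import fnmatch

# Constructed stand-ins for the question's anonymised account ids:
# 111111111111 = account A (runs DMS), 222222222222 = account B (owns the secret).
ACCT_A, ACCT_B = "111111111111", "222222222222"
CALLER = (f"arn:aws:sts::{ACCT_A}:assumed-role/DMSStack-DMSRole-zzzzzzz"
          "/dms-session-for-replication-engine")
SECRET = f"arn:aws:secretsmanager:us-east-1:{ACCT_B}:secret:/dmsdemo/aaaaa-AbCdEf"

# Same shape as the two policies quoted in the question (KMS statement omitted).
ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
     "Resource": f"arn:aws:secretsmanager:us-east-1:{ACCT_A}:secret:/dmsdemo/aaaaa-AbCdEf"}]}
SECRET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Principal": {"AWS": [f"arn:aws:iam::{ACCT_A}:root", f"arn:aws:iam::{ACCT_B}:root"]},
     "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
     "Resource": "*"}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _account(arn):
    return arn.split(":")[4]  # arn:partition:service:region:account:...

def _principal_matches(stmt, caller_arn):
    """Resource-policy principal check: the caller's own ARN or its account root."""
    allowed = _as_list(stmt.get("Principal", {}).get("AWS", []))
    return caller_arn in allowed or f"arn:aws:iam::{_account(caller_arn)}:root" in allowed

def statement_allows(stmt, action, resource, caller_arn=None):
    """Allow-statement match using IAM's '*' / '?' wildcards (no Deny, no Condition)."""
    if stmt.get("Effect") != "Allow":
        return False
    if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt["Resource"])):
        return False
    return caller_arn is None or _principal_matches(stmt, caller_arn)

def check_secret_access(caller_arn, identity_policy, resource_policy, action, secret_arn):
    """Cross-account: the identity policy (caller's account) AND the resource policy
    (owner's account) must both allow; same account: either one is enough."""
    identity_ok = any(statement_allows(s, action, secret_arn) for s in identity_policy["Statement"])
    resource_ok = any(statement_allows(s, action, secret_arn, caller_arn) for s in resource_policy["Statement"])
    cross = _account(caller_arn) != _account(secret_arn)
    allowed = (identity_ok and resource_ok) if cross else (identity_ok or resource_ok)
    return {"allowed": allowed, "cross_account": cross,
            "identity_policy_allows": identity_ok, "resource_policy_allows": resource_ok}
```

Calling `check_secret_access(CALLER, ROLE_POLICY, SECRET_POLICY, "secretsmanager:GetSecretValue", SECRET)` shows which of the two layers fails to match before you go looking at the session policy or KMS.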
