I'm trying to test endpoint connection from DMS Replication Instance,
DMS (3.4.7) RI instance (running in Acnt A) is attempting to get a secret from SecretsManager (running in Acnt B) using VPC Interface endpoint, but errors out with the following.
Test Endpoint failed: Application-Status: 1020912, Application-Message: Failed to retrieve secret. Unable to find Secrets Manager secret, Application-Detailed-Message: Unable to find AWS Secrets Manager secret Arn 'arn:aws:secretsmanager:us-east-1:acntBbbbbb:secret:/dmsdemo/aaaaa-<erandomStrng>' The secrets_manager get secret value failed: User: arn:aws:sts::acntAaaaa:assumed-role/DMSStack-DMSRole-zzzzzzz/dms-session-for-replication-engine is not authorized to perform: secretsmanager:GetSecretValue on resource: arn:aws:secretsmanager:us-east-1:acntBbbbbb:secret:/aaaaa-<randomStrng> because no session policy allows the secretsmanager:GetSecretValue action Not retriable error: <AccessDeniedException> User: arn:aws:sts::acntAaaaa:assumed-role/DMSStack-DMSRole-zzzzzzz/dms-session-for-replication-engine is not authorized to perform: secretsmanager:GetSecretValue on resource: arn:aws:secretsmanager:us-east-1:acntBbbbbb:secret:/dmsdemo/aaaaa-<randomStrng>' because no session policy allows the secrets
DMSRole
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"secretsmanager:GetSecretValue",
"secretsmanager:DescribeSecret"
],
"Resource": "arn:aws:secretsmanager:us-east-1:acntAaaaa:secret:/dmsdemo/aaaaa-<randomStrng>",
"Effect": "Allow"
},
{
"Action": "kms:Decrypt",
"Resource": "arn:aws:kms:us-east-1:acnt:key/ddddddddddd",
"Effect": "Allow"
}
]
}
Resource Policy on Secret
{
"Version" : "2012-10-17",
"Statement" : [ {
"Effect" : "Allow",
"Principal" : {
"AWS" : [ "arn:aws:iam::acntAaaaaa:root", "arn:aws:iam::acntBbbbbbb:root" ]
},
"Action" : [ "secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret" ],
"Resource" : "*"
} ]
}
Any thoughts on what was missing in permissions that is restricting the access to secret
Secrets Manager can be in any account. GetSecretValue should not fail. The same scenario was working with Previous DMS engine 3.4.6
In that case i would suggest opening a case with support to check this.
Sure thing