Skip to content
By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

DMS Endpoint Connection Test Failed with Secret Manager

0

Test Endpoint failed: Application-Status: 1020912, Application-Message: Failed to retrieve secret. Unable to find Secrets Manager secret, Application-Detailed-Message: Unable to find AWS Secrets Manager secret Arn 'arn:aws:secretsmanager:<region>:<account>:secret:XXXXXXX' The secrets_manager get secret value failed: curlCode: 7, Couldn't connect to server Too many retries: curlCode: 7, Couldn't connect to server

Hi, I'm doing a DMS Endpoint connection test between Priavate VPCs. I'm fighting the above error.

I set it up as below.

  • VPC1: Replication instance
  • VPC2 : Mysql RDS (admin password with secret manager)
  • The VPC is on the same account.

I also created a SecretManager VPC Endpoint on VPC1,

and the IAM Role connected to the DMS endpoint... This role has the following policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "secretsmanager:GetSecretValue",
            "Resource": [
                "arn:aws:secretsmanager:<region>:<account>:secret:XXXXXXX",
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt",
                "kms:DescribeKey"
            ],
            "Resource": "arn:aws:kms:<region>:<account>:key/*"
        }
    ]
}

Here is the role trust policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "dms.amazonaws.com",
                    "dms.<region>.amazonaws.com"
                ]
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

but the connection is not possible.

If I test the endpoint connection without using SecretManager with the same user password value, it will connect well. What's the problem? Please help me.

Topics
Migration & ModernizationDatabaseSecurity, Identity, & ComplianceNetworking & Content Delivery
Tags
MySQLAWS Identity and Access ManagementAWS Database Migration ServiceAWS PrivateLinkAWS Secrets Manager
Language
English
asked 3 years ago6.2K views
1 Answer
0

Hello,

By looking at the error this seems issue with secrete manager ARN. Are you certain that ARN is right.

Here is one of the blog and documentation, to validate you if you had followed the same, although policy seems right.

https://aws.amazon.com/blogs/database/manage-your-aws-dms-endpoint-credentials-with-aws-secrets-manager/

https://docs.aws.amazon.com/dms/latest/userguide/security_iam_secretsmanager.html

You also check manually if you are able to retrieve secrete using cli, just to be sure secreteARN is right.

Here is one link for your reference: https://aws.amazon.com/blogs/security/how-to-connect-to-aws-secrets-manager-service-within-a-virtual-private-cloud/

Thanks Jitender

AWS
answered 3 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Relevant content