DMS Endpoint Connection Test Failed with Secret Manager


Test Endpoint failed: Application-Status: 1020912, Application-Message: Failed to retrieve secret. Unable to find Secrets Manager secret, Application-Detailed-Message: Unable to find AWS Secrets Manager secret Arn 'arn:aws:secretsmanager:<region>:<account>:secret:XXXXXXX' The secrets_manager get secret value failed: curlCode: 7, Couldn't connect to server Too many retries: curlCode: 7, Couldn't connect to server

Hi, I'm doing a DMS endpoint connection test between private VPCs. I'm fighting the above error.

I set it up as below.

  • VPC1: Replication instance
  • VPC2: MySQL RDS (admin password stored in Secrets Manager)
  • Both VPCs are in the same account.

I also created a Secrets Manager VPC endpoint on VPC1, and the IAM role connected to the DMS endpoint has the following policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "secretsmanager:GetSecretValue",
            "Resource": [
                "arn:aws:secretsmanager:<region>:<account>:secret:XXXXXXX"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt",
                "kms:DescribeKey"
            ],
            "Resource": "arn:aws:kms:<region>:<account>:key/*"
        }
    ]
}

Here is the role trust policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "dms.amazonaws.com",
                    "dms.<region>.amazonaws.com"
                ]
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

But the connection is not possible.

If I test the endpoint connection without using Secrets Manager, with the same user password value, it connects well. What's the problem? Please help me.

  • I understand the absurd complexity--and actually appreciate it. What I'll never appreciate is AWS' horrific UX. Can't you run tests/errors BEFORE clicking submit? Can't AWS save migration projects & parameters as drafts prior to the 1,000 redirects? Can't AWS consolidate the process so that we're not chasing 10 tabs of configs...along with 10 tabs of re:Post articles? All at the low low starting price of ~$15/day. Insanity.

1 Answer

Hello,

Looking at the error, this seems to be an issue with the Secrets Manager ARN. Are you certain that the ARN is right?

Here is a blog post and the documentation, so you can validate that you followed the same steps, although the policy seems right.

https://aws.amazon.com/blogs/database/manage-your-aws-dms-endpoint-credentials-with-aws-secrets-manager/

https://docs.aws.amazon.com/dms/latest/userguide/security_iam_secretsmanager.html

You can also check manually whether you are able to retrieve the secret using the CLI, just to be sure the secret ARN is right.

Here is one link for your reference: https://aws.amazon.com/blogs/security/how-to-connect-to-aws-secrets-manager-service-within-a-virtual-private-cloud/

Thanks, Jitender

AWS
answered a year ago
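The thread raises two separate questions: can the replication instance reach Secrets Manager at all (the `curlCode: 7` part of the message), and does the access role's policy actually cover the secret ARN? The helper below triages both offline from the error text and the policy document; it is an added example, not code from the thread or from AWS, and the account ID, secret ARN and policy it checks are constructed placeholders.

```python
import fnmatch
import json
import re

# libcurl error 7 is CURLE_COULDNT_CONNECT: the TCP/TLS connection to the Secrets
# Manager endpoint never came up, so the access role's policy was never evaluated.
CURL_COULDNT_CONNECT = 7
SECRET_ARN_RE = re.compile(r"^arn:aws:secretsmanager:[a-z0-9-]+:\d{12}:secret:[^:]+$")

# Constructed sample values (not from the thread): a fake account and secret ARN.
SAMPLE_SECRET_ARN = "arn:aws:secretsmanager:us-east-1:123456789012:secret:mysql-admin-AbCdEf"
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue",
     "Resource": [SAMPLE_SECRET_ARN]},
    {"Effect": "Allow", "Action": ["kms:Decrypt", "kms:DescribeKey"],
     "Resource": "arn:aws:kms:us-east-1:123456789012:key/*"}]})


def classify_error(message: str) -> str:
    """Name the layer that failed, judging from the DMS test-connection message."""
    m = re.search(r"curlCode:\s*(\d+)", message)
    if m and int(m.group(1)) == CURL_COULDNT_CONNECT:
        return "network"  # check VPC endpoint subnets, private DNS, SG port 443
    if "AccessDenied" in message or "not authorized" in message:
        return "iam"  # the service was reached; the role or the KMS key denied
    return "unknown"


def policy_problems(policy_text: str, secret_arn: str) -> list:
    """Return the problems found in the access-role policy (empty list = ok)."""
    try:
        policy = json.loads(policy_text)
    except json.JSONDecodeError as exc:  # e.g. a trailing comma inside "Resource"
        return [f"policy is not valid JSON: {exc.msg} at line {exc.lineno}"]
    problems = [] if SECRET_ARN_RE.match(secret_arn) else ["secret ARN is not a full Secrets Manager secret ARN"]
    allows_secret = allows_kms = False
    as_list = lambda v: v if isinstance(v, list) else [v]  # IAM accepts a string or an array
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions, resources = as_list(stmt.get("Action", [])), as_list(stmt.get("Resource", []))
        # IAM resource wildcards (* and ?) behave like shell globs; ARNs contain no [ ].
        if "secretsmanager:GetSecretValue" in actions and any(
                fnmatch.fnmatchcase(secret_arn, r) for r in resources):
            allows_secret = True
        if "kms:Decrypt" in actions:
            allows_kms = True
    if not allows_secret:
        problems.append("no Allow for secretsmanager:GetSecretValue on the secret ARN")
    if not allows_kms:
        problems.append("no kms:Decrypt for the KMS key that protects the secret")
    return problems
```

Run `policy_problems` against the policy attached to the DMS access role and the exact ARN configured on the endpoint; a "network" classification points at the VPC endpoint, DNS, security group or route rather than at IAM.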
