Replication Instance Fails to Connect to DMS Migration Endpoint

0

I am trying to use the Database Migration Service to move data between an RDS instance and Redshift.

Everything is configured on the same private subnet and same security group.

My target endpoint is the redshift cluster whose auth is protected via AWS Secrets Manager. The private subnet is having an issue communicating with AWS Secrets Manager because it does not live within the private subnet.

I have created a VPC endpoint, assigned to the same security group and added an inbound traffic rule to my security group that says allow Https traffic from this security group.

I get an error when testing the connection between the target endpoint and the Replication Instance: "Test Endpoint failed: Application-Status: 1020912, Application-Message: Failed in prepare imp for Redshift Failed to fetch Secrets Manager secret contents, possible reasons are missing secret attribute key or value, Application-Detailed-Message: Failed to retrieve secret. Failed to fetch Secrets Manager secret Arn 'REDACTED' contents, possible reasons are missing secret attribute key or value"

The secret it is trying to access is the one created by Redshift itself, I copied the full ARN. The role of the target endpoint is configured to allow GetSecretValue policy for this secret ARN as well.

2 Answers
2
Accepted Answer

The below document provides comprehensive guidance on setting up AWS DMS to securely access secrets stored in AWS Secrets Manager from within a private subnet, ensuring secure and reliable database migration operations. https://docs.aws.amazon.com/dms/latest/userguide/security_iam_secretsmanager.html

AWS EXPERT
answered 4 months ago
1

Ensure that the IAM role assumed by the replication instance has sufficient permissions to access the secret in AWS Secrets Manager. Specifically, the role must have the secretsmanager:GetSecretValue permission for the secret ARN. Double-check the policy attached to the role to confirm this permission is granted.

AWS EXPERT
answered 4 months ago
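
As an added example (not from either answer, and not AWS tooling), an offline check of the two things the error message and the second answer point at: whether the role's permission policy actually grants secretsmanager:GetSecretValue on the secret ARN, and whether the secret payload carries the keys DMS needs. The ARN, policy and secret payloads are constructed samples, and the required key set (username, password, host, port) is an assumption taken from the linked DMS guide.

```python
import fnmatch
import json

# Constructed sample values (not real resources): the secret ARN the target
# endpoint references and the permission policy attached to its IAM role.
SECRET_ARN = "arn:aws:secretsmanager:us-east-1:123456789012:secret:redshift-admin-AbCdEf"
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["secretsmanager:GetSecretValue"],
         "Resource": SECRET_ARN},
    ],
}

# Keys DMS expects in the secret (assumption based on the linked DMS guide).
REQUIRED_SECRET_KEYS = {"username", "password", "host", "port"}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def allows_get_secret_value(policy: dict, secret_arn: str) -> bool:
    """True if an Allow statement grants secretsmanager:GetSecretValue on secret_arn.

    Handles IAM's * and ? wildcards in Action and Resource. Explicit Deny
    statements, Condition blocks and the secret's resource policy are not modelled.
    """
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]  # IAM actions are case-insensitive
        resources = _as_list(stmt.get("Resource"))
        if any(fnmatch.fnmatchcase("secretsmanager:getsecretvalue", a) for a in actions) \
                and any(fnmatch.fnmatchcase(secret_arn, r) for r in resources):
            return True
    return False


def missing_secret_keys(secret_string: str) -> set:
    """Required keys that are absent or empty in the secret's JSON payload."""
    data = json.loads(secret_string)
    return {k for k in REQUIRED_SECRET_KEYS if not data.get(k)}


# Constructed secret payloads: one lacking host/port, one complete.
INCOMPLETE_SECRET = json.dumps({"username": "admin", "password": "example-only"})
COMPLETE_SECRET = json.dumps({"username": "admin", "password": "example-only",
                              "host": "cluster.example.com", "port": 5439})
```

Run the same two checks against the real policy document and the secret value you pull with the AWS CLI; a non-empty result from missing_secret_keys matches the "missing secret attribute key or value" wording in the error.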
