AWS DMS Endpoint Password Rotation - Secrets Manager

Question

We store our passwords for our endpoints in secrets manager. These rotate every 7 days. We are noticing when the password rotates, the CDC then fails.

Is there a way to keep DMS updated with secrets manager, so when the password rotates, it updates in DMS and replication continues?

Florian Turnwald · Answer

EventBridge and Lambda will work, however AWS also provides native integration between DMS and Secrets Manager that handles rotations automatically without the need for manual task restarts or custom scripts.

**1. Use Native Secrets Manager Integration**

Instead of providing static credentials, you should configure your DMS Endpoint to use the Secret ARN directly. When the password rotates, DMS is designed to fetch the updated secret automatically.
- In the DMS Console, go to your Endpoint settings.
- Select "Use AWS Secrets Manager".
- Provide the Secret ID (ARN) and an IAM Role that has the secretsmanager:GetSecretValue permission.

**2. Ensure Correct IAM Permissions**

For this to work seamlessly during a rotation, the IAM role associated with the DMS instance must have a policy similar to this:

```

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "secretsmanager:GetSecretValue",
            "Resource": "arn:aws:secretsmanager:region:account:secret:secret-id"
        }
    ]
}

```
Benefit to the Solution with Lambda:
- No Downtime: You avoid the "stop and start" cycle which can take several minutes.
- Less Maintenance: You don't have to manage Lambda code or EventBridge triggers.
- Native Scaling: DMS handles the retrieval logic internally when a connection failure occurs due to an expired password.

Florian Turnwald · Answer

Regarding your last question - comment:

To use the native integration in Terraform, you need to replace the standard credential arguments in your aws_dms_endpoint resource with secrets_manager_arn and secrets_manager_access_role_arn.
Here is the required configuration:

**1. Update the DMS Endpoint**

Ensure you remove username and password fields to avoid conflicts.

```
resource "aws_dms_endpoint" "example" {
  endpoint_id   = "my-endpoint-id"
  endpoint_type = "source"
  engine_name   = "postgres" # or your engine

# Native integration
  secrets_manager_arn             = "arn:aws:secretsmanager:region:account:secret:name"
  secrets_manager_access_role_arn = aws_iam_role.dms_secrets_role.arn
}
```

**2. IAM Role for DMS**

DMS needs a trust relationship to assume the role and a policy to read the secret.

```
resource "aws_iam_role" "dms_secrets_role" {
  name = "dms-secrets-access-role"

assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Action = "sts:AssumeRole"
      Effect = "Allow"
      Principal = { Service = "dms.amazonaws.com" }
    }]
  })
}

resource "aws_iam_role_policy" "dms_secrets_policy" {
  role = aws_iam_role.dms_secrets_role.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = "secretsmanager:GetSecretValue"
      Resource = "arn:aws:secretsmanager:region:account:secret:name"
    }]
  })
}
```

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dms_endpoint#secrets_manager_arn

PS: Make sure your secret is stored in the standard JSON format (including username, password, host, and port) so DMS can map the fields automatically.

SHAJAM · Answer

I think you will need to stop and start the DMS task. The easiest way to achieve this is to EventBridge and Lambda. In EventBridge, you can check when the password has changed. Then, trigger the Lambda to stop the task. Once the task has stopped, start the task. The DMS task can take a couple of minutes to stop and start.

AWS DMS Endpoint Password Rotation - Secrets Manager

Add your answer

Relevant content