One DMS Endpoint is Failing to Find Existing Secret

0

There are many DMS endpoints that are able to access RDS instances using a Secrets Manager secret.

There is one endpoint that is configured like all the rest; however, when the test-connection command is issued, the result is an error:

Test Endpoint failed: Application-Status: 1020912, Application-Message: Cannot connect to SQL Server Unable to find Secrets Manager secret, Application-Detailed-Message: Failed to retrieve secret. Unable to find AWS Secrets Manager secret Arn 'arn:aws:secretsmanager:us-east-1:XXXXXXXXX:secret:XXX-tsm-rpt-blu-use1-rds-master-secret-Jkf6ugXj-vFN1l7'

Another task using the same endpoint failed with a slightly different error:

Test Endpoint failed: Application-Status: 1020912, Application-Message: Cannot connect to SQL Server Unable to find Secrets Manager secret, Application-Detailed-Message: Failed to retrieve secret. Unable to find AWS Secrets Manager secret Arn 'arn:aws:secretsmanager:us-east-1:XXXX:secret:XXX-tsm-rpt-blu-use1-rds-master-secret-Jkf6ugXj-vFN1l7' The secrets_manager get secret value failed: curlCode: 7, Couldn't connect to server Too many retries: curlCode: 7, Couldn't connect to server

The list-secrets command returns a secret with the ARN used in the failing endpoint:

aws secretsmanager list-secrets

...
{
    "ARN": "arn:aws:secretsmanager:us-east-1:XXXX:secret:XXX-tsm-rpt-blu-use1-rds-master-secret-Jkf6ugXj-vFN1l7",
    "Name": "XXX-tsm-rpt-blu-use1-rds-master-secret-Jkf6ugXj",
    ...
}
...

The get-secret-value command returns the value of the secret:

aws secretsmanager get-secret-value --secret-id XXX-tsm-rpt-blu-use1-rds-master-secret-Jkf6ugXj

{
    "ARN": "arn:aws:secretsmanager:us-east-1:986204609104:secret:crem-tsm-rpt-blu-use1-rds-master-secret-Jkf6ugXj-vFN1l7",
    "Name": "crem-tsm-rpt-blu-use1-rds-master-secret-Jkf6ugXj",
    "VersionId": "52C346EC-13B1-46A8-946E-665C3B1559CF",
    ...
}

I don't think this is a network configuration issue because I would expect to see a timeout error, plus other endpoints are able to retrieve the secret.

Any ideas on what the issue could be?

Here is the policy being used for this:

{
    "Statement": [
        {
            "Action": "secretsmanager:GetSecretValue",
            "Effect": "Allow",
            "Resource": "arn:aws:secretsmanager:us-east-1:xxxx:secret:xxx-tsm-rpt-blu-use1-rds-master-secret-Jkf6ugXj-vFN1l7"
        },
        {
            "Action": [
                "kms:Decrypt",
                "kms:DescribeKey"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:kms:us-east-1:xxxx:key/xxxx"
        }
    ],
    "Version": "2012-10-17"
}

There is an IAM role with the above policy attached and the following assume role policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "Service": "dms.us-east-1.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

The IAM role above is attached to the DMS endpoint.

There also exists a well-configured VPC endpoint for com.amazonaws.us-east-1.secretsmanager.

Other endpoints, configured the same way, are able to access the RDS instances without error.

1 Answer
1
Accepted Answer

Hi,

The first thing to check is the DMS IAM policy: the secret:getSecret must be specified. If you work in a private network, do not forget to create a Secrets Manager endpoint. This should fix your issue.

Melfani
answered a year ago
  • I updated the question with policy attachments, and a VPC endpoint for secretsmanager is being used.

  • Have you tried to specify the ARN of the secret without the characters added automatically to the name?

  • I will try that. I am going to leave this open for a bit; however, it is more than likely that something is not well configured. Another endpoint using the same secret returned a similar error, but the following was appended: "Couldn't connect to server". The first error did not have that appendage, hence my question.

  • There are just many parts. In this one particular AWS account there are three separate environments, separated and maintained by tagging and resource naming. One of the environments' DMS security group was not attached as an inbound source to the shared Secrets Manager security group :/ Thanks for making me think about it a bit more.
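The thread above ends with two distinct checks: whether the IAM policy's Resource actually matches the full secret ARN (including the random suffix Secrets Manager appends), and whether a security group on the Secrets Manager VPC endpoint admits TCP 443 from the DMS replication instance's security group. The script below is an added example, not code from the question or answer; it runs offline over constructed sample data (placeholder account id, secret name and sg-* ids) shaped like `aws iam get-policy-version` and `aws ec2 describe-security-groups` output.

```python
from fnmatch import fnmatchcase

GET_SECRET = "secretsmanager:GetSecretValue"

def _as_list(v):
    return [v] if isinstance(v, str) else list(v or [])

def policy_allows_get_secret(policy, secret_arn):
    """True if an Allow statement grants GetSecretValue on the full secret ARN.
    IAM wildcards (* and ?) are approximated with fnmatch; Deny is ignored."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if any(fnmatchcase(GET_SECRET, a) for a in _as_list(stmt.get("Action"))) \
                and any(fnmatchcase(secret_arn, r) for r in _as_list(stmt.get("Resource"))):
            return True
    return False

def rule_admits_https_from(rule, source_sg_id):
    """True if one IpPermissions entry covers TCP/443 sourced from source_sg_id."""
    proto = rule.get("IpProtocol")
    if proto == "tcp":
        in_port = rule.get("FromPort", 0) <= 443 <= rule.get("ToPort", 65535)
    elif proto == "-1":  # all traffic
        in_port = True
    else:
        return False
    return in_port and any(p.get("GroupId") == source_sg_id
                           for p in rule.get("UserIdGroupPairs", []))

def endpoint_admits_dms(endpoint_sgs, dms_sg_id):
    """True if any security group on the VPC endpoint admits HTTPS from the DMS SG."""
    return any(rule_admits_https_from(r, dms_sg_id)
               for sg in endpoint_sgs for r in sg.get("IpPermissions", []))

# Constructed sample data (placeholder account and ids): the shared endpoint SG lists
# two environments' DMS SGs, but the third (sg-dms-green) was never added.
SECRET_ARN = "arn:aws:secretsmanager:us-east-1:111122223333:secret:example-rds-master-secret-AbCdEf"
POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": GET_SECRET,
    "Resource": "arn:aws:secretsmanager:us-east-1:111122223333:secret:example-rds-master-secret-??????"}]}
ENDPOINT_SGS = [{"GroupId": "sg-secretsmanager", "IpPermissions": [{
    "IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
    "UserIdGroupPairs": [{"GroupId": "sg-dms-blue"}, {"GroupId": "sg-dms-red"}]}]}]

if __name__ == "__main__":
    print("policy grants GetSecretValue:", policy_allows_get_secret(POLICY, SECRET_ARN))
    for sg in ("sg-dms-blue", "sg-dms-green"):
        print(sg, "admitted by endpoint SG:", endpoint_admits_dms(ENDPOINT_SGS, sg))
```

A "Couldn't connect to server" (curl code 7) from the replication instance points at the second check, since an IAM mismatch returns an API error rather than a failed TCP connection.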
