
DMS can't create the data collector (IAM correctly created)

1

Hello, We have a hard time setting a DMS "Data Collector". It's the first time we use this service and there is probably something we don't get but it's not obvious.

We selected an existing S3 bucket and an IAM role that fit. To be precise, we created an IAM role with the policy "DMS - Fleet Advisor", as suggested in the documentation and in the "read more" link from the error message we always get. All the documentation and videos we found also go in that direction. It seems it's not supposed to be more complicated than just adding the correct IAM role. But in all cases, we always get this message:

DMS can't create the data collector The DMS console uses AWS Identity and Access Management (IAM) policies for better security and flexibility. Some of your actions are currently restricted by these policies. Create the service-linked role for DMS Fleet Advisor to use all features of the DMS data collector. Contact your AWS administrator if you need help.

I would like to know if there is another aspect to handle. Maybe in the bucket itself? (All public access is blocked, but that seems logical.)

Any help to understand this is very welcome.

Nicolas,

4 Answers
1

Hello.

Have you created the DMS Fleet service-linked role correctly?
I think the service-linked role needs to have the following trust policy set.
https://docs.aws.amazon.com/dms/latest/userguide/slr-services-fa.html#create-slr-fa

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "dms.amazonaws.com",
          "dms-fleet-advisor.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EXPERT
answered a year ago
EXPERT
reviewed a year ago
  • Yes, my policy is exactly like that.

    The steps I follow are really simple:

    • I create a new role
    • I choose "AWS Service" as Trusted entity type
    • in the select, I choose "DMS - Fleet Advisor"
    • then I validate and save the configuration.

    I checked the policy applied with this configuration and it's indeed exactly the same JSON as yours.

1

This does not work for me either.

I followed the guide here: https://docs.aws.amazon.com/dms/latest/userguide/fa-resources.html and created the roles via CloudFormation (thus they should be 100% correct!).

Now, regardless of whether I choose the FleetAdvisorS3Role or the AWSServiceRoleForDMSFleetAdvisor role to create the collector, I receive the same error.

And since there are no real details as to exactly what is broken, it is impossible to triage and fix.

answered a year ago
1

So, as I was playing with other areas of DMS (setting up a source endpoint using secrets in Secrets Manager), it yelped with a PROPER error message for the role I created to grant access to the secret. It stated it needed DMS trust access to dms.us-east-1.amazonaws.com!

So I added that domain to the list of Principal Services in the FleetAdvisorS3Role and it actually worked and created the collector.

Can we have the documentation updated to reflect this need of having the service with the region in the domain as being required?

answered a year ago
0

I also struggled with documentation.

  • Have used the CloudFormation: https://docs.aws.amazon.com/dms/latest/userguide/samples/dms-fleetadvisor-iam-slr-s3.zip
  • Wanted to create the data collector, but got a very general error message
  • And as described by Edwards, extending FleetAdvisorS3Role helped: console.aws.amazon.com/iam/home?region=eu-central-1#/roles/details/FleetAdvisorS3Role-eu-central-1?section=trust_relationships
  • So please adapt the CloudFormation templates or documentation here.
answered a year ago
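
The trust-policy change reported in the third and fourth answers, as an added example that is not part of the original thread or any AWS code: it checks a role's trust policy for the service principals named on this page and returns a copy with the missing ones added. The regional principal `dms.<region>.amazonaws.com` is an assumption taken from those answers; the function names and the sample policy are constructed for illustration.

```python
import copy

# Principals from the trust policy quoted in the first answer.
BASE_PRINCIPALS = ["dms.amazonaws.com", "dms-fleet-advisor.amazonaws.com"]

def required_principals(region):
    # Assumption from the third answer: the regional DMS principal is also needed.
    return BASE_PRINCIPALS + [f"dms.{region}.amazonaws.com"]

def _as_list(value):
    # IAM accepts a single value or a list for Statement, Action and Service.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _assume_role_statements(policy):
    # Only Allow statements granting sts:AssumeRole to a principal map count.
    for stmt in _as_list(policy.get("Statement")):
        if (stmt.get("Effect") == "Allow"
                and "sts:AssumeRole" in _as_list(stmt.get("Action"))
                and isinstance(stmt.get("Principal"), dict)):
            yield stmt

def missing_principals(policy, region):
    trusted = set()
    for stmt in _assume_role_statements(policy):
        trusted.update(_as_list(stmt["Principal"].get("Service")))
    return [p for p in required_principals(region) if p not in trusted]

def patched_policy(policy, region):
    # Work on a copy so the caller can diff before and after.
    fixed = copy.deepcopy(policy)
    missing = missing_principals(fixed, region)
    if missing:
        stmt = next(_assume_role_statements(fixed), None)
        if stmt is None:
            raise ValueError("no Allow statement for sts:AssumeRole to extend")
        current = _as_list(stmt["Principal"].get("Service"))
        stmt["Principal"]["Service"] = current + missing
    return fixed

# Constructed sample: the trust policy from the first answer.
SAMPLE = {"Version": "2012-10-17", "Statement": [{
    "Sid": "", "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"Service": ["dms.amazonaws.com",
                              "dms-fleet-advisor.amazonaws.com"]}}]}

if __name__ == "__main__":
    print("missing:", missing_principals(SAMPLE, "us-east-1"))
    print(patched_policy(SAMPLE, "us-east-1")["Statement"][0]["Principal"])
```

Pass only the region the collector runs in, so the role trusts no more principals than needed; the patched document can then be applied with `aws iam update-assume-role-policy`.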
