Reputation: 1116
I am trying to create a DMS (Database Migration Service) instance but I am getting the following error:
SYSTEM ERROR MESSAGE:The IAM Role arn:aws:iam::<account_id>:role/dms-vpc-role is not configured properly
What role should I create, and what should I assign it to?
Upvotes: 18
Views: 27278
Reputation: 21
For the first time I created an IAM role without granting it to a specific resource. I was very suspicious at first, but I was quite sure that the solution proposed by @Andreu Gallofré would work after verifying with Terraform. For people who are interested in creating dms-vpc-role with Terraform, here is the link: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dms_replication_instance
Upvotes: 0
Reputation: 15936
For those using CloudFormation, here is the YAML version of the template:
    ---
    AWSTemplateFormatVersion: "2010-09-09"
    Description: creates the dms-vpc-role needed for dms subnet groups
    Resources:
      Policy:
        Type: AWS::IAM::ManagedPolicy
        Properties:
          Description: "allows dms vpc management"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: "Allow"
                Resource: "*"
                Action:
                  - ec2:CreateNetworkInterface
                  - ec2:DescribeAvailabilityZones
                  - ec2:DescribeInternetGateways
                  - ec2:DescribeSecurityGroups
                  - ec2:DescribeSubnets
                  - ec2:DescribeVpcs
                  - ec2:DeleteNetworkInterface
                  - ec2:ModifyNetworkInterfaceAttribute
          ManagedPolicyName: dms-vpc-management
      Role:
        Type: "AWS::IAM::Role"
        Properties:
          AssumeRolePolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: "Allow"
                Principal:
                  Service:
                    - "dms.amazonaws.com"
                Action:
                  - "sts:AssumeRole"
          Policies: []
          ManagedPolicyArns:
            - !Ref Policy
          RoleName: dms-vpc-role
Upvotes: 1
Reputation: 1673
Seems like they changed the IAM roles. If anyone is trying to do this now, the simplest solution is to create a replication instance in the AWS console, and the dms-vpc-role will be created automatically.
Then you can delete that temporary instance and run CloudFormation/the AWS CLI to create the instance that you want.
If you want to create the role by hand, the policy attached has to be AmazonDMSVPCManagementRole.
It contains the following permissions:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "ec2:CreateNetworkInterface",
            "ec2:DescribeAvailabilityZones",
            "ec2:DescribeInternetGateways",
            "ec2:DescribeSecurityGroups",
            "ec2:DescribeSubnets",
            "ec2:DescribeVpcs",
            "ec2:DeleteNetworkInterface",
            "ec2:ModifyNetworkInterfaceAttribute"
          ],
          "Resource": "*"
        }
      ]
    }
Upvotes: 21
Reputation: 1116
You will need to allow DMS to assume a role:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": "dms.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }
    aws iam create-role --role-name dms-vpc-role --assume-role-policy-document file:///tmp/dmsAssumeRolePolicyDocument.json
    aws iam attach-role-policy --role-name dms-vpc-role --policy-arn arn:aws:iam::aws:policy/service-role/AmazonDMSVPCManagementRole
Now you can go ahead and create the DMS instance in the console or using the AWS CLI.
Upvotes: 12
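The two answers above boil down to two conditions the role must meet: its trust policy lets dms.amazonaws.com assume it, and it carries the AmazonDMSVPCManagementRole permissions. The following added example (not from any of the answers or from AWS) checks both offline against parsed IAM documents, such as the JSON returned by `aws iam get-role` and `aws iam list-attached-role-policies`; the function and constant names are my own, and the required-action list is taken from the policy shown in the answers.

```python
# Offline check that an existing dms-vpc-role is configured the way DMS expects:
# takes the parsed trust policy and policy lists (as returned by `aws iam get-role`
# and `aws iam list-attached-role-policies`) and reports what is missing.
DMS_SERVICE = "dms.amazonaws.com"
DMS_VPC_POLICY_ARN = "arn:aws:iam::aws:policy/service-role/AmazonDMSVPCManagementRole"
# Actions granted by AmazonDMSVPCManagementRole, as listed in the answers above.
REQUIRED_ACTIONS = {
    "ec2:CreateNetworkInterface", "ec2:DescribeAvailabilityZones",
    "ec2:DescribeInternetGateways", "ec2:DescribeSecurityGroups",
    "ec2:DescribeSubnets", "ec2:DescribeVpcs", "ec2:DeleteNetworkInterface",
    "ec2:ModifyNetworkInterfaceAttribute",
}

def _as_list(value):
    # IAM accepts either a single string or a list in Action/Service/Statement.
    return [] if value is None else (value if isinstance(value, list) else [value])

def trusts_dms(trust_policy):
    """True if an Allow statement lets dms.amazonaws.com call sts:AssumeRole."""
    for stmt in _as_list(trust_policy.get("Statement")):
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if (stmt.get("Effect") == "Allow" and DMS_SERVICE in services
                and "sts:AssumeRole" in _as_list(stmt.get("Action"))):
            return True
    return False

def granted_actions(policy_doc):
    """Actions allowed by a permissions policy (wildcards and Resource are not expanded)."""
    actions = set()
    for stmt in _as_list(policy_doc.get("Statement")):
        if stmt.get("Effect") == "Allow":
            actions.update(_as_list(stmt.get("Action")))
    return actions

def check_dms_vpc_role(trust_policy, attached_policy_arns, inline_policy_docs=()):
    """Return a list of problems; an empty list means the role should satisfy DMS."""
    problems = []
    if not trusts_dms(trust_policy):
        problems.append(f"trust policy does not let {DMS_SERVICE} call sts:AssumeRole")
    if DMS_VPC_POLICY_ARN not in attached_policy_arns:
        # Without the managed policy, a customer policy must grant the same actions.
        granted = set().union(*map(granted_actions, inline_policy_docs))
        missing = sorted(REQUIRED_ACTIONS - granted)
        if missing:
            problems.append("attach AmazonDMSVPCManagementRole; missing: " + ", ".join(missing))
    return problems
```

Feed it the `Role.AssumeRolePolicyDocument` object and the policy ARNs from the CLI output; an empty result means the "not configured properly" error should not be coming from this role.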