Configure S3 access permissions for an offline source
When you create an offline source data provider, you provide an IAM role ARN (S3AccessRoleArn)
that allows DMS Schema Conversion to read DDL scripts from your S3 bucket. DMS assumes this role
to access the files at the S3 path you specify.
To configure S3 permissions for an offline source
-
Create an IAM role with a trust policy that allows the DMS service principal to assume it. Use the following trust policy:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "dms.amazonaws.com" }, "Action": "sts:AssumeRole" } ] } -
Attach a permissions policy to the role that grants read access to your S3 bucket. The role requires the following permissions:
Required S3 permissions Action Purpose s3:GetObjectRead DDL script file content from the bucket s3:ListBucketList objects under the specified prefix to discover database directories and .sqlfilesNote
If your S3 bucket uses server-side encryption with AWS KMS (SSE-KMS), add
kms:Decryptpermission for the KMS key to the IAM role. If your bucket uses default Amazon S3 managed encryption (SSE-S3) or is not encrypted, no additional permissions are needed.The following example policy grants these permissions scoped to a specific bucket and prefix:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/prefix/*" }, { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::amzn-s3-demo-bucket" } ] }Replace
amzn-s3-demo-bucketandprefixwith your bucket name and the path to your DDL scripts. -
When you create the offline source data provider, provide the role ARN as the
S3AccessRoleArnparameter and the S3 location of your DDL scripts as theS3Pathparameter.
Note
The IAM role must be in the same AWS account as the DMS resources. Cross-account S3 access is not supported for offline source data providers.