View a markdown version of this page

Complete prerequisites for working with DMS Schema Conversion - AWS Database Migration Service

Complete prerequisites for working with DMS Schema Conversion

Before you create an instance profile, add data providers, and create a migration project, complete the following prerequisite tasks. These tasks configure the AWS resources that DMS Schema Conversion needs, such as a VPC, an Amazon S3 bucket, AWS Secrets Manager secrets, and IAM roles with permissions policies.

Console automates resource creation

When you create a migration project using the AWS Management Console, AWS DMS can automatically create the required IAM roles and Amazon S3 bucket on your behalf. If you prefer to create these resources manually, or if you use the AWS CLI or API, complete the following steps. For more information about creating migration projects, see Creating migration projects.

Configure VPC, Amazon S3, and Secrets Manager

Before you create IAM roles and policies, you need the following AWS resources for your migration project.

Amazon Virtual Private Cloud

You need a VPC with connectivity to your source and target databases from subnets in at least two Availability Zones. You can use an existing VPC that meets these requirements, or create a new one, for example named sc-vpc. For more information about network configuration, see Setting up a network for DMS Schema Conversion.

Amazon S3

You need an Amazon S3 bucket with versioning enabled to store assessment reports, converted SQL code, and database schema metadata. Create an Amazon S3 bucket in the same Region as your migration project, for example named amzn-s3-demo-bucket, or use an existing bucket that meets these requirements. DMS Schema Conversion supports only Amazon S3 buckets that use Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3). DMS Schema Conversion doesn't support SSE-KMS, SSE-C, or Client-Side Encryption. For instructions on creating a bucket, see Creating a bucket in the Amazon S3 User Guide.

AWS Secrets Manager

Create JSON secrets in AWS Secrets Manager that contain username and password key-value pairs for your source and target databases, for example named sc-source-secret and sc-target-secret. Your secrets must be in the same AWS Region as your migration project. If you already have secrets that meet these requirements, you can reuse them. For instructions on creating secrets, see Create an AWS Secrets Manager secret in the AWS Secrets Manager User Guide.

Create IAM roles and policies

To use DMS Schema Conversion, create the following five IAM roles. Each role must use a trust policy that allows the AWS DMS service to assume the role.

Role name Permissions policy
sc-s3-role

Allows DMS Schema Conversion to store assessment reports, converted SQL code, and metadata in the Amazon S3 bucket:

{ "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:ListBucket", "s3:GetBucketLocation", "s3:GetBucketVersioning" ], "Resource": "arn:aws:s3:::amzn-s3-demo-bucket", "Condition": { "StringEquals": { "aws:ResourceAccount": "111122223333" } } }, { "Effect": "Allow", "Action": [ "s3:PutObject", "s3:GetObject", "s3:GetObjectVersion" ], "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*", "Condition": { "StringEquals": { "aws:ResourceAccount": "111122223333" } } } ] }
sc-source-secret-role

Allows DMS Schema Conversion to retrieve your source database credentials:

{ "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret" ], "Resource": "arn:aws:secretsmanager:us-east-1:111122223333:secret:sc-source-secret*" } ] }
sc-target-secret-role

Allows DMS Schema Conversion to retrieve your target database credentials:

{ "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret" ], "Resource": "arn:aws:secretsmanager:us-east-1:111122223333:secret:sc-target-secret*" } ] }
dms-vpc-role

AmazonDMSVPCManagementRole (AWS managed policy). See Creating the IAM roles to use with AWS DMS.

dms-cloudwatch-logs-role

AmazonDMSCloudWatchLogsRole (AWS managed policy). See Creating the IAM roles to use with AWS DMS.

Each role requires the following trust policy:

{ "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "dms.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }

To create these resources, first create the policies, then create the roles and attach the corresponding policies. For instructions, see Creating IAM policies and Creating a role for an AWS service in the IAM User Guide.