Creating a secret access policy and role - Amazon Aurora

Creating a secret access policy and role

Follow the procedure below to create the secret access policy and role that allow DMS to retrieve the user credentials for your source and target databases from AWS Secrets Manager.

To create the secret access policy and role, which allow Amazon RDS to access AWS Secrets Manager and retrieve the appropriate secret
  1. Sign in to the AWS Management Console and open the AWS Identity and Access Management (IAM) console at https://console.aws.amazon.com/iam/.

  2. Choose Policies, then choose Create policy.

  3. Choose JSON and enter the following policy to enable access to and decryption of your secret.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "secretsmanager:GetSecretValue",
          "Resource": secret_arn
        },
        {
          "Effect": "Allow",
          "Action": [
            "kms:Decrypt",
            "kms:DescribeKey"
          ],
          "Resource": kms_key_arn
        }
      ]
    }

    Here, secret_arn is the ARN of your secret, which you can get from the SecretsManagerSecretId value as appropriate, and kms_key_arn is the ARN of the AWS KMS key that you use to encrypt your secret, as in the following example.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "secretsmanager:GetSecretValue",
          "Resource": "arn:aws:secretsmanager:us-east-2:123456789012:secret:MySQLTestSecret-qeHamH"
        },
        {
          "Effect": "Allow",
          "Action": [
            "kms:Decrypt",
            "kms:DescribeKey"
          ],
          "Resource": "arn:aws:kms:us-east-2:123456789012:key/761138dc-0542-4e58-947f-4a3a8458d0fd"
        }
      ]
    }

    Note

    If you use the default encryption key created by AWS Secrets Manager, you do not have to specify the AWS KMS permissions for kms_key_arn.

    If you want your policy to provide access to both the source and target secrets, specify an additional JSON resource object for the other secret_arn.

  4. Review and create the policy with a friendly name and optional description.

  5. Choose Roles, then choose Create role.

  6. Choose AWS service as the type of trusted entity.

  7. Choose DMS from the list of services as the trusted service, then choose Next: Permissions.

  8. Look up and attach the policy you created in step 4, then proceed through adding any tags and review your role. At this point, edit the trust relationships for the role to use your Amazon RDS regional service principal as the trusted entity. This principal has the following format.

    dms.region-name.amazonaws.com

    Here, region-name is the name of your region, such as us-east-1. Thus, an Amazon RDS regional service principal for this region follows.

    dms.us-east-1.amazonaws.com

    dms-data-migrations.amazonaws.com
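The policy from step 3 and the trust relationship from step 8 can be generated rather than hand-edited, which avoids the two easy mistakes in this procedure: forgetting the second secret's resource object, and leaving a KMS statement in place when the Secrets Manager default key is in use. The following is an added example, not code from the AWS documentation; the ARNs and region names it is called with are constructed placeholders, and the trust policy uses the standard sts:AssumeRole statement for a service principal.

```python
"""Generate the DMS secret-access policy and the role trust policy."""
import json
import re

# Loose shape check for Secrets Manager and KMS ARNs (partition, service, region, account).
ARN_RE = re.compile(r"^arn:aws[a-z-]*:(secretsmanager|kms):[a-z0-9-]+:\d{12}:.+$")
REGION_RE = re.compile(r"^[a-z]{2}(-[a-z]+)+-\d$")  # e.g. us-east-1, us-gov-west-1


def secret_access_policy(secret_arns, kms_key_arn=None):
    """Return the identity policy as a dict.

    One secretsmanager:GetSecretValue statement is emitted per secret ARN, so
    passing both the source and target secret covers the note above. The KMS
    statement is emitted only when a customer managed key ARN is given; with
    the Secrets Manager default key (kms_key_arn=None) no KMS grant is needed.
    """
    if isinstance(secret_arns, str):
        secret_arns = [secret_arns]
    for arn in list(secret_arns) + ([kms_key_arn] if kms_key_arn else []):
        if not ARN_RE.match(arn):
            raise ValueError(f"not a Secrets Manager or KMS ARN: {arn}")
    statements = [
        {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue", "Resource": arn}
        for arn in secret_arns
    ]
    if kms_key_arn:
        statements.append({"Effect": "Allow",
                           "Action": ["kms:Decrypt", "kms:DescribeKey"],
                           "Resource": kms_key_arn})
    return {"Version": "2012-10-17", "Statement": statements}


def dms_trust_policy(region):
    """Return the trust policy that names the regional DMS service principal."""
    if not REGION_RE.match(region):
        raise ValueError(f"not an AWS region name: {region}")
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Principal": {"Service": f"dms.{region}.amazonaws.com"},
                           "Action": "sts:AssumeRole"}]}


if __name__ == "__main__":
    # Constructed placeholder ARNs; replace with your own secret and key ARNs.
    src = "arn:aws:secretsmanager:us-east-1:123456789012:secret:SourceDbSecret-AbCdEf"
    tgt = "arn:aws:secretsmanager:us-east-1:123456789012:secret:TargetDbSecret-GhIjKl"
    print(json.dumps(secret_access_policy([src, tgt]), indent=2))  # default key: no KMS statement
    print(json.dumps(dms_trust_policy("us-east-1"), indent=2))
```

Paste the first document into the JSON editor in step 3 and the second into the role's trust relationship in step 8; the key-less form is what the note above describes for the default encryption key.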