Creating a secret access policy and role - Amazon Relational Database Service

Creating a secret access policy and role

Follow the procedure below to create the secret access policy and role that allow DMS to access the user credentials for your source and target databases.

To create the secret access policy and role that allow Amazon RDS to retrieve the appropriate secret from Amazon Secrets Manager
  1. Sign in to the Amazon Web Services Management Console and open the Amazon Identity and Access Management (IAM) console at https://console.amazonaws.cn/iam/.

  2. Choose Policies, then choose Create policy.

  3. Choose JSON and enter the following policy to enable access to and decryption of your secret.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "secretsmanager:GetSecretValue",
          "Resource": secret_arn
        },
        {
          "Effect": "Allow",
          "Action": [
            "kms:Decrypt",
            "kms:DescribeKey"
          ],
          "Resource": kms_key_arn
        }
      ]
    }

    Here, secret_arn is the ARN of your secret, which you can get from the SecretsManagerSecretId setting for the source or target database as appropriate, and kms_key_arn is the ARN of the Amazon KMS key that you use to encrypt your secret, as in the following example.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "secretsmanager:GetSecretValue",
          "Resource": "arn:aws:secretsmanager:us-east-2:123456789012:secret:MySQLTestSecret-qeHamH"
        },
        {
          "Effect": "Allow",
          "Action": [
            "kms:Decrypt",
            "kms:DescribeKey"
          ],
          "Resource": "arn:aws:kms:us-east-2:123456789012:key/761138dc-0542-4e58-947f-4a3a8458d0fd"
        }
      ]
    }

    Note

    If you use the default encryption key created by Amazon Secrets Manager, you do not have to specify the Amazon KMS permissions for kms_key_arn.

    If you want your policy to provide access to both the source and target secrets, specify an additional JSON resource object for the other secret_arn.

  4. Review and create the policy with a friendly name and optional description.

  5. Choose Roles, then choose Create role.

  6. Choose Amazon service as the type of trusted entity.

  7. Choose DMS from the list of services as the trusted service, then choose Next: Permissions.

  8. Look up and attach the policy you created in step 4, then proceed through adding any tags and review your role. At this point, edit the trust relationships for the role to use your Amazon RDS regional service principal as the trusted entity. This principal has the following format.

    dms.region-name.amazonaws.com

    Here, region-name is the name of your region, such as us-east-1. Thus, the service principals for this region are as follows.

    dms.us-east-1.amazonaws.com
    dms-data-migrations.amazonaws.com
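The following script is an added example and is not part of the AWS documentation or any AWS tool. It generates the two JSON documents the procedure above asks you to type by hand: the permissions policy from step 3 (one or more secret ARNs, with the KMS statement omitted when the default Secrets Manager key is used, as the note says) and the trust policy from step 8 (naming the regional service principal and dms-data-migrations.amazonaws.com). It also runs a small least-privilege check that flags any Allow statement whose Action or Resource contains a wildcard. The ARN and Region regular expressions, the `aws`/`aws-cn` partition handling, and the function names are assumptions made for this example; the sample ARNs are the constructed values from the example policy above.

```python
# Added example (not from the AWS documentation): build and sanity-check the
# permissions policy and trust policy described in the procedure above.
# Assumptions: the regexes below describe standard Secrets Manager / KMS ARN
# shapes; the trust policy names the two service principals listed in step 8.
import json
import re

# Accept the "aws" and "aws-cn" partitions; adjust if you use another one.
SECRET_ARN_RE = re.compile(
    r"^arn:aws(?:-cn)?:secretsmanager:[a-z0-9-]+:\d{12}:secret:[^:]+$"
)
KMS_KEY_ARN_RE = re.compile(
    r"^arn:aws(?:-cn)?:kms:[a-z0-9-]+:\d{12}:key/[0-9a-f-]{36}$"
)
REGION_RE = re.compile(r"^[a-z]{2}(?:-[a-z]+)+-\d$")


def build_secret_access_policy(secret_arns, kms_key_arn=None):
    """Return the permissions policy (step 3) as a dict.

    secret_arns -- one ARN per secret; pass the source and target secret ARNs
                   together to cover both databases with a single policy.
    kms_key_arn -- ARN of the customer managed KMS key that encrypts the
                   secrets, or None when the Secrets Manager default key is
                   used (then no KMS statement is needed, per the note above).
    """
    if not secret_arns:
        raise ValueError("at least one secret ARN is required")
    for arn in secret_arns:
        if not SECRET_ARN_RE.match(arn):
            raise ValueError(f"not a Secrets Manager secret ARN: {arn!r}")
    statements = [
        {
            "Effect": "Allow",
            "Action": "secretsmanager:GetSecretValue",
            # A single ARN stays a string; several become a list, as IAM allows.
            "Resource": secret_arns[0] if len(secret_arns) == 1 else list(secret_arns),
        }
    ]
    if kms_key_arn is not None:
        if not KMS_KEY_ARN_RE.match(kms_key_arn):
            raise ValueError(f"not a KMS key ARN: {kms_key_arn!r}")
        statements.append(
            {
                "Effect": "Allow",
                "Action": ["kms:Decrypt", "kms:DescribeKey"],
                "Resource": kms_key_arn,
            }
        )
    return {"Version": "2012-10-17", "Statement": statements}


def build_trust_policy(region_name):
    """Return the role trust policy (step 8) naming the regional principal."""
    if not REGION_RE.match(region_name):
        raise ValueError(f"not a Region name: {region_name!r}")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "Service": [
                        f"dms.{region_name}.amazonaws.com",
                        "dms-data-migrations.amazonaws.com",
                    ]
                },
                "Action": "sts:AssumeRole",
            }
        ],
    }


def find_wildcards(policy):
    """Return findings for Allow statements whose Action or Resource contains
    '*'. An empty list means every grant is scoped to a named resource."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for field in ("Action", "Resource"):
            values = stmt.get(field, [])
            if isinstance(values, str):
                values = [values]
            for v in values:
                if "*" in v:
                    findings.append(f"Statement[{i}].{field} contains wildcard: {v}")
    return findings


if __name__ == "__main__":
    # Constructed sample values, taken from the example policy above.
    secret = "arn:aws:secretsmanager:us-east-2:123456789012:secret:MySQLTestSecret-qeHamH"
    key = "arn:aws:kms:us-east-2:123456789012:key/761138dc-0542-4e58-947f-4a3a8458d0fd"
    policy = build_secret_access_policy([secret], key)
    print(json.dumps(policy, indent=2))
    print(json.dumps(build_trust_policy("us-east-2"), indent=2))
    print("wildcard findings:", find_wildcards(policy) or "none")
```

Paste the first printed document into the JSON editor in step 3 and the second into the role's trust relationships in step 8. The wildcard check is deliberately strict: a Resource such as `secret:MySQLTestSecret-*` would let the role read any secret whose name starts with that prefix, so prefer the full ARN with its random suffix, as in the example above.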