Prerequisites for working with DMS Schema Conversion - Amazon Database Migration Service

Prerequisites for working with DMS Schema Conversion

To set up DMS Schema Conversion, complete the following tasks. Then you can set up an instance profile, add data providers, and create a migration project.

Create a VPC based on Amazon VPC

In this step, you create a virtual private cloud (VPC) in your Amazon Web Services account. This VPC is based on the Amazon Virtual Private Cloud (Amazon VPC) service and contains your Amazon resources.

To create a VPC for DMS Schema Conversion
  1. Sign in to the Amazon Web Services Management Console and open the Amazon VPC console at

  2. Choose Create VPC.

  3. On the Create VPC page, enter the following settings:

    • Resources to create – VPC and more

    • Name tag auto-generation – Choose Auto-generate and enter a globally unique name. For example, enter sc-vpc.

    • IPv4 CIDR block – 10.0.1.0/24

    • NAT gateways – In 1 AZ

    • VPC endpoints – None

  4. Keep the rest of the settings as they are, and then choose Create VPC.

  5. Choose Subnets, and note your public and private subnet IDs.

    To connect to your Amazon RDS databases, create a subnet group that includes public subnets.

    To connect to your on-premises databases, create a subnet group that includes private subnets. For more information, see Step 1: Create an instance profile.

  6. Choose NAT gateways. Choose your NAT gateway and note its Elastic IP address.

    Configure your network to make sure that Amazon DMS can access your source on-premises database from this NAT gateway's public IP address. For more information, see Using an internet connection to a VPC.

Use this VPC when you create your instance profile and target databases on Amazon RDS.

Create an Amazon S3 bucket

To store information from your migration project, create an Amazon S3 bucket. DMS Schema Conversion uses this Amazon S3 bucket to save items such as assessment reports, converted SQL code, information about database schema objects, and so on.

To create an Amazon S3 bucket for DMS Schema Conversion
  1. Sign in to the Amazon Web Services Management Console and open the Amazon S3 console at

  2. Choose Create bucket.

  3. On the Create bucket page, select a globally unique name for your S3 bucket. For example, enter sc-s3-bucket.

  4. For Amazon Web Services Region, choose your Region.

  5. For Bucket Versioning, choose Enable.

  6. Keep the rest of the settings as they are, and then choose Create bucket.

Store database credentials in Amazon Secrets Manager

Store your source and target database credentials in Amazon Secrets Manager. Make sure that you replicate these secrets to your Amazon Web Services Region. DMS Schema Conversion uses these secrets to connect to your databases in the migration project.

To store your database credentials in Amazon Secrets Manager
  1. Sign in to the Amazon Web Services Management Console and open the Amazon Secrets Manager console at

  2. Choose Store a new secret.

  3. The Choose secret type page opens. For Secret type, choose the type of database credentials to store:

    • Credentials for Amazon RDS database – Choose this option to store credentials for your Amazon RDS database. For Credentials, enter the credentials for your database. For Database, choose your database.

    • Credentials for other database – Choose this option to store credentials for your source Oracle or SQL Server databases. For Credentials, enter the credentials for your database.

    • Other type of secret – Choose this option to store only the user name and password to connect to your database. Choose Add row to add two key-value pairs. Make sure that you use username and password for key names. For values related to these keys, enter the credentials for your database.

  4. For Encryption key, choose the Amazon KMS key that Secrets Manager uses to encrypt the secret value. Choose Next.

  5. On the Configure secret page, enter a descriptive Secret name. For example, enter sc-source-secret or sc-target-secret.

  6. Choose Replicate secret and then for Amazon Web Services Region choose your Region. Choose Next.

  7. On the Configure rotation page, choose Next.

  8. On the Review page, review your secret details, and then choose Store.

To store credentials for your source and target databases, repeat these steps.
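The bucket and secret procedures above leave three things worth verifying before a migration project relies on them: Bucket Versioning is enabled, each secret is replicated to the project Region, and each secret carries the username and password key names. The following check is an added example, not code from the original documentation; it assumes boto3-style S3 and Secrets Manager clients are passed in, and it uses constructed stub clients and sample values so that it runs offline.

```python
import json

def check_bucket_versioning(s3, bucket):
    """True only when Bucket Versioning is enabled on the bucket."""
    # The Status key is absent when versioning was never turned on.
    return s3.get_bucket_versioning(Bucket=bucket).get("Status") == "Enabled"

def check_secret(sm, secret_id, region):
    """Return findings for one stored secret; an empty list means it is ready."""
    findings = []
    meta = sm.describe_secret(SecretId=secret_id)
    replicas = {r["Region"]: r.get("Status") for r in meta.get("ReplicationStatus", [])}
    if meta.get("PrimaryRegion") != region:
        if region not in replicas:
            findings.append(f"{secret_id}: not replicated to {region}")
        elif replicas[region] != "InSync":
            findings.append(f"{secret_id}: replica in {region} is {replicas[region]}")
    # Inspect key names only; secret values are never logged or returned.
    keys = set(json.loads(sm.get_secret_value(SecretId=secret_id)["SecretString"]))
    for missing in sorted({"username", "password"} - keys):
        findings.append(f"{secret_id}: missing key {missing!r}")
    return findings

# Constructed stand-ins for the boto3 clients (assumption: same method names
# and response shapes), so the checks can be exercised without an account.
class StubS3:
    def __init__(self, status):
        self.status = status
    def get_bucket_versioning(self, Bucket):
        return {"Status": self.status} if self.status else {}

class StubSecrets:
    def __init__(self, meta, value):
        self.meta, self.value = meta, value
    def describe_secret(self, SecretId):
        return self.meta
    def get_secret_value(self, SecretId):
        return {"SecretString": json.dumps(self.value)}

READY = StubSecrets(
    {"PrimaryRegion": "us-west-2",
     "ReplicationStatus": [{"Region": "us-east-1", "Status": "InSync"}]},
    {"username": "constructed-user", "password": "constructed-password"})
NOT_READY = StubSecrets(
    {"PrimaryRegion": "us-west-2", "ReplicationStatus": []},
    {"user": "constructed-user", "password": "constructed-password"})

if __name__ == "__main__":
    print(check_bucket_versioning(StubS3("Enabled"), "sc-s3-bucket"))
    print(check_secret(NOT_READY, "sc-target-secret", "us-east-1"))
```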

Create IAM roles

Create Amazon Identity and Access Management (IAM) roles to use in your migration project. DMS Schema Conversion uses these IAM roles to access your Amazon S3 bucket and database credentials stored in Amazon Secrets Manager.

To create an IAM role that provides access to your Amazon S3 bucket
  1. Sign in to the Amazon Web Services Management Console and open the IAM console at

  2. In the navigation pane, choose Roles.

  3. Choose Create role.

  4. On the Select trusted entity page, choose Amazon service. Choose DMS.

  5. Choose Next. The Add permissions page opens.

  6. For Filter policies, enter S3. Choose AmazonS3FullAccess.

  7. Choose Next. The Name, review, and create page opens.

  8. For Role name, enter a descriptive name. For example, enter sc-s3-role. Choose Create role.

  9. On the Roles page, enter sc-s3-role for Role name. Choose sc-s3-role.

  10. On the sc-s3-role page, choose the Trust relationships tab. Choose Edit trust policy.

  11. On the Edit trust policy page, edit the trust relationships for the role to use the service principal as the trusted entity.

  12. Choose Update trust policy.

To create an IAM role that provides access to Amazon Secrets Manager
  1. Sign in to the Amazon Web Services Management Console and open the IAM console at

  2. In the navigation pane, choose Roles.

  3. Choose Create role.

  4. On the Select trusted entity page, choose Amazon service. Choose DMS.

  5. Choose Next. The Add permissions page opens.

  6. For Filter policies, enter Secret. Choose SecretsManagerReadWrite.

  7. Choose Next. The Name, review, and create page opens.

  8. For Role name, enter a descriptive name. For example, enter sc-secrets-manager-role. Choose Create role.

  9. On the Roles page, enter sc-secrets-manager-role for Role name. Choose sc-secrets-manager-role.

  10. On the sc-secrets-manager-role page, choose the Trust relationships tab. Choose Edit trust policy.

  11. On the Edit trust policy page, edit the trust relationships for the role to use and your Amazon DMS regional service principal as the trusted entities. This Amazon DMS regional service principal has the following format.

    Replace region-name with the name of your Region, such as us-east-1.

    The following code example shows the principal for the us-east-1 Region.

    The following code example shows a trust policy for accessing Amazon DMS schema conversion.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "Service": ""
                },
                "Action": "sts:AssumeRole"
            },
            {
                "Effect": "Allow",
                "Principal": {
                    "Service": ""
                },
                "Action": "sts:AssumeRole"
            }
        ]
    }
  12. Choose Update trust policy.
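A trust policy edited by hand in step 11 is easy to leave with a blank, misspelled, or overly broad principal. The following linter is an added example, not code from the original documentation; it checks that a role trusts exactly the service principals you expect and nothing else. The principal names in it are placeholders (the caller supplies the real ones from the official documentation), and the sample policies are constructed.

```python
import json

def _as_list(value):
    """IAM allows a scalar or a list for Action and principal values."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def lint_trust_policy(policy_json, required_services):
    """Return findings for a role trust policy; an empty list means it passes."""
    # required_services: the service principals the role must trust.
    findings, trusted = [], set()
    statements = _as_list(json.loads(policy_json).get("Statement"))
    for i, st in enumerate(statements):
        where = f"Statement[{i}]"
        if st.get("Effect") != "Allow":
            continue  # only Allow statements grant trust
        for action in _as_list(st.get("Action")):
            if action != "sts:AssumeRole":
                findings.append(f"{where}: unexpected action {action!r}")
        principal = st.get("Principal")
        if not isinstance(principal, dict):
            findings.append(f"{where}: principal {principal!r} is not a service principal")
            continue
        for kind, values in principal.items():
            for value in _as_list(values):
                if kind != "Service":
                    findings.append(f"{where}: non-service principal {kind}={value!r}")
                elif not value:
                    findings.append(f"{where}: empty service principal")
                elif value not in required_services:
                    findings.append(f"{where}: unexpected service {value!r}")
                else:
                    trusted.add(value)
    for missing in sorted(set(required_services) - trusted):
        findings.append(f"missing required service principal {missing!r}")
    return findings

# Constructed inputs. The principal names are placeholders, not real AWS values.
REQUIRED = ["PLACEHOLDER-SERVICE-PRINCIPAL", "PLACEHOLDER-REGIONAL-SERVICE-PRINCIPAL"]
STMT = '{"Effect": "Allow", "Principal": {"Service": "%s"}, "Action": "sts:AssumeRole"}'
GOOD = '{"Version": "2012-10-17", "Statement": [%s, %s]}' % (STMT % REQUIRED[0], STMT % REQUIRED[1])
BLANK = '{"Version": "2012-10-17", "Statement": [%s, %s]}' % (STMT % "", STMT % "")
OPEN = '{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "sts:AssumeRole"}]}'

if __name__ == "__main__":
    for name, doc in (("good", GOOD), ("blank", BLANK), ("open", OPEN)):
        print(name, lint_trust_policy(doc, REQUIRED))
```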