您可以在没有明确创建的访问密钥和秘密密钥的情况下使用 AWS MGN(应用程序迁移)吗?
[英]Can you use AWS MGN (Application Migration) without an explicitly created access key and secret key?
问题描述
I have a situation where I need to migrate an on-prem environment to AWS.
我有一种情况需要将本地环境迁移到 AWS。 The tool of choice is AWS MGN (Application Migration).选择的工具是 AWS MGN(应用程序迁移)。 I am following AWS's documentation on loading and using the agent on the source application:我正在关注 AWS 关于在源应用程序上加载和使用代理的文档:
https://docs.aws.amazon.com/mgn/latest/ug/windows-agent.htmlhttps://docs.aws.amazon.com/mgn/latest/ug/windows-agent.html
The documentation clearly states the need for an access key and secret key.该文档明确说明需要访问密钥和秘密密钥。 Our environment is set up with a root account with limited users and the team accesses the AWS environment in other accounts (eg dev/test/prod/etc.) via SSO.我们的环境设置了一个具有有限用户的根帐户,团队通过 SSO 访问其他帐户(例如 dev/test/prod/etc.)中的 AWS 环境。 The MGN service also creates four roles: MGN 服务还创建了四个角色:
- AWSApplicationMigrationConversionServerRole AWSApplicationMigrationConversionServerRole
- AWSApplicationMigrationMGHRole AWSApplicationMigrationMGHR角色
- AWSApplicationMigrationReplicationServerRole AWSApplicationMigrationReplicationServerRole
- AWSServiceRoleForApplicationMigrationService AWSServiceRoleForApplicationMigrationService
I know you can use 'aws sts assume role' to glean off the keys needed, eg:我知道您可以使用“aws sts assume role”来收集所需的密钥,例如:
AWS_SESSION_TOKEN=$(echo "$test_assume_role_json" | jq -r '.Credentials.SessionToken')
export AWS_SESSION_TOKEN
AWS_ACCESS_KEY_ID=$(echo "$test_assume_role_json" | jq -r '.Credentials.AccessKeyId')
export AWS_ACCESS_KEY_ID
AWS_SECRET_ACCESS_KEY=$(echo "$test_assume_role_json" | jq -r '.Credentials.SecretAccessKey')
These roles are create by AWS and I can't edit them to try and give my SSO user access (I can't 'aws sts assume role' these from the CLI), so assuming these roles directly is not possible.这些角色是由 AWS 创建的,我无法编辑它们来尝试授予我的 SSO 用户访问权限(我无法从 CLI 中“aws sts 承担角色”),因此无法直接承担这些角色。 I also cannot create a role that uses AWS-managed policies.我也无法创建使用 AWS 托管策略的角色。
I am not really sure if what I want to do is possible, or if there is a simple solution that I'm just not seeing.我不太确定我想做的事情是否可行,或者是否有一个我只是没有看到的简单解决方案。
EDIT : I was actually successful in creating a test role with the following policies on the account that I wanted to migrate into:编辑:我实际上成功地在我想迁移到的帐户上使用以下策略创建了一个测试角色:
- AdministratorAccess (AWS managed policy) AdministratorAccess(AWS 托管策略)
- AWSApplicationMigrationAgentPolicy (AWS managed policy) AWSApplicationMigrationAgentPolicy(AWS 托管策略)
- AWSApplicationMigrationFullAccess (AWS managed policy) AWSApplicationMigrationFullAccess(AWS 托管策略)
- AWSApplicationMigrationMGHAccess (AWS managed policy) AWSApplicationMigrationMGHAccess(AWS 托管策略)
- AWSApplicationMigrationReadOnlyAccess (AWS managed policy) AWSApplicationMigrationReadOnlyAccess(AWS 托管策略)
- AWSApplicationMigrationEC2Access (AWS managed policy) AWSApplicationMigrationEC2Access(AWS 托管策略)
- AWSApplicationMigrationConversionServerPolicy (AWS managed policy) AWSApplicationMigrationConversionServerPolicy(AWS 托管策略)
- AWSApplicationMigrationReplicationServerPolicy (AWS managed policy) AWSApplicationMigrationReplicationServerPolicy(AWS 托管策略)
I then ran assume-role to get the access key and secret key:然后我运行 assume-role 来获取访问密钥和秘密密钥:
C:\>aws sts assume-role --role-arn "arn:aws:iam::<REDACTED>:role/ApplicationMigrationTester" --role-session-name test --profile test
{
"Credentials": {
"AccessKeyId": "<REDACTED>",
"SecretAccessKey": "<REDACTED>",
"SessionToken": "<REDACTED>",
"Expiration": "2021-07-15T22:55:08+00:00"
},
"AssumedRoleUser": {
"AssumedRoleId": "<REDACTED>":test",
"Arn": "arn:aws:sts::<REDACTED>:assumed-role/ApplicationMigrationTester/test"
}
}
I tried to run the agent again as Administrator using those vaules when prompted:当出现提示时,我尝试使用这些值再次以管理员身份运行代理:
C:\>.\AwsReplicationWindowsInstaller.exe
The installation of the AWS Replication Agent has started.
AWS Region Name: us-east-1
AWS Access Key ID: <REDACTED>
AWS Secret Access Key:
Verifying that the source server has enough free disk space to install the AWS Replication Agent.
(a minimum of 2 GB of free disk space is required)
Identifying volumes for replication.
Choose the disks you want to replicate. Your disks are: c:
To replicate some of the disks, type the path of the disks, separated with a comma (for example, C:,D:). To replicate all disks, press Enter:
Disk to replicate identified: c:0 of size 620 GiB
All volumes for replication were successfully identified.
Downloading the AWS Replication Agent onto the source server...
Failed to validate AWS credentials
Installation failed.
Learn more about installation issues in our documentation at https://docs.aws.amazon.com/mgn/latest/ug/Troubleshooting-Agent-Issues.html#Error-Installation-Failed
Press Enter to close...
As you can see, it errored out.如您所见,它出错了。 I put in a ticket to AWS to see if my approach is even currently feasible.我向 AWS 投了一张票,看看我的方法目前是否可行。 When they respond, I will update.当他们回应时,我会更新。
1 个解决方案
解决方案1
0 已采纳 2022-02-07 20:26:53
You only should provide the credentials from the command line (powerShell or CMD)您只应从命令行(powerShell 或 CMD)提供凭据
C:\Downloads>.\AwsReplicationWindowsInstaller.exe --region us-east-1 --aws-access-key-id AKIA4HN2LIGPIERPMPXT --aws-secret-access-key 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
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.