Has anyone run into this issue with "not authorized to perform: dms:StartReplicationTask" while running data pipeline to schedule a Database Migration task?
An error occurred (AccessDeniedException) when calling the StartReplicationTask operation: User: arn:aws:sts::myaccount123:assumed-role/DataPipelineDefaultResourceRole/i-06cd6897b81348197 is not authorized to perform: dms:StartReplicationTask on resource: arn:aws:dms:us-east-1:myaccount123:task:PSNZBU57OTT54JOOABSMHV5WYI
errorStackTrace
amazonaws.datapipeline.taskrunner.TaskExecutionException: An error occurred (AccessDeniedException) when calling the StartReplicationTask operation: User: arn:aws:sts::myaccount123:assumed-role/DataPipelineDefaultResourceRole/i-06cd6897b81348197 is not authorized to perform: dms:StartReplicationTask on resource: arn:aws:dms:us-east-1:myaccount123:task:PSNZBU57OTT54JOOABSMHV5WYI
    at amazonaws.datapipeline.activity.ShellCommandActivity.runActivity(ShellCommandActivity.java:93)
    at amazonaws.datapipeline.objects.AbstractActivity.run(AbstractActivity.java:16)
    at amazonaws.datapipeline.taskrunner.TaskPoller.executeRemoteRunner(TaskPoller.java:136)
    at amazonaws.datapipeline.taskrunner.TaskPoller.executeTask(TaskPoller.java:105)
    at amazonaws.datapipeline.taskrunner.TaskPoller$1.run(TaskPoller.java:81)
    at private.com.amazonaws.services.datapipeline.poller.PollWorker.executeWork(PollWorker.java:76)
    at private.com.amazonaws.services.datapipeline.poller.PollWorker.run(PollWorker.java:53)
    at java.lang.Thread.run(Thread.java:748)
When I run this task
aws dms start-replication-task --replication-task-arn arn:aws:dms:us-east-1:myaccount123:task:PSNZBU57OTT54JOOABSMHV5WYI --start-replication-task-type reload-target
using AWSCLI as myself everything works fine.
It seems that I don't have the right permission set up for STS and the DataPipeline API to start the DMS task. I'm using the Data Pipeline web interface and have checked that all the policies and roles are in place:
AmazonDMSCloudWatchLogsRole
AmazonDMSRedshiftS3Role
AmazonDMSVPCManagementRole
AWSMigrationHubDMSAccess
AmazonDynamoDBFullAccesswithDataPipeline
AmazonEC2RoleforDataPipelineRole
AWSDataPipeline_FullAccess
AWSDataPipelineRole
It seems that you don't have the right permission to execute the DMS task from Data Pipeline. To do this, you need to make sure you have this IAM policy assigned to the IAM role that has been used in your pipeline:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [
                    "dms:StartReplicationTask"
                ],
                "Effect": "Allow",
                "Resource": "*"
            }
        ]
    }
To clarify why you have been able to execute the task successfully from the AWS CLI: it is because the CLI uses your configured credentials, and you may have assigned some full access role for DMS to your user. For running it from Data Pipeline, you need the permissions to be assigned to an IAM role.
P.S.: This is only an example of the permission that you need; you may need other permissions for your pipeline, or you could need to restrict the policy more to only one or more resources.