Data Pipeline AWSCLI to start AWS DMS Task --> not authorized to perform: dms:StartReplicationTask

Has anyone run into this issue with "not authorized to perform: dms:StartReplicationTask" while running data pipeline to schedule a Database Migration task?

An error occurred (AccessDeniedException) when calling the StartReplicationTask operation: User: arn:aws:sts::myaccount123:assumed-role/DataPipelineDefaultResourceRole/i-06cd6897b81348197 is not authorized to perform: dms:StartReplicationTask on resource: arn:aws:dms:us-east-1:myaccount123:task:PSNZBU57OTT54JOOABSMHV5WYI
errorStackTrace

amazonaws.datapipeline.taskrunner.TaskExecutionException: An error occurred (AccessDeniedException) when calling the StartReplicationTask operation: User: arn:aws:sts::myaccount123:assumed-role/DataPipelineDefaultResourceRole/i-06cd6897b81348197 is not authorized to perform: dms:StartReplicationTask on resource: arn:aws:dms:us-east-1:myaccount123:task:PSNZBU57OTT54JOOABSMHV5WYI
    at amazonaws.datapipeline.activity.ShellCommandActivity.runActivity(ShellCommandActivity.java:93)
    at amazonaws.datapipeline.objects.AbstractActivity.run(AbstractActivity.java:16)
    at amazonaws.datapipeline.taskrunner.TaskPoller.executeRemoteRunner(TaskPoller.java:136)
    at amazonaws.datapipeline.taskrunner.TaskPoller.executeTask(TaskPoller.java:105)
    at amazonaws.datapipeline.taskrunner.TaskPoller$1.run(TaskPoller.java:81)
    at private.com.amazonaws.services.datapipeline.poller.PollWorker.executeWork(PollWorker.java:76)
    at private.com.amazonaws.services.datapipeline.poller.PollWorker.run(PollWorker.java:53)
    at java.lang.Thread.run(Thread.java:748)

When I run this task

aws dms start-replication-task --replication-task-arn arn:aws:dms:us-east-1:myaccount123:task:PSNZBU57OTT54JOOABSMHV5WYI --start-replication-task-type reload-target

using AWSCLI as myself everything works fine.

It seems that I don't have the right permission set up for STS and DataPipeline API to start the DMS task. I'm using the Data Pipeline web interface and have checked that all the policies and roles are in place:

AmazonDMSCloudWatchLogsRole 
AmazonDMSRedshiftS3Role 
AmazonDMSVPCManagementRole 
AWSMigrationHubDMSAccess 

AmazonDynamoDBFullAccesswithDataPipeline 
AmazonEC2RoleforDataPipelineRole 
AWSDataPipeline_FullAccess 
AWSDataPipelineRole 

It seems that you don't have the right permission to execute the DMS task from Data Pipeline. To do this, you need to make sure you have this IAM policy assigned to the IAM role that has been used in your pipeline:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "dms:StartReplicationTask"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

To clarify why you have been able to execute the task successfully from the AWS CLI: the CLI uses your configured credentials, and you may have assigned some full access role for DMS to your user. To run it from Data Pipeline, you need the permissions to be assigned to an IAM role.

PS: This is only an example of the permission that you need; you may need other permissions for your pipeline, or you may need to restrict the policy further to only one or more resources.
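
As an added example (not part of the original answer), the script below narrows the policy to the single replication task named in the error, attaches it to the role from the assumed-role ARN, and checks the result with the IAM policy simulator. The inline policy name `StartSingleDmsTask` and the assumption that the role has no IAM path are illustrative choices, not details from the page.

```bash
#!/usr/bin/env bash
# Added example: least-privilege version of the policy above, scoped to one task.

# Role name taken from the assumed-role ARN in the error message.
ROLE_NAME="DataPipelineDefaultResourceRole"
# Hypothetical inline policy name (assumption, not from the page).
POLICY_NAME="StartSingleDmsTask"

# Print a policy document that allows starting exactly one replication task.
build_policy() {
  task_arn="$1"
  case "$task_arn" in
    arn:aws:dms:*:*:task:*) ;;   # accept only DMS replication task ARNs
    *) echo "not a DMS task ARN: $task_arn" >&2; return 1 ;;
  esac
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "dms:StartReplicationTask",
      "Resource": "$task_arn"
    }
  ]
}
EOF
}

# Attach the scoped policy inline to the pipeline's resource role.
attach_policy() {
  doc="$(build_policy "$1")" || return 1
  aws iam put-role-policy --role-name "$ROLE_NAME" \
    --policy-name "$POLICY_NAME" --policy-document "$doc"
}

# Ask the IAM policy simulator whether the role may now start the task.
# Prints allowed, implicitDeny or explicitDeny.
# Assumes the role ARN has no path component.
verify_policy() {
  account_id="$1"; task_arn="$2"
  aws iam simulate-principal-policy \
    --policy-source-arn "arn:aws:iam::${account_id}:role/${ROLE_NAME}" \
    --action-names dms:StartReplicationTask \
    --resource-arns "$task_arn" \
    --query 'EvaluationResults[0].EvalDecision' --output text
}
```

Run `attach_policy <task-arn>` with credentials that can edit the role, then `verify_policy <account-id> <task-arn>`; a result of `implicitDeny` means the role still lacks the permission, which matches the AccessDeniedException in the question.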
