AWS DMS - Database Migration Service SYSTEM ERROR MESSAGE:The IAM Role arn:aws:iam::<account_id>:role/dms-vpc-role is not configured properly
I am trying to create a DMS (Database Migration Service) instance but I am getting the following error:

SYSTEM ERROR MESSAGE:The IAM Role arn:aws:iam::<account_id>:role/dms-vpc-role is not configured properly

What role should I create, and what should I assign it to?

Alexis answered 24/10, 2019 at 13:21 Comment(1)
Have you got any solution? (Bauble)

It seems like they changed the IAM roles. If anyone is trying to do this now, the simplest solution is to create a replication instance in the AWS console, and the dms-vpc-role will be created automatically.

Then you can delete that 'temporary' instance and run CloudFormation or the AWS CLI to create the instance that you want.

If you want to create the role by hand, the attached policy has to be AmazonDMSVPCManagementRole.

It contains the following permissions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:CreateNetworkInterface",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeInternetGateways",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSubnets",
                "ec2:DescribeVpcs",
                "ec2:DeleteNetworkInterface",
                "ec2:ModifyNetworkInterfaceAttribute"
            ],
            "Resource": "*"
        }
    ]
}
Mealworm answered 23/3, 2020 at 13:0 Comment(4)
I can confirm that as of today dms-vpc-role is NOT created automatically from the console. The role needs to be created manually and the AmazonDMSVPCManagementRole policy attached to it, as mentioned above. (Fez)
I ran into this issue today and the console DID automatically create the dms-vpc-role when I created my replication instance. However, I ran into this issue because I was using a KMS key and dms-vpc-role did not have access to it. I changed my KMS key to the default one to fix this issue. (Parts)
As of Nov. 2023, although the "dms-vpc-role is not configured properly" error still occurs in the AWS Console after the first attempt to create a DMS instance, the role and policy do actually exist, and a retry of the DMS creation will succeed. (Orts)
Yes, if you get this error, re-click the create button and the DMS creation will succeed. (Wendell)

You will need to allow DMS to assume a role:

  1. Create a file /tmp/dmsAssumeRolePolicyDocument.json with the trust policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "dms.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

  2. Create the role:

aws iam create-role --role-name dms-vpc-role --assume-role-policy-document file:///tmp/dmsAssumeRolePolicyDocument.json

  3. Attach the managed policy to the role:

aws iam attach-role-policy --role-name dms-vpc-role --policy-arn arn:aws:iam::aws:policy/service-role/AmazonDMSVPCManagementRole

Now you can go ahead and create the DMS instance in the console or using the AWS CLI.

Alexis answered 24/10, 2019 at 13:25 Comment(1)
This solution is incomplete, as it doesn't tell you where this role should be used, but only how to create it. In my DMS use case, the only place where I had to use it was in the pre-migration assessment task, which can be edited to pick that role from the combo. I also needed read and write permissions to the S3 bucket that I linked to that task, such as S3FullAccess, or, if you want something more limited, AWSBackupServiceRolePolicyForS3Backup + AWSBackupServiceRolePolicyForS3Restore. (Leolaleoline)

For those using CloudFormation, here is the YAML version of the template:

---
AWSTemplateFormatVersion: "2010-09-09"
Description: creates the dms-vpc-role needed for dms subnet groups
Resources:
  Policy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      Description: "allows dms vpc management"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Resource: "*"
            Action:
              - ec2:CreateNetworkInterface
              - ec2:DescribeAvailabilityZones
              - ec2:DescribeInternetGateways
              - ec2:DescribeSecurityGroups
              - ec2:DescribeSubnets
              - ec2:DescribeVpcs
              - ec2:DeleteNetworkInterface
              - ec2:ModifyNetworkInterfaceAttribute
      ManagedPolicyName: dms-vpc-management
  Role:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              Service:
                - "dms.amazonaws.com"
            Action:
              - "sts:AssumeRole"
      Policies: []
      ManagedPolicyArns:
        - !Ref Policy
      RoleName: dms-vpc-role
Disarticulate answered 16/8, 2023 at 1:7 Comment(1)
Thanks, 2ps! This fixed my issue, and now on to the next! (Sucrose)
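The CLI answer and the CloudFormation answer above both build the same thing: a role named exactly dms-vpc-role whose trust policy lets dms.amazonaws.com call sts:AssumeRole, carrying either the AWS managed policy AmazonDMSVPCManagementRole or a customer-managed policy with the same eight ec2 actions. The "is not configured properly" error is what you get when one of those three conditions is missing. The script below is an added example, not code from any of the posters; it checks those conditions offline against the JSON that `aws iam get-role` and `aws iam list-attached-role-policies` print (for a customer-managed policy, pass its document from `aws iam get-policy-version` as well). The sample inputs are constructed, and account 123456789012 is a placeholder.

```python
"""Offline check of the dms-vpc-role configuration (added example)."""
import fnmatch
import json
import sys
from urllib.parse import unquote

ROLE_NAME = "dms-vpc-role"            # DMS looks for this exact name
DMS_PRINCIPAL = "dms.amazonaws.com"
MANAGED_POLICY_ARN = "arn:aws:iam::aws:policy/service-role/AmazonDMSVPCManagementRole"
# The actions in AmazonDMSVPCManagementRole, as listed in the answers above.
REQUIRED_ACTIONS = {
    "ec2:CreateNetworkInterface", "ec2:DescribeAvailabilityZones",
    "ec2:DescribeInternetGateways", "ec2:DescribeSecurityGroups",
    "ec2:DescribeSubnets", "ec2:DescribeVpcs",
    "ec2:DeleteNetworkInterface", "ec2:ModifyNetworkInterfaceAttribute",
}


def _as_list(value):
    """IAM accepts a single string or a list in Principal/Action fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _allow_statements(doc):
    return [s for s in _as_list(doc.get("Statement")) if s.get("Effect") == "Allow"]


def trusts_dms(trust_doc: dict) -> bool:
    """True if an Allow statement lets dms.amazonaws.com call sts:AssumeRole."""
    for stmt in _allow_statements(trust_doc):
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        # IAM action names are case-insensitive and may be wildcarded (sts:*).
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        if DMS_PRINCIPAL in services and any(
                fnmatch.fnmatchcase("sts:assumerole", a) for a in actions):
            return True
    return False


def grants_required_actions(permission_doc: dict) -> bool:
    """True if the Allow statements cover every action in REQUIRED_ACTIONS.

    Resource and Condition elements are ignored here; the managed policy uses
    Resource "*", so this only tells you the action list is complete.
    """
    granted = set()
    for stmt in _allow_statements(permission_doc):
        patterns = [a.lower() for a in _as_list(stmt.get("Action"))]
        granted |= {a for a in REQUIRED_ACTIONS
                    if any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns)}
    return granted >= REQUIRED_ACTIONS


def check_role(get_role_output: dict, attached_output: dict, customer_policy_docs=()) -> list:
    """Return a list of findings; an empty list means the role looks correctly configured."""
    findings = []
    role = get_role_output["Role"]
    if role.get("RoleName") != ROLE_NAME:
        findings.append(f"role is named {role.get('RoleName')!r}, DMS expects {ROLE_NAME!r}")
    trust = role.get("AssumeRolePolicyDocument", {})
    if isinstance(trust, str):           # the raw IAM API URL-encodes the document
        trust = json.loads(unquote(trust))
    if not trusts_dms(trust):
        findings.append(f"trust policy does not allow {DMS_PRINCIPAL} to call sts:AssumeRole")
    arns = {p.get("PolicyArn") for p in attached_output.get("AttachedPolicies", [])}
    if MANAGED_POLICY_ARN not in arns and not any(
            grants_required_actions(d) for d in customer_policy_docs):
        findings.append("neither AmazonDMSVPCManagementRole nor an equivalent customer policy is attached")
    return findings


# Constructed sample inputs (shape of `aws iam get-role` / `list-attached-role-policies` output).
TRUST_DMS = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
             "Principal": {"Service": DMS_PRINCIPAL}, "Action": "sts:AssumeRole"}]}
GOOD_ROLE = {"Role": {"RoleName": ROLE_NAME,
                      "Arn": "arn:aws:iam::123456789012:role/dms-vpc-role",
                      "AssumeRolePolicyDocument": TRUST_DMS}}
GOOD_ATTACHED = {"AttachedPolicies": [{"PolicyName": "AmazonDMSVPCManagementRole",
                                       "PolicyArn": MANAGED_POLICY_ARN}]}
# A role that exists but trusts the wrong service and carries no policy.
BAD_ROLE = {"Role": {"RoleName": ROLE_NAME,
                     "Arn": "arn:aws:iam::123456789012:role/dms-vpc-role",
                     "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
                         {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
                          "Action": "sts:AssumeRole"}]}}}
# Customer-managed policy equivalent to the CloudFormation template above.
CUSTOMER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": sorted(REQUIRED_ACTIONS)}]}
CUSTOMER_ATTACHED = {"AttachedPolicies": [{"PolicyName": "dms-vpc-management",
                     "PolicyArn": "arn:aws:iam::123456789012:policy/dms-vpc-management"}]}

if __name__ == "__main__":
    if len(sys.argv) >= 3:   # saved output of the two aws iam commands
        with open(sys.argv[1]) as f_role, open(sys.argv[2]) as f_att:
            result = check_role(json.load(f_role), json.load(f_att))
    else:
        result = check_role(BAD_ROLE, {"AttachedPolicies": []})
    print("OK" if not result else "\n".join("- " + f for f in result))
```

Run it as `python check_dms_vpc_role.py role.json attached.json` after saving `aws iam get-role --role-name dms-vpc-role` and `aws iam list-attached-role-policies --role-name dms-vpc-role` to those files; with no arguments it runs against the constructed misconfigured sample and prints the two findings. It does not cover the KMS case mentioned in the comments, where the role exists and is correct but the key policy of a customer-managed KMS key does not grant it access.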

For the first time I created an IAM role without granting it to a specific resource. I was very suspicious at first, but I was quite sure that the solution proposed by @Andreu Gallofré would work after verifying with Terraform. For people who are interested in creating dms-vpc-role with Terraform, here is the documentation: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dms_replication_instance

Cerebro answered 24/5, 2024 at 15:16 Comment(0)

© 2022 - 2025 — McMap. All rights reserved.