Skip to content
By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

DMS 3.5.4 — "Network error has occurred" when writing to OpenSearch target with CaptureDdls=false

0

Problem

AWS DMS replication task (full-load-and-cdc) fails with "Network error has occurred" (RECOVERABLE_ERROR) when CaptureDdls=false is set on the PostgreSQL source endpoint with PluginName=pgoutput.

The task discovers all tables successfully but fails before loading any data into OpenSearch.

Environment

  • DMS Engine: 3.5.4
  • DMS Instance: dms.r5.4xlarge
  • Source: Aurora PostgreSQL 16.11
  • Target: OpenSearch 2.17 (VPC, no FGAC, open access policy Principal: *)
  • Migration type: full-load-and-cdc

Source endpoint config

Extra Connection Attributes: PluginName=pgoutput;CaptureDdls=false

The source user has rds_replication but NOT rds_superuser. That's why CaptureDdls=false is required.

Target endpoint config

  • ServiceAccessRoleArn: IAM role with es:* on the domain (root + wildcard)
  • UseNewMappingType: true
  • FullLoadErrorPercentage: 10
  • ErrorRetryDuration: 300

What works

  • Test connection to both source and target: successful
  • Writing to OpenSearch directly (unsigned curl requests from same VPC): works
  • Same setup on staging with a user that HAS rds_superuser (without CaptureDdls=false): works perfectly (267 tables loaded, CDC running)

What fails

Every attempt to start the prod task with CaptureDdls=false results in "Network error" after ~90 seconds, regardless of:

  • MaxFullLoadSubTasks (tested 32, 40, 44, 49)
  • ParallelLoadThreads (tested 8, 32)
  • Subnet group changes
  • OpenSearch access policy (added root resource ARN)
  • IAM role policy (added root resource ARN)

Logs

With LOGGER_SEVERITY_DEFAULT on all components, logs show:

  1. Source ODBC connection: OK
  2. Target OpenSearch endpoint settings loaded: OK
  3. STS Client created with ServicePrincipalCredentialsProviderChain: OK
  4. Tables discovered (428): OK
  5. Immediately after: recoverable error, retry attempt #4-6 → task fails

No HTTP error code or detailed network error visible in CloudWatch logs.

Key observation

Without CaptureDdls=false, using a user with rds_superuser: task works and loads data into OpenSearch. The ONLY change that breaks it is using a non-superuser with CaptureDdls=false.

Questions

  1. Is CaptureDdls=false fully compatible with PluginName=pgoutput on DMS 3.5.4?
  2. Does DMS still attempt DDL-related operations even when CaptureDdls=false is set?
  3. Is there a way to get more detailed error logging for the actual HTTP response from OpenSearch?
  4. Any known issues with DMS 3.5.4 + OpenSearch target + CaptureDdls=false?
Topics
Migration & Modernization
Tags
AWS Database Migration Service
Language
English
asked 24 days ago41 views
2 Answers
2

To me, the generic re:Post Agent’s answer misses the technical root cause. This is a known privilege and architecture conflict in AWS DMS 3.5.4 when transitioning from Table Discovery to the actual initialization phase, specifically under PostgreSQL 15+.

The Root Cause, I assume:

The 90-second timeout and generic Network error (RECOVERABLE_ERROR) is a masked failure.

  1. Table Discovery succeeds because the user has basic metadata read permissions.

  2. Immediately after discovery, when PluginName=pgoutput is used, DMS attempts to automatically create a PostgreSQL publication behind the scenes (CREATE PUBLICATION awsdms_publication FOR ALL TABLES;).

  3. Starting with PostgreSQL 15+ (including your 16.11 version), executing FOR ALL TABLES strictly requires superuser privileges or the pg_create_subscription role.

  4. Because your production user lacks rds_superuser, this internal SQL statement fails silently. The replication stream terminates abruptly, causing DMS to drop the connection socket and misreport it as a generic network error. Setting CaptureDdls=false only prevents the creation of the DDL audit table/triggers—it does not bypass the publication creation requirements of pgoutput.

Try the following:

To fix this without granting rds_superuser in production, you must pre-create the publication manually and instruct DMS to use it instead of generating one.

Step 1: Manually create the Publication (As Admin/Superuser)

Log into your Aurora PostgreSQL instance with a superuser account and create a publication explicitly for your target tables:

CREATE PUBLICATION my_prod_dms_publication FOR TABLE schema.table1, schema.table2, ...;

(Note: Ensure your DMS migration user has SELECT privileges on these tables and is granted membership or ownership access where required by PG16 replication rules).

Step 2: Update Source Endpoint Extra Connection Attributes (ECA)

Modify your PostgreSQL source endpoint configuration to reference the manually created publication. Append the following attributes:

PluginName=pgoutput;CaptureDdls=false;PublicationName=my_prod_dms_publication;ExposeCurrentTransactionsAsRecords=true;

Step 3: (Optional) Expose Detailed Error Logs

If you ever need to see the exact failing SQL or HTTP payloads behind a generic "Network error", switch the component logging to DETAILED_DEBUG in your Task Settings JSON:

"ComponentAppSettings": [
    { "ComponentId": "SOURCE_UNLOAD", "Severity": "LOGGER_SEVERITY_DETAILED_DEBUG" },
    { "ComponentId": "SOURCE_CAPTURE", "Severity": "LOGGER_SEVERITY_DETAILED_DEBUG" },
    { "ComponentId": "TARGET_LOAD", "Severity": "LOGGER_SEVERITY_DETAILED_DEBUG" }
]

Restart or Resume your task after modifying the ECA attributes, and the full-load-and-cdc process to OpenSearch will proceed normally.

EXPERT
answered 24 days ago
0

Based on the troubleshooting information available for AWS DMS, here are some insights into your issue:

Regarding CaptureDDLs Configuration: The CaptureDDLs setting is primarily documented for PostgreSQL target endpoints to prevent capturing DDL statements. While you're using it on a source endpoint, this configuration's interaction with the pgoutput plugin and OpenSearch targets may have undocumented behaviors in DMS 3.5.4.

Troubleshooting Steps to Consider:

  1. Replication Instance Capacity: Verify your dms.r5.4xlarge instance has sufficient capacity for the task. Out-of-memory errors can manifest as network errors. Review CloudWatch metrics for memory utilization, CPU, and network throughput during the failure window.

  2. CloudWatch Log Analysis: Search your CloudWatch logs specifically for error and warning patterns using "]E:" or "]W:" in the search bar. This can reveal more detailed error messages that aren't immediately visible in the task summary.

  3. Component-Level Error Identification: Check which DMS components are logging the errors. If the errors are from SOURCE_UNLOAD or SOURCE_CAPTURE components, the issue likely originates from the PostgreSQL source configuration. If they're from TARGET_LOAD or TARGET_APPLY, focus on the OpenSearch target configuration.

  4. Endpoint Configuration Verification: Confirm that both your PostgreSQL source and OpenSearch target endpoints are correctly configured according to their specific requirements. Engine-specific limitations, unsupported data types, and CDC restrictions can cause task failures that may appear as network errors.

  5. Sequential vs. Concurrent Execution: If there are resource constraints, try running tasks sequentially rather than concurrently to reduce the load on the replication instance.

Regarding Your Specific Questions:

The interaction between CaptureDDLs=false, pgoutput plugin, and OpenSearch targets isn't explicitly documented in the available troubleshooting guidance. The fact that removing this setting (with a superuser) resolves the issue suggests there may be an incompatibility or unexpected behavior when these specific configurations are combined.

Consider opening an AWS Support case with your detailed logs and configuration, as this appears to be a specific edge case that may require deeper investigation into the DMS engine's behavior with this particular combination of settings.
Sources
Troubleshooting migration tasks in AWS Database Migration Service - AWS Database Migration Service
Troubleshoot AWS DMS replication task failures and stuck states | AWS re:Post

answered 24 days ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Relevant content