
DMS incremental migration fails and the corresponding task cannot be created


I am currently using DMS for incremental data migration, and it keeps reporting an error. Following Amazon Q's reply, I added the KMS permissions shown in the file below. The error is: No permission to access Key 'arn:aws:kms:us-west-2:account:key/key-id'. Both endpoint databases can be connected to locally, so is something misconfigured somewhere?

1. The initial data was synced over by sharing a snapshot from the old server and then restoring it in the new account with a new KMS key. The restored data looks correct, but no matter how I configure the incremental migration it reports the error above.

2. The KMS configuration is as follows:

    {
      "Version": "2012-10-17",
      "Id": "key-consolepolicy-3",
      "Statement": [
        {
          "Sid": "Enable IAM User Permissions",
          "Effect": "Allow",
          "Principal": { "AWS": "arn:aws:iam::account:root" },
          "Action": "kms:*",
          "Resource": "*"
        },
        {
          "Sid": "Allow access for Key Administrators",
          "Effect": "Allow",
          "Principal": { "AWS": "arn:aws:iam::account:user/wuhaidong" },
          "Action": [
            "kms:Encrypt",
            "kms:Decrypt",
            "kms:GenerateDataKey",
            "kms:DescribeKey"
          ],
          "Resource": "*"
        },
        {
          "Sid": "Allow DMS Serverless service-linked role",
          "Effect": "Allow",
          "Principal": { "AWS": "arn:aws:iam::account:role/aws-service-role/dms.amazonaws.com/AWSServiceRoleForDMSServerless" },
          "Action": [
            "kms:Encrypt",
            "kms:Decrypt",
            "kms:ReEncrypt",
            "kms:GenerateDataKey*",
            "kms:DescribeKey"
          ],
          "Resource": "*"
        },
        {
          "Sid": "Allow DMS Serverless to create grants",
          "Effect": "Allow",
          "Principal": { "AWS": "arn:aws:iam::account:role/aws-service-role/dms.amazonaws.com/AWSServiceRoleForDMSServerless" },
          "Action": "kms:CreateGrant",
          "Resource": "*",
          "Condition": {
            "Bool": { "kms:GrantIsForAWSResource": "true" }
          }
        }
      ]
    }

3. Both the source and target endpoints connect using the database username and password.

1 Answer

Based on the error message "No permission to access Key 'arn:aws:kms:us-west-2:049306850934:key/aa11f6bf-94af-4464-b8ba-49fc824b777d'", it appears that your AWS DMS (Database Migration Service) doesn't have the necessary permissions to access the KMS key being used.

Looking at your KMS policy, I notice that you've granted permissions to the DMS Serverless service-linked role, but the error might be occurring because the regular DMS service role doesn't have the required permissions. DMS Serverless and standard DMS use different service roles.

To resolve this issue, you should:

  1. Add permissions for the standard DMS service role to your KMS key policy. Add a statement similar to the one you have for the DMS Serverless role, but for the regular DMS service role (typically named "dms-vpc-role" or similar).

  2. Ensure that the IAM role used by your DMS replication instance has the necessary permissions to use the KMS key. This role needs permissions for actions like kms:Encrypt, kms:Decrypt, kms:GenerateDataKey, and kms:DescribeKey.

  3. Check if you're using the correct KMS key ARN in your DMS configuration. The error specifically mentions a key ARN, so make sure this is the key you've configured in your policy.

  4. If you're using a cross-account setup, ensure that proper cross-account permissions are configured for the KMS key.

Additionally, since you mentioned that the initial data was migrated using a snapshot with a different KMS key, there might be a mismatch between the KMS keys used for the initial data and the incremental migration. Ensure that your DMS task is configured to use the correct KMS key that has the proper permissions.
Sources
How to resolve the error “Access denied for operation 'DeleteAlias'.” | AWS re:Post

answered 3 months ago
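The answer's steps 1 and 2 come down to one check: does the key policy name the principal DMS actually runs as, and does it grant that principal the four actions listed? The script below is an added example, not code from the question, the answer or AWS. It carries a constructed key policy that mirrors the asker's (the account id, the user name and the standard DMS role name `dms-vpc-role` are placeholders), evaluates which of the required actions the policy grants to a given principal ARN, and appends the statement step 1 asks for. Only principals named explicitly in the key policy are evaluated; permissions delegated through the account-root statement to IAM policies in that account, which is what step 2 is about, are not visible to this check, and statements carrying a `Condition` are conservatively treated as not granting anything.

```python
"""Check which KMS actions a key policy grants to a named principal.

Added example; the policy and ARNs below are constructed placeholders that
mirror the question, not the asker's real account, key or roles.
"""
import fnmatch
from copy import deepcopy

# Actions the answer's step 2 lists as required for the DMS role.
REQUIRED_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey", "kms:DescribeKey"]

# Placeholder principals (constructed). The standard DMS role name is assumed.
SERVERLESS_ROLE_ARN = ("arn:aws:iam::111122223333:role/aws-service-role/"
                       "dms.amazonaws.com/AWSServiceRoleForDMSServerless")
DMS_ROLE_ARN = "arn:aws:iam::111122223333:role/dms-vpc-role"

# Constructed key policy mirroring the asker's: root statement, the DMS
# Serverless statement, and the conditional CreateGrant statement.
ASKER_POLICY = {
    "Version": "2012-10-17",
    "Id": "key-consolepolicy-3",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "Allow DMS Serverless service-linked role", "Effect": "Allow",
         "Principal": {"AWS": SERVERLESS_ROLE_ARN},
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                    "kms:GenerateDataKey*", "kms:DescribeKey"],
         "Resource": "*"},
        {"Sid": "Allow DMS Serverless to create grants", "Effect": "Allow",
         "Principal": {"AWS": SERVERLESS_ROLE_ARN},
         "Action": "kms:CreateGrant", "Resource": "*",
         "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
    ],
}


def _as_list(value):
    """IAM lets Action and Principal.AWS be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_matches(statement, principal_arn):
    """True if the statement names this ARN (or everyone) in Principal.AWS."""
    principal = statement.get("Principal")
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p in ("*", principal_arn) for p in _as_list(principal.get("AWS")))
    return False


def _action_matches(pattern, action):
    """IAM action patterns are case-insensitive and support '*' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def effective_actions(policy, principal_arn, actions=REQUIRED_ACTIONS):
    """Subset of `actions` the key policy grants to `principal_arn`.

    Explicit Deny wins over Allow, as in IAM evaluation. Statements with a
    Condition are skipped (conservative: we cannot evaluate the condition here).
    """
    allowed, denied = set(), set()
    for statement in policy["Statement"]:
        if "Condition" in statement or not _principal_matches(statement, principal_arn):
            continue
        bucket = allowed if statement.get("Effect") == "Allow" else denied
        patterns = _as_list(statement.get("Action"))
        for action in actions:
            if any(_action_matches(p, action) for p in patterns):
                bucket.add(action)
    return allowed - denied


def missing_actions(policy, principal_arn, actions=REQUIRED_ACTIONS):
    """Required actions the policy does not grant, in the order given."""
    granted = effective_actions(policy, principal_arn, actions)
    return [a for a in actions if a not in granted]


def add_dms_role_statement(policy, role_arn, sid="Allow standard DMS role"):
    """Return a copy of the policy with the statement the answer's step 1 asks for."""
    fixed = deepcopy(policy)
    fixed["Statement"].append({
        "Sid": sid, "Effect": "Allow",
        "Principal": {"AWS": role_arn},
        "Action": list(REQUIRED_ACTIONS), "Resource": "*",
    })
    return fixed


if __name__ == "__main__":
    print("serverless role missing:", missing_actions(ASKER_POLICY, SERVERLESS_ROLE_ARN))
    print("standard role missing:  ", missing_actions(ASKER_POLICY, DMS_ROLE_ARN))
    fixed = add_dms_role_statement(ASKER_POLICY, DMS_ROLE_ARN)
    print("after fix, missing:     ", missing_actions(fixed, DMS_ROLE_ARN))
```

Run against the constructed policy, the Serverless role is fully covered while the standard role is missing all four actions; after `add_dms_role_statement` the standard role is covered too. To use it on a real key, pass the output of `aws kms get-key-policy --policy-name default` (parsed with `json.loads`) and the ARN of the role or service principal your replication instance or task actually uses, which is what step 3 of the answer tells you to confirm.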
