There are a number of DMS endpoints that access RDS instances using a Secrets Manager secret.
One of these endpoints is configured identically to all the others, but when the test-connection command is issued, the result is an error.
Test Endpoint failed: Application-Status: 1020912, Application-Message: Cannot connect to SQL Server Unable to find Secrets Manager secret, Application-Detailed-Message: Failed to retrieve secret. Unable to find AWS Secrets Manager secret Arn 'arn:aws:secretsmanager:us-east-1:XXXXXXXXX:secret:XXX-tsm-rpt-blu-use1-rds-master-secret-Jkf6ugXj-vFN1l7'
Another task using the same endpoint fails with a slightly different error.
Test Endpoint failed: Application-Status: 1020912, Application-Message: Cannot connect to SQL Server Unable to find Secrets Manager secret, Application-Detailed-Message: Failed to retrieve secret. Unable to find AWS Secrets Manager secret Arn 'arn:aws:secretsmanager:us-east-1:XXXX:secret:XXX-tsm-rpt-blu-use1-rds-master-secret-Jkf6ugXj-vFN1l7' The secrets_manager get secret value failed: curlCode: 7, Couldn't connect to server Too many retries: curlCode: 7, Couldn't connect to server
dms list-secrets
returns the secret ARN used in the failing endpoint.
{
"ARN": "arn:aws:secretsmanager:us-east-1:XXXX:secret:XXX-tsm-rpt-blu-use1-rds-master-secret-Jkf6ugXj-vFN1l7",
"Name": "XXX-tsm-rpt-blu-use1-rds-master-secret-Jkf6ugXj",
...
}
The get-secret-value command returns the value for the ARN.
dms get-secret-value --secret-id XXX-tsm-rpt-blu-use1-rds-master-secret-Jkf6ugXj
{
"ARN": "arn:aws:secretsmanager:us-east-1:986204609104:secret:crem-tsm-rpt-blu-use1-rds-master-secret-Jkf6ugXj-vFN1l7",
"Name": "crem-tsm-rpt-blu-use1-rds-master-secret-Jkf6ugXj",
"VersionId": "52C346EC-13B1-46A8-946E-665C3B1559CF",
...
}
I don't think this is a network configuration problem, because if the network configuration were wrong I would see timeout errors, and the other endpoints are able to retrieve the secret.
This is the policy being used.
{
"Statement": [
{
"Action": "secretsmanager:GetSecretValue",
"Effect": "Allow",
"Resource": "arn:aws:secretsmanager:us-east-1:xxxx:secret:xxx-tsm-rpt-blu-use1-rds-master-secret-Jkf6ugXj-vFN1l7"
},
{
"Action": [
"kms:Decrypt",
"kms:DescribeKey"
],
"Effect": "Allow",
"Resource": "arn:aws:kms:us-east-1:xxxx:key/xxxx"
}
],
"Version": "2012-10-17"
}
There is an IAM role with the above policy attached, with the following assume role (trust) policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "dms.us-east-1.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
The IAM role above is attached to the DMS endpoint.
A VPC endpoint com.amazonaws.us-east-1.secretsmanager is already configured for the VPC.
Other endpoints with the same configuration can access the RDS instance without error.
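One way to rule the IAM side in or out before touching the network, as an added example that is not part of the original post: a small offline checker that evaluates the identity policy and the role trust policy the way a practitioner would reason about them by hand. It uses constructed ARNs (account 111122223333, a secret named app-rds-master-secret with the random suffix AbCdEf that Secrets Manager appends to the ARN, a constructed KMS key id) rather than the masked values above, and it implements only Effect/Action/Resource with the `*` and `?` wildcards: no Condition, NotAction, NotResource or resource-based policies. Action names are compared case-insensitively and resource ARNs case-sensitively, which is the assumption this checker makes about IAM matching. The three identity-policy variants show the usual pitfall with Secrets Manager ARNs: the policy must carry the random suffix, or end the name with `-*`.

```python
"""Offline sanity checker for the IAM pieces of a DMS -> Secrets Manager setup.

Constructed example: a deliberately simplified IAM evaluator (Effect, Action,
Resource, '*' and '?' wildcards only). It is not AWS's evaluation engine.
"""
import re

# ---- constructed sample data (not the ARNs from the post) ------------------
ACCOUNT = "111122223333"
SECRET_ARN = f"arn:aws:secretsmanager:us-east-1:{ACCOUNT}:secret:app-rds-master-secret-AbCdEf"
KMS_KEY_ARN = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/0f3c2d7e-1a2b-4c5d-8e9f-000011112222"
VPC_ENDPOINT_SERVICE = "com.amazonaws.us-east-1.secretsmanager"
DMS_PRINCIPAL = "dms.us-east-1.amazonaws.com"


def _policy(secret_resource: str) -> dict:
    """Identity policy shaped like the one in the post, parameterised on the secret ARN."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue", "Resource": secret_resource},
            {"Effect": "Allow", "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": KMS_KEY_ARN},
        ],
    }


# Full ARN including the random suffix: matches.
POLICY_EXACT = _policy(SECRET_ARN)
# Secret *name* only, suffix left off: does NOT match the real ARN.
POLICY_NO_SUFFIX = _policy(f"arn:aws:secretsmanager:us-east-1:{ACCOUNT}:secret:app-rds-master-secret")
# Name plus trailing wildcard, the usual way to avoid hard-coding the suffix: matches.
POLICY_WILDCARD = _policy(f"arn:aws:secretsmanager:us-east-1:{ACCOUNT}:secret:app-rds-master-secret-*")

TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"Service": DMS_PRINCIPAL}, "Action": "sts:AssumeRole"}
    ],
}


# ---- simplified IAM matching -------------------------------------------------
def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob_match(pattern: str, target: str, case_insensitive: bool) -> bool:
    # IAM wildcards: '*' is any run of characters, '?' is exactly one.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    flags = re.IGNORECASE if case_insensitive else 0
    return re.fullmatch(regex, target, flags) is not None


def _any_match(patterns, target: str, case_insensitive: bool) -> bool:
    return any(_glob_match(p, target, case_insensitive) for p in _as_list(patterns))


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Explicit Deny wins; otherwise any matching Allow grants; otherwise implicit deny."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        if "Action" not in stmt or "Resource" not in stmt:
            continue  # NotAction / NotResource statements are out of scope here
        if not _any_match(stmt["Action"], action, case_insensitive=True):
            continue
        if not _any_match(stmt["Resource"], resource, case_insensitive=False):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed


def service_can_assume(trust_policy: dict, service_principal: str) -> bool:
    """True if some Allow statement lets the given service principal call sts:AssumeRole."""
    for stmt in _as_list(trust_policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if not _any_match(stmt.get("Action", []), "sts:AssumeRole", case_insensitive=True):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            return True
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if service_principal in services:
            return True
    return False


def arn_region(arn: str) -> str:
    return arn.split(":")[3]  # arn:partition:service:region:account:...


def vpc_endpoint_region(service_name: str) -> str:
    return service_name.split(".")[2]  # com.amazonaws.<region>.secretsmanager


def diagnose(identity_policy, trust_policy, secret_arn, kms_key_arn, vpce_service, dms_principal) -> dict:
    """Each value should be True for the role/endpoint combination to work."""
    return {
        "get_secret_value_allowed": is_allowed(identity_policy, "secretsmanager:GetSecretValue", secret_arn),
        "kms_decrypt_allowed": is_allowed(identity_policy, "kms:Decrypt", kms_key_arn),
        "dms_can_assume_role": service_can_assume(trust_policy, dms_principal),
        "vpce_region_matches_secret": vpc_endpoint_region(vpce_service) == arn_region(secret_arn),
    }


if __name__ == "__main__":
    for label, pol in [("exact", POLICY_EXACT), ("no-suffix", POLICY_NO_SUFFIX), ("wildcard", POLICY_WILDCARD)]:
        print(label, diagnose(pol, TRUST_POLICY, SECRET_ARN, KMS_KEY_ARN, VPC_ENDPOINT_SERVICE, DMS_PRINCIPAL))
```

Feed it the real policy JSON and the ARN from `describe-secret` (unmasked, copied verbatim) and any False in the result points at something to fix before chasing the network; if everything comes back True, the remaining suspects are the pieces this checker deliberately ignores (resource policy on the secret or the KMS key, Condition blocks, and the VPC endpoint's security group and DNS settings).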