terraform-aws-modules / terraform-aws-dms

Terraform module to create AWS DMS (Database Migration Service) resources 🇺🇦
https://registry.terraform.io/modules/terraform-aws-modules/dms/aws
Apache License 2.0

dms-access-for-endpoint Assume Role Incomplete #5

Closed wyrembelski closed 2 years ago

wyrembelski commented 2 years ago

When using the module to create the necessary roles, the assume role policy for dms-access-for-endpoint doesn't contain anything for the destination database, i.e. Redshift. Here is the created policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "1",
      "Effect": "Allow",
      "Principal": {
        "Service": "dms.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```

And here is the recommended policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "1",
      "Effect": "Allow",
      "Principal": {
        "Service": "dms.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Sid": "2",
      "Effect": "Allow",
      "Principal": {
        "Service": "redshift.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```

When this is not in place we get errors like the below because the role is not authorized to access Redshift:

```
ERROR: Not authorized to get credentials of role arn:aws:iam::236034010305:role/dms-access-for-endpoint
DETAIL:
  -----------------------------------------------
  error:     Not authorized to get credentials of role arn:aws:iam::236034010305:role/dms-access-for-endpoint
  code:      30000
  context:
  query:     1350112
  location:  xen_aws_credentials_mgr.cpp:392
  process:   padbmaster [pid=14265]
  ------
[1022502] (ar_odbc_stmt.c:4815)
```

Do you have any suggestions for how to make sure this second redshift policy can get created and applied for the trust relationship?
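The trust relationship described in the report above is something worth checking before a migration is run, rather than discovering it from the Redshift `Not authorized to get credentials of role` error. The following is an added example, not code from the module or from the reporter: it parses an IAM assume-role policy document, lists which service principals are actually allowed `sts:AssumeRole`, reports the ones a DMS-to-Redshift endpoint role needs that are absent, and emits a corrected document that appends one statement per missing principal. The sample policy embedded in it is constructed from the one quoted in the issue; the function names and the `REQUIRED_SERVICES` tuple are this example's own.

```python
"""Check an IAM role trust policy for the service principals a DMS endpoint
role needs, and produce a corrected document when some are missing.

Added example for the issue above; not part of terraform-aws-dms."""
from __future__ import annotations

import json
from typing import Iterable

# Constructed sample: the trust policy the reporter says the module generated.
# Only dms.amazonaws.com may assume the role; redshift.amazonaws.com cannot.
GENERATED_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "1",
            "Effect": "Allow",
            "Principal": {"Service": "dms.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }
    ],
})

# Service principals the endpoint role must trust for a DMS -> Redshift target
# (assumption of this example, matching the recommended policy in the issue):
# DMS assumes the role to drive the endpoint, and Redshift assumes it when it
# fetches credentials for the load, which is the call that fails in the report.
REQUIRED_SERVICES = ("dms.amazonaws.com", "redshift.amazonaws.com")


def _as_list(value):
    """IAM accepts a scalar or a list for Statement, Action and Principal.Service."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def trusted_services(policy_doc: str) -> set[str]:
    """Service principals granted sts:AssumeRole by the policy's Allow statements."""
    doc = json.loads(policy_doc)
    services: set[str] = set()
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        principal = stmt.get("Principal")
        if not isinstance(principal, dict):
            continue  # e.g. "*": not a service principal, and IAM rejects it on role trust policies
        services.update(_as_list(principal.get("Service")))
    return services


def missing_services(policy_doc: str,
                     required: Iterable[str] = REQUIRED_SERVICES) -> list[str]:
    """Required service principals the trust policy does not allow, in input order."""
    trusted = trusted_services(policy_doc)
    return [svc for svc in required if svc not in trusted]


def with_service_principals(policy_doc: str,
                            required: Iterable[str] = REQUIRED_SERVICES) -> str:
    """Return the policy with one Allow/sts:AssumeRole statement appended per
    missing service principal. Existing statements are left untouched, and new
    Sids are chosen so they do not collide with existing ones."""
    doc = json.loads(policy_doc)
    statements = _as_list(doc.get("Statement"))
    used_sids = {s.get("Sid") for s in statements}
    for svc in missing_services(policy_doc, required):
        sid = len(statements) + 1
        while str(sid) in used_sids:
            sid += 1
        used_sids.add(str(sid))
        statements.append({
            "Sid": str(sid),
            "Effect": "Allow",
            "Principal": {"Service": svc},
            "Action": "sts:AssumeRole",
        })
    doc["Statement"] = statements
    return json.dumps(doc, indent=2)


if __name__ == "__main__":
    print("missing:", missing_services(GENERATED_TRUST_POLICY))
    print(with_service_principals(GENERATED_TRUST_POLICY))
```

Run it against the document returned by `aws iam get-role` (the `AssumeRolePolicyDocument` field) or against the rendered `assume_role_policy` in a `terraform plan` before applying. Adding a second service principal widens who can assume the role, so when you do it by hand, keep the rest of the role minimal (only the permissions the endpoint needs) and consider scoping each statement with an `aws:SourceAccount` condition so another account's resources cannot use the trust.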

bryantbiggs commented 2 years ago

this should be fixed in https://github.com/clowdhaus/terraform-aws-dms/releases/tag/v1.0.3 now - let me know if not

github-actions[bot] commented 1 year ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.