terraform-aws-modules/terraform-aws-dms

assumed-role/dms-engine-role-v9/DMS_ENGINE_ROLE is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::XXXXXXXX:role/dms-access-for-endpoint

pacesetterplus opened this issue · 3 comments

Description

Please provide a clear and concise description of the issue you are encountering, and a reproduction of your configuration (see the examples/* directory for references that you can copy+paste and tailor to match your configs if you are unable to copy your exact configuration). The reproduction MUST be executable by running terraform init && terraform apply without any further changes.

If your request is for a new feature, please use the Feature request template.

  • [x] ✋ I have searched the open/closed issues and my issue is not listed.

⚠️ Note

Before you submit an issue, please perform the following first:

  1. Remove the local .terraform directory (! ONLY if state is stored remotely, which hopefully you are following that best practice!): rm -rf .terraform/
  2. Re-initialize the project root to pull down modules: terraform init
  3. Re-attempt your terraform plan or apply and check if the issue still persists

Versions

  • Module version [Required]: 2.0.0

  • Terraform version: 1.5.5

  • Provider version(s): 5.13.1

Reproduction Code [Required]

Steps to reproduce the behavior:
The module planned and applied with no error. However, when running a replication task the following error occurs:

arn:aws:sts::XXXXXXXXXXXX:assumed-role/dms-engine-role-v9/DMS_ENGINE_ROLE is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::XXXXXXXXXXXX:role/dms-access-for-endpoint

The issue appears to be caused by the conditions added to the dms_assume_role policy document.

    condition {
      test     = "ArnLike"
      variable = "aws:SourceArn"
      values   = ["arn:${local.partition}:dms:${local.region}:${local.account_id}:*"]
    }

    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [local.account_id]
    }

Expected behavior

dms-engine-role-v9/DMS_ENGINE_ROLE should be able to assume dms-access-for-endpoint role

Actual behavior

DMS logged the following error:

arn:aws:sts::XXXXXXXXXXXX:assumed-role/dms-engine-role-v9/DMS_ENGINE_ROLE is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::XXXXXXXXXXXX:role/dms-access-for-endpoint

Terminal Output Screenshot(s)

Additional context

The condition mentioned appears to be because of the suggestion from AWS to avoid confused deputy problem.

The workaround used to resolve this is as follows:

  • Set create_iam_roles = false

  • Create the following resources:

data "aws_region" "current" {}
data "aws_partition" "current" {}
data "aws_caller_identity" "current" {}

locals {
  account_id = data.aws_caller_identity.current.account_id
  dns_suffix = data.aws_partition.current.dns_suffix
  partition  = data.aws_partition.current.partition
  region     = data.aws_region.current.name
}


data "aws_iam_policy_document" "dms_assume_role" {
  statement {
    actions = [
      "sts:AssumeRole",
      "sts:TagSession",
    ]

    principals {
      identifiers = ["dms.${local.dns_suffix}"]
      type        = "Service"
    }
  }
}

data "aws_iam_policy_document" "dms_assume_role_redshift" {
  source_policy_documents = [data.aws_iam_policy_document.dms_assume_role.json]

  statement {
    actions = [
      "sts:AssumeRole",
      "sts:TagSession",
    ]

    principals {
      identifiers = ["redshift.${local.dns_suffix}"]
      type        = "Service"
    }
  }
}

# DMS Endpoint
resource "aws_iam_role" "dms_access_for_endpoint" {
  name                  = "dms-access-for-endpoint"
  description           = "DMS IAM role for endpoint access permissions"
  assume_role_policy    = data.aws_iam_policy_document.dms_assume_role_redshift.json
  managed_policy_arns   = ["arn:${local.partition}:iam::aws:policy/service-role/AmazonDMSRedshiftS3Role"]
  force_detach_policies = true
}

# DMS CloudWatch Logs
resource "aws_iam_role" "dms_cloudwatch_logs_role" {
  name                  = "dms-cloudwatch-logs-role"
  description           = "DMS IAM role for CloudWatch logs permissions"
  assume_role_policy    = data.aws_iam_policy_document.dms_assume_role.json
  managed_policy_arns   = ["arn:${local.partition}:iam::aws:policy/service-role/AmazonDMSCloudWatchLogsRole"]
  force_detach_policies = true
}

# DMS VPC
resource "aws_iam_role" "dms_vpc_role" {
  name                  = "dms-vpc-role"
  description           = "DMS IAM role for VPC permissions"
  assume_role_policy    = data.aws_iam_policy_document.dms_assume_role.json
  managed_policy_arns   = ["arn:${local.partition}:iam::aws:policy/service-role/AmazonDMSVPCManagementRole"]
  force_detach_policies = true
}

This issue does not affect DMS engine version >= 3.4.7.
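To make the denial above concrete, here is a small stand-alone evaluator of the two trust-policy conditions the module generates (ArnLike on aws:SourceArn, StringEquals on aws:SourceAccount). It is an added example, not code from the module, the reporter, or AWS's own policy engine. The account ID, region and replication-instance ARNs are constructed sample values, and the "caller without source keys" context encodes the assumption the report implies: the older DMS engine path calls sts:AssumeRole without supplying aws:SourceArn / aws:SourceAccount, and an IAM condition whose key is absent from the request context evaluates to false (only the *IfExists operators tolerate a missing key).

```python
"""Minimal evaluator for the confused-deputy conditions on the DMS endpoint
role's trust policy. Illustrative only; not AWS's evaluation engine."""
import fnmatch
from typing import Dict, Tuple

PARTITION = "aws"
REGION = "us-east-1"
ACCOUNT_ID = "111111111111"  # constructed sample account ID, not a real one

# Condition block the module adds to the trust policy (as quoted in the report):
# the AssumeRole call must originate from a DMS resource in this account.
HARDENED_CONDITIONS = {
    "ArnLike": {"aws:SourceArn": f"arn:{PARTITION}:dms:{REGION}:{ACCOUNT_ID}:*"},
    "StringEquals": {"aws:SourceAccount": ACCOUNT_ID},
}

# Condition block of the workaround trust policy: none at all.
WORKAROUND_CONDITIONS: Dict[str, Dict[str, str]] = {}


def arn_like(pattern: str, value: str) -> bool:
    """ArnLike: each of the six colon-delimited ARN fields is matched on its own,
    with * and ? wildcards that never cross a field boundary."""
    p_parts, v_parts = pattern.split(":", 5), value.split(":", 5)
    if len(p_parts) != 6 or len(v_parts) != 6:
        return False
    return all(fnmatch.fnmatchcase(v, p) for p, v in zip(p_parts, v_parts))


OPERATORS = {
    "ArnLike": arn_like,
    "StringEquals": lambda expected, actual: expected == actual,
}


def conditions_satisfied(conditions: Dict[str, Dict[str, str]],
                         context: Dict[str, str]) -> Tuple[bool, str]:
    """Evaluate a Condition block against a request context.
    Every operator/key pair must match. A key missing from the context makes
    that condition false, which is exactly what sinks a caller that does not
    send the source keys."""
    for operator, pairs in conditions.items():
        match = OPERATORS[operator]
        for key, expected in pairs.items():
            if key not in context:
                return False, f"{operator}: {key} missing from request context"
            if not match(expected, context[key]):
                return False, f"{operator}: {key}={context[key]!r} does not match {expected!r}"
    return True, "all conditions satisfied"


# Constructed request contexts for sts:AssumeRole on dms-access-for-endpoint.
CONTEXTS = {
    # A caller that sets the source keys for a replication instance in this account.
    "same-account DMS caller": {
        "aws:SourceArn": f"arn:{PARTITION}:dms:{REGION}:{ACCOUNT_ID}:rep:SAMPLEREPLICATIONINSTANCE",
        "aws:SourceAccount": ACCOUNT_ID,
    },
    # Assumption drawn from the report's symptom: the older engine path sends
    # neither aws:SourceArn nor aws:SourceAccount.
    "caller without source keys": {},
    # The case the guard exists for: a DMS resource in another account is
    # pointed at this role (the confused deputy).
    "cross-account DMS caller": {
        "aws:SourceArn": f"arn:{PARTITION}:dms:{REGION}:222222222222:rep:OTHERACCOUNTINSTANCE",
        "aws:SourceAccount": "222222222222",
    },
}


def decision_table() -> Dict[str, Tuple[bool, bool]]:
    """Return {context name: (allowed by hardened policy, allowed by workaround)}."""
    table = {}
    for name, ctx in CONTEXTS.items():
        hardened, _ = conditions_satisfied(HARDENED_CONDITIONS, ctx)
        workaround, _ = conditions_satisfied(WORKAROUND_CONDITIONS, ctx)
        table[name] = (hardened, workaround)
    return table


if __name__ == "__main__":
    for name, ctx in CONTEXTS.items():
        for label, conds in (("hardened", HARDENED_CONDITIONS), ("workaround", WORKAROUND_CONDITIONS)):
            ok, why = conditions_satisfied(conds, ctx)
            print(f"{name:28} {label:10} {'ALLOW' if ok else 'DENY':5} {why}")
```

The table the script prints is the trade-off behind the workaround: dropping the conditions un-breaks the caller that omits the source keys, but it also admits the cross-account caller that the ArnLike/StringEquals guard was added to reject. If you adopt the workaround, treat the endpoint role as trusting any DMS resource in any account until you can move to an engine version that the guard works with.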

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.