How can I troubleshoot Amazon S3 endpoint connection test failures when using AWS DMS?

Last updated: 2022-09-20

I'm using Amazon Simple Storage Service (Amazon S3) as the source or target endpoint for my AWS Database Migration Service (AWS DMS) task. I received an error message because my endpoint connection test failed. How do I troubleshoot and resolve endpoint connectivity failures?

Short description

You must have the right permissions configured for the AWS Identity and Access Management (IAM) role that is using the Amazon S3 endpoint. If you don't have the right permissions, then you see one of the following entries:

Message:

  • Test Endpoint failed: Application-Status: 1020912, Application-Message: Failed to connect to S3 endpoint. Access denied.
  • Test Endpoint failed: Application-Status: 1020912, Application-Message: Failed to list bucket wan-dms Failed to connect to database., Application-Detailed-Message: failed to list bucket wan-dms AWS failed to list bucket List bucket failed with exception 'AccessDenied', message 'Access Denied', error type '15' AWS failed to list bucket Not retriable error: Access Denied
  • Test Endpoint failed: Application-Status: 1020912, Application-Message: Failed to connect to database.
  • Error Details: [message=putDatabase call failed, errType=ERROR_RESPONSE, status=1020414, errMessage= Failed to connect to database., errDetails=]

Resolution

Note: When you use Amazon S3 as a source or target for AWS DMS, be sure to first review the following articles:

To resolve these errors, grant the minimum IAM permissions that are required to access the Amazon S3 endpoint. Amazon S3 source and target endpoints have different minimum permissions for AWS DMS.

See the following IAM policy example for an Amazon S3 source endpoint:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::awsexamplebucket",
        "arn:aws:s3:::awsexamplebucket/*"
      ]
    }
  ]
}

Note: Replace awsexamplebucket with your own bucket name.

See the following IAM policy example for an Amazon S3 as target endpoint:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:PutObjectTagging"
      ],
      "Resource": [
        "arn:aws:s3:::awsexamplebucket/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::awsexamplebucket"
      ]
    }
  ]
}

Note: Replace awsexamplebucket with your own bucket name.

To troubleshoot permissions errors, follow these steps:

1.    Confirm that the IAM role has the minimum permissions required to access the Amazon S3 endpoint.

2.    Confirm that the bucket name specified for the Amazon S3 endpoint matches the resource allowed in the IAM role. For example, the IAM role allows access to only one bucket, such as awsexamplebucket in the previous example policy. But if awsexamplebucket2 is specified in the Bucket name of the Amazon S3 endpoint, then the test connection fails.

3.    Confirm that dms.amazonaws.com is the trusted entity associated with the IAM role. For more information, see Editing the trust relationship for an existing role and the following example trust policy for AWS DMS:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "dms.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

4.    If you use AWS Organizations, then confirm that the IAM role used is part of an organization that allows access to Amazon S3. If your organization doesn't allow access, then AWS DMS can't connect to the Amazon S3 endpoint using that IAM role—even if the role has all the required permissions. If your organization doesn't allow access, contact your account administrator to allow Amazon S3 access to your organization.

5.    If your replication instance version is 3.4.7 or higher, make sure to take one of the following steps.

        Make your replication instance subnets publicly routable. Add an Internet Gateway (IGW) route to the VPC that's used by your AWS DMS replication instance.

        -or-

        Create VPC endpoints so that your replication instance can access all source and target endpoints that are used by AWS DMS. For more information, see Preparing a migration to AWS DMS versions 3.4.7 and higher.