How can I troubleshoot Amazon S3 endpoint connection test failures when using AWS DMS?

Last updated: 2019-09-26

I'm using Amazon Simple Storage Service (Amazon S3) as the source or target endpoint for my AWS Database Migration Service (AWS DMS) task. I received an error message because my endpoint connection test failed. How do I troubleshoot and resolve endpoint connectivity failures?

Short Description

If the AWS Identity and Access Management (IAM) role that the Amazon S3 endpoint uses doesn't have the appropriate permissions configured, you see one of the following log entries:

Messages:

- Test Endpoint failed: Application-Status: 1020912, Application-Message: Failed to connect to S3 endpoint. Access denied.

- Test Endpoint failed: Application-Status: 1020912, Application-Message: Failed to list bucket wan-dms Failed to connect to database., Application-Detailed-Message: failed to list bucket wan-dms AWS failed to list bucket List bucket failed with exception 'AccessDenied', message 'Access Denied', error type '15' AWS failed to list bucket Not retriable error: Access Denied

- Test Endpoint failed: Application-Status: 1020912, Application-Message: Failed to connect to database.
  Error Details: [message=putDatabase call failed, errType=ERROR_RESPONSE, status=1020414, errMessage= Failed to connect to database., errDetails=]

Resolution

To resolve these errors, grant the minimum IAM permissions that are required to access the Amazon S3 source endpoint. See the following IAM policy example for an Amazon S3 source endpoint:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::bucket-name",
        "arn:aws:s3:::bucket-name/*"
      ]
    }
  ]
}

Note: Replace bucket-name with your own bucket name.

Important: Amazon S3 source and target endpoints have different minimum permissions for AWS DMS. For target endpoint permissions, see Prerequisites for Using Amazon S3 as a Target.

To troubleshoot permissions errors, follow these steps:

1.    Confirm that the IAM role has the minimum permissions required to access the Amazon S3 endpoint.

2.    Confirm that the bucket name specified for the Amazon S3 source endpoint matches the resource allowed in the IAM role. For example, the IAM role allows access to only one bucket, such as bucket-name in the previous example policy. But if another-bucket-name is specified in the Bucket name of the Amazon S3 source endpoint, then the test connection fails.

3.    Confirm that dms.amazonaws.com is the trusted entity associated with the IAM role. For more information, see Editing the Trust Relationship for an Existing Role and the following example trust policy for AWS DMS:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "dms.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

4.    If you use AWS Organizations, confirm that the IAM role used is part of an organization that allows access to Amazon S3. If your organization doesn't allow access, AWS DMS can't connect to the Amazon S3 endpoint using that IAM role, even if the role itself has all the required permissions. In that case, contact your account administrator to allow Amazon S3 access for your organization.
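The following added example (not AWS-provided code) turns steps 1 through 3 into a static pre-check you can run offline before retesting the endpoint: it takes the role's permissions policy and trust policy as Python dicts (here constructed from the two example policies on this page) plus the bucket name entered on the endpoint, and reports which of the article's checks would fail. It evaluates only Allow statements and does not replace IAM's full evaluation logic (Deny statements, SCPs, bucket policies).

```python
import fnmatch

# Constructed sample policies copied from the article's two examples (not AWS-provided code).
PERMISSIONS_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::bucket-name", "arn:aws:s3:::bucket-name/*"]}]}
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "", "Effect": "Allow",
    "Principal": {"Service": "dms.amazonaws.com"},
    "Action": "sts:AssumeRole"}]}

def _as_list(value):
    """IAM lets Action, Resource and Service be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def _allows(policy, action, resource):
    """True if some Allow statement matches the action and resource (IAM wildcards honoured).
    Deny statements are ignored: this is a static pre-check, not IAM's full evaluation."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if any(fnmatch.fnmatchcase(action, a) for a in actions) and \
           any(fnmatch.fnmatchcase(resource, r) for r in resources):
            return True
    return False

def trusts_dms(trust_policy):
    """Step 3: dms.amazonaws.com must be allowed to call sts:AssumeRole on the role."""
    for stmt in trust_policy.get("Statement", []):
        services = _as_list(stmt.get("Principal", {}).get("Service", []))
        if stmt.get("Effect") == "Allow" and "dms.amazonaws.com" in services \
           and "sts:AssumeRole" in _as_list(stmt.get("Action", [])):
            return True
    return False

def check_s3_source_role(bucket, permissions_policy, trust_policy):
    """Return the article checks (steps 1 to 3) that fail for this bucket; an empty list means pass."""
    failures = []
    if not _allows(permissions_policy, "s3:ListBucket", f"arn:aws:s3:::{bucket}"):
        failures.append(f"s3:ListBucket not allowed on arn:aws:s3:::{bucket}")
    if not _allows(permissions_policy, "s3:GetObject", f"arn:aws:s3:::{bucket}/*"):
        failures.append(f"s3:GetObject not allowed on arn:aws:s3:::{bucket}/*")
    if not trusts_dms(trust_policy):
        failures.append("trust policy does not allow dms.amazonaws.com to sts:AssumeRole")
    return failures
```

Running the check with "another-bucket-name" reproduces the mismatch described in step 2: both S3 checks fail even though the policy itself is correct for bucket-name.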