Prerequisites for working with DMS Schema Conversion - AWS Database Migration Service

To set up DMS Schema Conversion, complete the following tasks. Then you can set up an instance profile, add data providers, and create a migration project.

Create a VPC based on Amazon VPC

In this step, you create a virtual private cloud (VPC) in your AWS account. This VPC is based on the Amazon Virtual Private Cloud (Amazon VPC) service and contains your AWS resources.

To create a VPC for DMS Schema Conversion
  1. Sign in to the AWS Management Console and open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. Choose Create VPC.

  3. On the Create VPC page, enter the following settings:

    • Resources to create – VPC and more

    • Name tag auto-generation – Choose Auto-generate and enter a globally unique name. For example, enter sc-vpc.

    • IPv4 CIDR block – 10.0.1.0/24

    • NAT gateways – In 1 AZ

    • VPC endpoints – None

  4. Keep the rest of the settings as they are, and then choose Create VPC.

  5. Choose Subnets, and take a note of your public and private subnet IDs.

    To connect to your Amazon RDS databases, create a subnet group that includes public subnets.

    To connect to your on-premises databases, create a subnet group that includes private subnets. For more information, see Step 1: Create an instance profile.

  6. Choose NAT gateways. Choose your NAT gateway and take a note of your Elastic IP address.

    Configure your network to make sure that AWS DMS can access your source on-premises database from this NAT gateway's public IP address. For more information, see Using an internet connection to a VPC.

Use this VPC when you create your instance profile and target databases on Amazon RDS.

Create an Amazon S3 bucket

To store information from your migration project, create an Amazon S3 bucket. DMS Schema Conversion uses this Amazon S3 bucket to save items such as assessment reports, converted SQL code, information about database schema objects, and so on.

To create an Amazon S3 bucket for DMS Schema Conversion
  1. Sign in to the AWS Management Console and open the Amazon S3 console at https://console.aws.amazon.com/s3/.

  2. Choose Create bucket.

  3. On the Create bucket page, select a globally unique name for your S3 bucket. For example, enter sc-s3-bucket.

  4. For AWS Region, choose your Region.

  5. For Bucket Versioning, choose Enable.

  6. Keep the rest of the settings as they are, and then choose Create bucket.

Store database credentials in AWS Secrets Manager

Store your source and target database credentials in AWS Secrets Manager. Make sure that you replicate these secrets to your AWS Region. DMS Schema Conversion uses these secrets to connect to your databases in the migration project.

To store your database credentials in AWS Secrets Manager
  1. Sign in to the AWS Management Console and open the AWS Secrets Manager console at https://console.aws.amazon.com/secretsmanager/.

  2. Choose Store a new secret.

  3. The Choose secret type page opens. For Secret type, choose the type of database credentials to store:

    • Credentials for Amazon RDS database – Choose this option to store credentials for your Amazon RDS database. For Credentials, enter the credentials for your database. For Database, choose your database.

    • Credentials for other database – Choose this option to store credentials for your source Oracle or SQL Server databases. For Credentials, enter the credentials for your database.

    • Other type of secret – Choose this option to store only the user name and password to connect to your database. Choose Add row to add two key-value pairs. Make sure that you use username and password for key names. For values related to these keys, enter the credentials for your database.

  4. For Encryption key, choose the AWS KMS key that Secrets Manager uses to encrypt the secret value. Choose Next.

  5. On the Configure secret page, enter a descriptive Secret name. For example, enter sc-source-secret or sc-target-secret.

  6. Choose Replicate secret and then for AWS Region choose your Region. Choose Next.

  7. On the Configure rotation page, choose Next.

  8. On the Review page, review your secret details, and then choose Store.

To store credentials for your source and target databases, repeat these steps.

Create IAM roles

Create AWS Identity and Access Management (IAM) roles to use in your migration project. DMS Schema Conversion uses these IAM roles to access your Amazon S3 bucket and database credentials stored in AWS Secrets Manager.

To create an IAM role that provides access to your Amazon S3 bucket
  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Roles.

  3. Choose Create role.

  4. On the Select trusted entity page, choose AWS service. Choose DMS.

  5. Choose Next. The Add permissions page opens.

  6. For Filter policies, enter S3. Choose AmazonS3FullAccess.

  7. Choose Next. The Name, review, and create page opens.

  8. For Role name, enter a descriptive name. For example, enter sc-s3-role. Choose Create role.

  9. On the Roles page, enter sc-s3-role for Role name. Choose sc-s3-role.

  10. On the sc-s3-role page, choose the Trust relationships tab. Choose Edit trust policy.

  11. On the Edit trust policy page, edit the trust relationships for the role to use the schema-conversion.dms.amazonaws.com service principal as the trusted entity.

  12. Choose Update trust policy.

To create an IAM role that provides access to AWS Secrets Manager
  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Roles.

  3. Choose Create role.

  4. On the Select trusted entity page, choose AWS service. Choose DMS.

  5. Choose Next. The Add permissions page opens.

  6. For Filter policies, enter Secret. Choose SecretsManagerReadWrite.

  7. Choose Next. The Name, review, and create page opens.

  8. For Role name, enter a descriptive name. For example, enter sc-secrets-manager-role. Choose Create role.

  9. On the Roles page, enter sc-secrets-manager-role for Role name. Choose sc-secrets-manager-role.

  10. On the sc-secrets-manager-role page, choose the Trust relationships tab. Choose Edit trust policy.

  11. On the Edit trust policy page, edit the trust relationships for the role to use schema-conversion.dms.amazonaws.com and your AWS DMS regional service principal as the trusted entities. This AWS DMS regional service principal has the following format.

    dms.region-name.amazonaws.com

    Replace region-name with the name of your Region, such as us-east-1.

    The following code example shows the principal for the us-east-1 Region.

    dms.us-east-1.amazonaws.com

    The following code example shows a trust policy for accessing AWS DMS schema conversion.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "Service": "dms.us-east-1.amazonaws.com"
                },
                "Action": "sts:AssumeRole"
            },
            {
                "Effect": "Allow",
                "Principal": {
                    "Service": "schema-conversion.dms.amazonaws.com"
                },
                "Action": "sts:AssumeRole"
            }
        ]
    }

  12. Choose Update trust policy.
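
The following added example (not part of the AWS documentation) checks a saved trust policy against the principals named in step 11 of both role procedures: the S3 role should trust only schema-conversion.dms.amazonaws.com, and the Secrets Manager role should also trust the regional principal. The function name audit_trust_policy and the second sample policy are assumptions made for illustration.

```python
import json

SC_PRINCIPAL = "schema-conversion.dms.amazonaws.com"

# The trust policy shown above (us-east-1), used as sample input.
PAGE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "dms.us-east-1.amazonaws.com"},
     "Action": "sts:AssumeRole"},
    {"Effect": "Allow", "Principal": {"Service": SC_PRINCIPAL},
     "Action": "sts:AssumeRole"}]})

# Constructed sample: a role that trusts dms.amazonaws.com instead.
OTHER_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "dms.amazonaws.com"},
     "Action": "sts:AssumeRole"}]})


def audit_trust_policy(policy_json, region=None):
    """Return findings; an empty list means exactly the expected principals.

    region=None checks the S3 role (schema conversion principal only);
    a Region name also expects dms.<region>.amazonaws.com (Secrets Manager role).
    """
    wanted = {SC_PRINCIPAL}
    if region:
        wanted.add(f"dms.{region}.amazonaws.com")
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # IAM accepts a single statement object
        statements = [statements]
    seen, findings = set(), []
    for i, stmt in enumerate(statements):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            principal = {"AWS": "*"}  # bare wildcard: anyone may assume the role
        for kind, values in principal.items():
            for value in [values] if isinstance(values, str) else values:
                if kind == "Service" and value in wanted:
                    seen.add(value)
                else:
                    findings.append(f"statement {i}: unexpected {kind} principal {value}")
    findings += [f"missing service principal {p}" for p in sorted(wanted - seen)]
    return findings


if __name__ == "__main__":
    print(audit_trust_policy(PAGE_POLICY, "us-east-1"))
    print(audit_trust_policy(OTHER_POLICY))
```

Run it against the JSON copied from the Trust relationships tab; any finding means the role trusts a principal other than the ones listed in step 11, or is missing one of them.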