I have a situation where I need to migrate an on-prem environment to AWS. The tool of choice is AWS MGN (Application Migration). I am following AWS's documentation on loading and using the agent on the source application:
https://docs.aws.amazon.com/mgn/latest/ug/windows-agent.html
The documentation clearly states the need for an access key and secret key. Our environment is set up with a root account with limited users and the team accesses the AWS environment in other accounts (e.g. dev/test/prod/etc.) via SSO. The MGN service also creates four roles:
- AWSApplicationMigrationConversionServerRole
- AWSApplicationMigrationMGHRole
- AWSApplicationMigrationReplicationServerRole
- AWSServiceRoleForApplicationMigrationService
I know you can use 'aws sts assume-role' to glean off the keys needed, e.g.:
# Populate the JSON from assume-role first (role ARN and profile are placeholders)
test_assume_role_json=$(aws sts assume-role --role-arn "arn:aws:iam::<ACCOUNT_ID>:role/<ROLE_NAME>" --role-session-name test --profile test)
AWS_SESSION_TOKEN=$(echo "$test_assume_role_json" | jq -r '.Credentials.SessionToken')
export AWS_SESSION_TOKEN
AWS_ACCESS_KEY_ID=$(echo "$test_assume_role_json" | jq -r '.Credentials.AccessKeyId')
export AWS_ACCESS_KEY_ID
AWS_SECRET_ACCESS_KEY=$(echo "$test_assume_role_json" | jq -r '.Credentials.SecretAccessKey')
export AWS_SECRET_ACCESS_KEY
These roles are created by AWS and I can't edit them to try and give my SSO user access (I can't 'aws sts assume-role' these from the CLI), so assuming these roles directly is not possible. I also cannot create a role that uses AWS-managed policies.
I am not really sure if what I want to do is possible, or if there is a simple solution that I'm just not seeing.
EDIT: I was actually successful in creating a test role with the following policies on the account that I wanted to migrate into:
- AdministratorAccess (AWS managed policy)
- AWSApplicationMigrationAgentPolicy (AWS managed policy)
- AWSApplicationMigrationFullAccess (AWS managed policy)
- AWSApplicationMigrationMGHAccess (AWS managed policy)
- AWSApplicationMigrationReadOnlyAccess (AWS managed policy)
- AWSApplicationMigrationEC2Access (AWS managed policy)
- AWSApplicationMigrationConversionServerPolicy (AWS managed policy)
- AWSApplicationMigrationReplicationServerPolicy (AWS managed policy)
I then ran assume-role to get the access key and secret key:
C:\>aws sts assume-role --role-arn "arn:aws:iam::<REDACTED>:role/ApplicationMigrationTester" --role-session-name test --profile test
{
"Credentials": {
"AccessKeyId": "<REDACTED>",
"SecretAccessKey": "<REDACTED>",
"SessionToken": "<REDACTED>",
"Expiration": "2021-07-15T22:55:08+00:00"
},
"AssumedRoleUser": {
"AssumedRoleId": "<REDACTED>:test",
"Arn": "arn:aws:sts::<REDACTED>:assumed-role/ApplicationMigrationTester/test"
}
}
I tried to run the agent again as Administrator using those values when prompted:
C:\>.\AwsReplicationWindowsInstaller.exe
The installation of the AWS Replication Agent has started.
AWS Region Name: us-east-1
AWS Access Key ID: <REDACTED>
AWS Secret Access Key:
Verifying that the source server has enough free disk space to install the AWS Replication Agent.
(a minimum of 2 GB of free disk space is required)
Identifying volumes for replication.
Choose the disks you want to replicate. Your disks are: c:
To replicate some of the disks, type the path of the disks, separated with a comma (for example, C:,D:). To replicate all disks, press Enter:
Disk to replicate identified: c:0 of size 620 GiB
All volumes for replication were successfully identified.
Downloading the AWS Replication Agent onto the source server...
Failed to validate AWS credentials
Installation failed.
Learn more about installation issues in our documentation at https://docs.aws.amazon.com/mgn/latest/ug/Troubleshooting-Agent-Issues.html#Error-Installation-Failed
Press Enter to close...
As you can see, it errored out. I put in a ticket to AWS to see if my approach is even currently feasible. When they respond, I will update.
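An added example, not part of the question and not AWS's own tooling: a small Python helper that parses assume-role output shaped like the JSON above into its three parts and flags a credential set that would not validate, because STS temporary credentials (access key IDs beginning with ASIA) are only accepted together with their session token and only until the stated Expiration. The sample JSON is constructed with placeholder values.

```python
import json
from datetime import datetime, timezone

# Constructed sample mirroring the shape of `aws sts assume-role` output
# (all values are placeholders, not real credentials).
SAMPLE_ASSUME_ROLE_JSON = """{
  "Credentials": {
    "AccessKeyId": "ASIAEXAMPLEPLACEHOLDER",
    "SecretAccessKey": "secretplaceholder",
    "SessionToken": "tokenplaceholder",
    "Expiration": "2021-07-15T22:55:08+00:00"
  },
  "AssumedRoleUser": {
    "AssumedRoleId": "AROAEXAMPLE:test",
    "Arn": "arn:aws:sts::123456789012:assumed-role/ApplicationMigrationTester/test"
  }
}"""


def parse_credentials(assume_role_json):
    """Return the three credential parts plus expiry as a dict."""
    creds = json.loads(assume_role_json)["Credentials"]
    return {
        "access_key_id": creds["AccessKeyId"],
        "secret_access_key": creds["SecretAccessKey"],
        "session_token": creds.get("SessionToken"),
        "expiration": datetime.fromisoformat(creds["Expiration"]),
    }


def check_credential_set(creds, now=None):
    """Classify a credential set and list reasons it would fail validation.

    Temporary STS keys (AccessKeyId starting with ASIA) are only valid when
    presented together with their session token, and only until expiry;
    long-term IAM user keys start with AKIA and carry no token.
    """
    now = now or datetime.now(timezone.utc)
    problems = []
    temporary = creds["access_key_id"].startswith("ASIA")
    if temporary and not creds["session_token"]:
        problems.append("temporary key presented without its session token")
    if temporary and creds["expiration"] <= now:
        problems.append("temporary credentials expired at %s" % creds["expiration"].isoformat())
    return {"temporary": temporary, "problems": problems}


def env_exports(creds):
    """Render the shell export lines for the full credential set (token included)."""
    lines = ["export AWS_ACCESS_KEY_ID=%s" % creds["access_key_id"],
             "export AWS_SECRET_ACCESS_KEY=%s" % creds["secret_access_key"]]
    if creds["session_token"]:
        lines.append("export AWS_SESSION_TOKEN=%s" % creds["session_token"])
    return lines
```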