Can you use AWS MGN (Application Migration) without an explicitly created access key and secret key?
I have a situation where I need to migrate an on-premises environment to AWS. The chosen tool is AWS MGN (Application Migration). I am following the AWS documentation on installing and using the agent on the source application:
https://docs.aws.amazon.com/mgn/latest/ug/windows-agent.html
The documentation explicitly states that an access key and secret key are required. Our environment is set up with a root account that has a limited set of users, and the team accesses the AWS environments in the other accounts (e.g. dev/test/prod/etc) via SSO. The MGN service also created four roles:
- AWSApplicationMigrationConversionServerRole
- AWSApplicationMigrationMGHRole
- AWSApplicationMigrationReplicationServerRole
- AWSServiceRoleForApplicationMigrationService
I know you can use 'aws sts assume-role' to gather the required keys, for example:
# $test_assume_role_json holds the JSON printed by 'aws sts assume-role'
AWS_SESSION_TOKEN=$(echo "$test_assume_role_json" | jq -r '.Credentials.SessionToken')
export AWS_SESSION_TOKEN
AWS_ACCESS_KEY_ID=$(echo "$test_assume_role_json" | jq -r '.Credentials.AccessKeyId')
export AWS_ACCESS_KEY_ID
AWS_SECRET_ACCESS_KEY=$(echo "$test_assume_role_json" | jq -r '.Credentials.SecretAccessKey')
export AWS_SECRET_ACCESS_KEY
These roles were created by AWS and I cannot edit them to try to grant my SSO user access (I cannot 'aws sts assume-role' these from the CLI), so I cannot assume these roles directly. I also cannot create roles that use AWS managed policies.
I am not entirely sure whether what I want to do is possible, or whether there is a simple solution I am just not seeing.
Edit: I actually did succeed in creating a test role, on the account I want to migrate to, with the following policies:
- AdministratorAccess (AWS managed policy)
- AWSApplicationMigrationAgentPolicy (AWS managed policy)
- AWSApplicationMigrationFullAccess (AWS managed policy)
- AWSApplicationMigrationMGHAccess (AWS managed policy)
- AWSApplicationMigrationReadOnlyAccess (AWS managed policy)
- AWSApplicationMigrationEC2Access (AWS managed policy)
- AWSApplicationMigrationConversionServerPolicy (AWS managed policy)
- AWSApplicationMigrationReplicationServerPolicy (AWS managed policy)
I then ran assume-role to get the access key and secret key:
C:\>aws sts assume-role --role-arn "arn:aws:iam::<REDACTED>:role/ApplicationMigrationTester" --role-session-name test --profile test
{
"Credentials": {
"AccessKeyId": "<REDACTED>",
"SecretAccessKey": "<REDACTED>",
"SessionToken": "<REDACTED>",
"Expiration": "2021-07-15T22:55:08+00:00"
},
"AssumedRoleUser": {
"AssumedRoleId": "<REDACTED>":test",
"Arn": "arn:aws:sts::<REDACTED>:assumed-role/ApplicationMigrationTester/test"
}
}
I tried running the agent again as administrator, using these values when prompted:
C:\>.\AwsReplicationWindowsInstaller.exe
The installation of the AWS Replication Agent has started.
AWS Region Name: us-east-1
AWS Access Key ID: <REDACTED>
AWS Secret Access Key:
Verifying that the source server has enough free disk space to install the AWS Replication Agent.
(a minimum of 2 GB of free disk space is required)
Identifying volumes for replication.
Choose the disks you want to replicate. Your disks are: c:
To replicate some of the disks, type the path of the disks, separated with a comma (for example, C:,D:). To replicate all disks, press Enter:
Disk to replicate identified: c:0 of size 620 GiB
All volumes for replication were successfully identified.
Downloading the AWS Replication Agent onto the source server...
Failed to validate AWS credentials
Installation failed.
Learn more about installation issues in our documentation at https://docs.aws.amazon.com/mgn/latest/ug/Troubleshooting-Agent-Issues.html#Error-Installation-Failed
Press Enter to close...
As you can see, it errored out. I have raised a ticket with AWS to see whether my approach is currently possible. I will update when they reply.
You just need to supply the credentials from the command line (PowerShell or CMD):
C:\Downloads>.\AwsReplicationWindowsInstaller.exe --region us-east-1 --aws-access-key-id <REDACTED> --aws-secret-access-key <REDACTED>
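The credential handling above, as an added example that is not part of the question or the answer: it parses the JSON that assume-role prints into the three environment variables the question exports, reports the two conditions under which those temporary credentials cannot validate (already expired, or an ASIA key passed without its session token, which the interactive prompt in the question never asks for), and scans a command line for access key IDs so that a long-lived AKIA key pasted into a shell history or a post can be flagged for rotation. The JSON and the command line are constructed samples using the placeholder key and secret from AWS documentation; `validate_assume_role` and `find_access_key_ids` are hypothetical helper names.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample in the shape `aws sts assume-role` prints; the key, secret
# and token are the placeholder values used in AWS documentation, not real ones.
SAMPLE_ASSUME_ROLE_JSON = """{
  "Credentials": {
    "AccessKeyId": "ASIAIOSFODNN7EXAMPLE",
    "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "SessionToken": "FwoGZXIvYXdzEXAMPLETOKEN",
    "Expiration": "2021-07-15T22:55:08+00:00"
  }
}"""

# Constructed command line modelled on the answer, with the documentation key.
SAMPLE_COMMAND_LINE = (r"C:\Downloads>.\AwsReplicationWindowsInstaller.exe --region us-east-1 "
                       "--aws-access-key-id AKIAIOSFODNN7EXAMPLE "
                       "--aws-secret-access-key wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY")

# AWS access key IDs are 20 characters; AKIA = long-lived IAM user key,
# ASIA = temporary STS key that is only valid together with its session token.
ACCESS_KEY_ID_RE = re.compile(r"(?<![A-Z0-9])(AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")


def validate_assume_role(json_text, now_iso=None):
    """Turn assume-role output into the env vars the agent reads and list the
    reasons, if any, why the agent would reject them (hypothetical helper)."""
    creds = json.loads(json_text)["Credentials"]
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc)
    problems = []
    if datetime.fromisoformat(creds["Expiration"]) <= now:
        problems.append("credentials expired; run assume-role again")
    if creds["AccessKeyId"].startswith("ASIA") and not creds.get("SessionToken"):
        problems.append("temporary key supplied without its session token")
    env = {
        "AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
        "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
        "AWS_SESSION_TOKEN": creds.get("SessionToken", ""),
    }
    return problems, env


def find_access_key_ids(text):
    """Return (key_id, kind) for every access key ID in a command line or log;
    a long-lived key found in shared text should be rotated, not reused."""
    return [(m.group(0), "long-lived" if m.group(1) == "AKIA" else "temporary")
            for m in ACCESS_KEY_ID_RE.finditer(text)]
```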