AWS Migration Hub is no longer open to new customers as of November 7, 2025. For capabilities similar to AWS Migration Hub, explore [AWS Transform](https://aws.amazon.com/transform). # Migration Hub Journeys task automation Task automation **Note** The task-automation feature is in preview release. It is available in US East (N. Virginia). This is pre-release documentation. Both the task-automation feature and this documentation are subject to change. A task can have one of two execution types: `Manual` or `Automated`. The default execution type is `Manual`. When you execute an automated task, it runs a Migration Hub automation unit. For information about automation units, see [AWS Migration Hub Automation](https://docs.aws.amazon.com/migrationhub/latest/ug/mha.html). The following topics describe how to create an IAM role that you can use to automate tasks, how to set the execution type of a task to `Automated`, and how to execute an automated task. **Topics** + [ # IAM roles for Migration Hub Journeys task automation ](task-automation-role.md) + [ # Automating a manual Migration Hub Journeys task ](automate-task.md) + [ # Executing an automated Migration Hub Journeys task ](execute-autmated-task.md) # IAM roles for Migration Hub Journeys task automation IAM roles **Note** The task-automation feature is in preview release. It is available in US East (N. Virginia). This is pre-release documentation. Both the task-automation feature and this documentation are subject to change. Automated Migration Hub Journeys tasks require an account connection with an associated IAM role that has the following trust policy and permissions policy. For information about how to create an IAM role with these two policies, see [Create a role using custom trust policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-custom.html). For information about how to associate an IAM role with an account connection, see [Associating IAM roles with an AWS account connection in AWS Migration Hub Journeys](associate-roles.md). ## Trust policy The following trust policy allows Migration Hub Journeys to assume the role. To use this trust policy, replace *account-connection-ARN* with the ARN of a connection whose status is `Connected`. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "journeys.amazonaws.com" }, "Action": "sts:AssumeRole", "Condition": { "ArnLike": { "aws:SourceArn": "arn:aws:mgh:us-east-1:111122223333:connection/connection-id" } } }, { "Effect": "Allow", "Principal": { "Service": "journeys.amazonaws.com" }, "Action": "sts:TagSession" } ] } ``` ------ To set a condition based on an AWS account ID instead of on a connection ARN, you can use the following trust policy. However, keep in mind that this policy is more permissive than the policy with a condition based on connection ARN. The reason this trust policy is more permissive is that members of other migration journeys that have connections to the same AWS account can use it to run automation. Therefore, we recommend that you use the previous policy and set the condition based on a specific connection, instead of on an AWS account. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [{ "Effect": "Allow", "Principal": { "Service": "journeys.amazonaws.com" }, "Action": "sts:AssumeRole", "Condition": { "StringLike": { "aws:SourceAccount": "111122223333" } } }, { "Effect": "Allow", "Principal": { "Service": "journeys.amazonaws.com" }, "Action": "sts:TagSession" } ] } ``` ------ **Warning** Migration Hub Journeys no longer supports associating new IAM roles that have the following trust policy. If you already have a connection with an associated role that has the following trust policy, you can continue to use that role to execute automated tasks until January 31, 2025. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "journeys.amazonaws.com" }, "Action": "sts:AssumeRole", "Condition": { "ArnLike": { "aws:SourceArn": "arn:aws:mgh:us-east-1:111122223333:connection/connection-id" } } }, { "Effect": "Allow", "Principal": { "Service": "journeys.amazonaws.com" }, "Action": "sts:TagSession" } ] } ``` ------ ## Permissions policy The following permissions policy grants access to describe and run AWS Migration Hub automation units. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "mgn:ListApplications", "mgn:ListWaves", "mgn:ListConnectors", "mgh:ListCreatedArtifacts", "mgh:ListAutomationUnits", "mgh:ListMigrationTaskUpdates", "mgh:DescribeAutomationUnit", "mgh:CreateAutomationRun", "mgh:DescribeAutomationRun", "secretsmanager:ListSecrets" ], "Resource": "*" } ] } ``` ------ # Automating a manual Migration Hub Journeys task Automating a manual task **Note** The task-automation feature is in preview release. It is available in US East (N. Virginia). This is pre-release documentation. Both the task-automation feature and this documentation are subject to change. To automate a task, first ensure that you have the following two prerequisites. ## Prerequisites + Ensure that you have an AWS account connection. For information about account connections and how to create them, see [AWS account connections in AWS Migration Hub Journeys](account-connections.md). + Associate with the account connection an IAM role with the permissions described in [IAM roles for Migration Hub Journeys task automation](task-automation-role.md). ## To automate a task 1. Perform the steps described in [Updating Migration Hub Journeys tasks](updating-tasks.md) 1. In the **Task details** section, choose **Edit**. 1. For **Task type** choose **Automated**. 1. Choose **Browse automation unit**. 1. Select an account connection with which you have associated the IAM role described in [Prerequisites](#automation-prereqs). 1. Select the IAM role described in [Prerequisites](#automation-prereqs). 1. Select the automation unit that you want the task to run when you execute the task. 1. Choose **Select**. 1. Choose **Save changes**. # Executing an automated Migration Hub Journeys task Executing an automated task **Note** The task-automation feature is in preview release. It is available in US East (N. Virginia). This is pre-release documentation. Both the task-automation feature and this documentation are subject to change. This topic explains how to execute an automated task. For information about how to automate a task whose type is `Manual`, see [Automating a manual Migration Hub Journeys task](automate-task.md). **To execute an automated task** 1. Perform the steps described in [Updating Migration Hub Journeys tasks](updating-tasks.md) 1. Choose **Execute task**. 1. (Optional) Enter a name that can help identify this execution. 1. Choose a connection from the list of AWS account connections. For information about how to create a connection, see [AWS account connections in AWS Migration Hub Journeys](account-connections.md). 1. Choose the IAM role that you want to use to execute the task. 1. Choose **Execute task**.