Database Users on RDS – IAM Authentication to RDS / MySQL / Postgres
Say you have a database user that needs to log in to an RDS instance on AWS. The basic idea is to create an IAM role that maps to the database user, and attach that IAM role to the EC2 instance from which the client connects to RDS. Here are the steps:
- Enable IAM DB authentication on the RDS DB instance.
- Connect to an EC2 instance and install the MySQL server package.
- Create a database user account that uses an AWS authentication token.
- Add an IAM policy that maps the database user to the IAM role.
- Attach the IAM role to the EC2 instance.
- Generate an AWS authentication token to identify the IAM role.
- Download the SSL root certificate file or certificate bundle file.
- Connect to the RDS DB instance using IAM role credentials and the authentication token.
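As an added worked example (not code from the original post), the two pieces the policy-mapping and token-generation steps above produce: the rds-db:connect policy that ties a database user to the role, and the authentication token itself, built as the SigV4 presigned request that boto3's rds.generate_db_auth_token() returns. The endpoint, resource id, user and credentials are constructed placeholders; on the EC2 instance the attached role supplies temporary credentials, which also add an X-Amz-Security-Token parameter that is omitted here.

```python
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import quote

# Constructed placeholder credentials; on the EC2 instance the attached role's
# temporary credentials come from the instance metadata service instead.
ACCESS_KEY = "AKIAEXAMPLEEXAMPLE00"
SECRET_KEY = "examplesecretkeyexamplesecretkeyexample0"

def connect_policy(region, account, dbi_resource_id, db_user):
    """IAM policy mapping one DB user to the role: rds-db:connect on the
    instance's resource id (db-...), not its ARN, qualified by the DB user."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": "rds-db:connect",
        "Resource": f"arn:aws:rds-db:{region}:{account}:dbuser:{dbi_resource_id}/{db_user}",
    }]}

def auth_token(host, port, db_user, region, now,
               access_key=ACCESS_KEY, secret_key=SECRET_KEY):
    """The token is a SigV4-presigned GET for service 'rds-db' (Action=connect,
    15 minute expiry) with 'https://' dropped; it is used as the DB password."""
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    scope = f"{amz_date[:8]}/{region}/rds-db/aws4_request"
    params = {"Action": "connect", "DBUser": db_user,
              "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
              "X-Amz-Credential": f"{access_key}/{scope}",
              "X-Amz-Date": amz_date, "X-Amz-Expires": "900",
              "X-Amz-SignedHeaders": "host"}
    # Canonical query string: keys sorted, everything percent-encoded.
    query = "&".join(f"{quote(k, safe='')}={quote(v, safe='')}"
                     for k, v in sorted(params.items()))
    canonical = "\n".join(["GET", "/", query, f"host:{host}:{port}\n", "host",
                           hashlib.sha256(b"").hexdigest()])  # empty payload
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                         hashlib.sha256(canonical.encode()).hexdigest()])
    key = f"AWS4{secret_key}".encode()  # derive the SigV4 signing key
    for part in (amz_date[:8], region, "rds-db", "aws4_request"):
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    signature = hmac.new(key, to_sign.encode(), hashlib.sha256).hexdigest()
    return f"{host}:{port}/?{query}&X-Amz-Signature={signature}"

def demo_token():
    """Token for a constructed endpoint at a fixed clock (reproducible)."""
    return auth_token("mydb.abc123.us-east-1.rds.amazonaws.com", 3306, "jane_doe",
                      "us-east-1", datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc))
```

Because the token is a signed request rather than a shared secret, it is valid only for the named host, port and DBUser and expires after 15 minutes; the SSL certificate step above matters because the token is still sent to the server as a password.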
What about AD Federation?
What if you have an AD user that needs to login to the same RDS instance?
This would involve two steps. The first step would be setting up the appropriate role as described above. The second step would be creating a federated login for the AD user.
Okta Based Federation – e.g. AssumeRoleWithSAML
1. Define a new role whose policy allows the action sts:AssumeRoleWithSAML on the ARN (the Resource field in the JSON) that points to the SAML provider.

```json
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "sts:AssumeRoleWithSAML",
    "Resource": "arn:oktaProviderARN"
  }
}
```
e.g. AssumeRole for cross-account access
The following example shows the first two, and most common, steps for creating a cross-account role in a simple environment. This example allows any user in the 123456789012 account to assume the role and view the example_bucket Amazon S3 bucket.

```json
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Principal": { "AWS": "arn:aws:iam::123456789012:root" },
    "Action": "sts:AssumeRole",
    "Condition": { "Bool": { "aws:MultiFactorAuthPresent": "true" } }
  }
}
```