Database Users on RDS - IAM Authentication to RDS / MySQL / Postgres - Anuj Varma, Hands-On Technology Architect, Clean Air Activist

Say you have a database user that needs to login to an RDS instance on AWS. The basic idea is to Create an AWS Role that maps to the Database User – and attach that IAM role to the EC2 instance (hosting the RDS). Here are the steps

Enable IAM DB authentication on the RDS DB instance.
Connect to an EC2 instance and install the MySQL server package.
Create a database user account that uses an AWS authentication token.
Add an IAM policy that maps the database user to the IAM role.
Attach the IAM role to the EC2 instance.
Generate an AWS authentication token to identify the IAM role.
Download the SSL root certificate file or certificate bundle file.
Connect to the RDS DB instance using IAM role credentials and the authentication token.

What about AD Federation?

What if you have an AD user that needs to login to the same RDS instance?

This would involve two steps. The first step would be setting up the appropriate role as described above. The second step would be creating a federated login for the AD user.

Okta Based Federation – e.g. AssumeRoleWithSAML

1. Need to define a new role that has action sts:AssumeRoleWithSAML applied to the ARN (Resouce in JSON) that points to the SAML provider.

{ “Version”: “2012-10-17”, “Statement”: { “Effect”: “Allow”, “Action”: “sts:AssumeRoleWithSAML”, “Resource”: “arn: oktaProviderARN” } }

e.g. AssumeRole for cross account access

The following example shows the first two, and most common steps for creating a cross-account role in a simple environment. This example allows any user in the 123456789012 account to assume the role and view the example_bucket Amazon S3 bucket.

{ “Version”: “2012-10-17”, “Statement”: { “Effect”: “Allow”, “Principal”: { “AWS”: “arn:aws:iam::123456789012:root” }, “Action”: “sts:AssumeRole”, “Condition”: { “Bool”: { “aws:MultiFactorAuthPresent”: “true” } } } }

Anuj holds professional certifications in Google Cloud, AWS as well as certifications in Docker and App Performance Tools such as New Relic. He specializes in Cloud Security, Data Encryption and Container Technologies.

Initial Consultation

Anuj Varma – who has written 1210 posts on Anuj Varma, Hands-On Technology Architect, Clean Air Activist.