Showing content from https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/rds-proxy-iam-setup.html below:

Configuring IAM authentication for RDS Proxy

To set up AWS Identity and Access Management (IAM) authentication for RDS Proxy in Amazon RDS, create and configure an IAM policy that grants the necessary permissions. RDS Proxy uses AWS Secrets Manager to manage database credentials securely, which allows applications to authenticate through the proxy without directly handling credentials.

This topic provides the steps to configure IAM authentication for RDS Proxy, including creating the required IAM policy and attaching it to an IAM role.

Tip

This procedure is only necessary if you want to create your own IAM role. Otherwise, RDS can automatically create the required role when you set up the proxy, so you can skip these steps.

Prerequisites

Before you set up IAM authentication for RDS Proxy, make sure that you have the following:

Creating an IAM policy for Secrets Manager access

To allow RDS Proxy to retrieve database credentials from Secrets Manager, create an IAM role with a policy that grants the necessary permissions.

To create a role to access your secrets for use with your proxy
  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. Create a permissions policy for the role. For general steps, see Create IAM policies (console).

    Paste this policy into the JSON editor and make the following changes:

    JSON
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "secretsmanager:GetSecretValue",
                "Resource": [
                    "arn:aws:secretsmanager:us-east-2:111122223333:secret:secret_name_1",
                    "arn:aws:secretsmanager:us-east-2:111122223333:secret:secret_name_2"
                ]
            },
            {
                "Effect": "Allow",
                "Action": "kms:Decrypt",
                "Resource": "arn:aws:kms:us-east-2:111122223333:key/key_id",
                "Condition": {
                    "StringEquals": {
                        "kms:ViaService": "secretsmanager.us-east-2.amazonaws.com"
                    }
                }
            }
        ]
    }
    
  3. Create the role and attach the permissions policy to it. For general steps, see Create a role to delegate permissions to an AWS service.

    For the Trusted entity type, choose AWS service. Under Use case, select RDS and choose RDS - Add Role to Database for the use case.

  4. For Permissions policies, choose the policy that you created.

  5. For Select trusted entities, enter the following trust policy for the role:

    JSON
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "",
          "Effect": "Allow",
          "Principal": {
            "Service": "rds.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }
    

To create the role using the AWS CLI, send the following request:

aws iam create-role \
  --role-name my_role_name \
  --assume-role-policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":["rds.amazonaws.com"]},"Action":"sts:AssumeRole"}]}'

Then, attach the policy to the role:

aws iam put-role-policy \
  --role-name my_role_name \
  --policy-name secret_reader_policy \
  --policy-document '{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "secretsmanager:GetSecretValue",
            "Resource": [
                "arn:aws:secretsmanager:us-east-2:account_id:secret:secret_name_1",
                "arn:aws:secretsmanager:us-east-2:account_id:secret:secret_name_2"
            ]
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "kms:Decrypt",
            "Resource": "arn:aws:kms:us-east-2:account_id:key/key_id",
            "Condition": {
                "StringEquals": {
                    "kms:ViaService": "secretsmanager.us-east-2.amazonaws.com"
                }
            }
        }
    ]
}'
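Before attaching a policy like the ones above, it is worth checking that it has not drifted from the least-privilege shape this page describes: explicit secret ARNs rather than wildcards, kms:Decrypt restricted with the kms:ViaService condition to Secrets Manager in the proxy's Region, and a trust policy that names only the rds.amazonaws.com service principal. The linter below is an added example, not AWS code; the WEAK_POLICY document is a constructed sample, and the expected Region is passed in as a parameter.

```python
"""Lint an RDS Proxy role's permissions and trust policies against the
least-privilege shape this page describes (added example, not AWS code)."""
import json

def check_permissions_policy(doc: dict, region: str) -> list:
    """Return findings for Allow statements; an empty list means no problem found."""
    findings = []
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        if any(a in ("*", "secretsmanager:*", "kms:*") for a in actions):
            findings.append("wildcard action: grant only GetSecretValue and kms:Decrypt")
        if any(r == "*" or r.endswith(":secret:*") for r in resources):
            findings.append("wildcard resource: list the proxy's secret ARNs explicitly")
        if "kms:Decrypt" in actions:
            via = stmt.get("Condition", {}).get("StringEquals", {}).get("kms:ViaService")
            expected = f"secretsmanager.{region}.amazonaws.com"
            if via != expected:
                findings.append(f"kms:Decrypt is missing kms:ViaService == {expected}")
    return findings

def check_trust_policy(doc: dict) -> list:
    """Only the RDS service principal should be able to assume the proxy role."""
    findings = []
    for stmt in doc.get("Statement", []):
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict) or set(principal) != {"Service"}:
            findings.append("trust policy must name only a Service principal")
            continue
        services = principal["Service"]
        services = [services] if isinstance(services, str) else services
        if set(services) != {"rds.amazonaws.com"}:
            findings.append(f"unexpected trusted services: {sorted(services)}")
    return findings

# Constructed sample: a policy that drifted from the page's template
WEAK_POLICY = json.loads('''{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue", "Resource": "*"},
  {"Effect": "Allow", "Action": "kms:Decrypt",
   "Resource": "arn:aws:kms:us-east-2:111122223333:key/key_id"}]}''')

if __name__ == "__main__":
    for f in check_permissions_policy(WEAK_POLICY, "us-east-2"):
        print("finding:", f)
```

Run against the page's own policy and trust policy, both checks return no findings; the constructed WEAK_POLICY yields two.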

With the IAM role and permissions configured, you can now create a proxy and associate it with this role. This allows the proxy to retrieve database credentials securely from AWS Secrets Manager and enables IAM authentication for your applications. For instructions, see Creating a proxy for Amazon Aurora.
