Question 95401 in Amazon Web Sevices Question posted in
The official Amazon Web Services documentation can be found here.

Automate AWS RDS User Management – Amazon web services

Most of you would have encountered the problem of creating db users for developers across multiple database (using common user is not allowed). We have around 90 DB’s on AWS and 200-250 dev’s. Everyday someone needs access to a database and this is manual and repetitive task.

I am looking for a solution to automate end-to-end lifecycle of user management, scripting or creating a terraform module are solutions which I already have in my mind, but how does other organization manage DB users at scale ?

I did look at AWS IAM authentication but I am not sure how can we grant fine grain access using IAM roles.

Cheers,
Fun Learn

Tags:

2

Answers


  1. 0

    The way I’ve done this is (high level);

    • Create your RDS Terraform Config / Module(s)
    • Create a sql file with the user & grant creations needed
    • Create a wrapper script that deploys terraform then connects to it to deploy your SQL file with user creation
    • Your wrapper script will need to use Terraform Outputs to get your newly created RDS Endpoint to connect to | Say you created an output called rds_endpoint in your terraform plan / config… This is how you grab it in bash terraform output rds_endpoint
    • Assuming your new RDS DB is not publicly accessible, your wrapper script will need to tunnel in through a bastion or some other instance that is publicly accessible with access to the DB. Example: ssh -oStrictHostKeyChecking=no -p 22 -i ~/.ssh/bastion-host-key.pem -C -N ec2-user@$bastion_ip -L 3306:$rds_endpoint:3306 &
    • Your wrapper script will need to use the RDS user & password you created with terraform as well to run the SQL File
    Login or Signup to reply.
  2. 0

    In fact IAM authentication could be the key to do that.

    What you can do is in fact create all you databases with terraform.
    do not forget to enable iam authentication via your terraform module.

    Once all you databases are created via teraform, you have to create local role(s) in all of theses databases (either via terraform using SQL script or still via terraform using modules that allow you to create user/roles, for postgresql you can use this module ) and you have to grant them the pre-created, existing, database role for iam (for example with postgresql its named "rds_iam")

    The thing that is interresting with iam authentication is that all of your developper can connect using their account to aws and request a token that will be used as a password (the username will be the role you created before) and by doing this you create only one role, but each authentication is made by each developpers account.

    If your company really needs you to create roles for each devs (even if the roles are exactly the same, It makes no sense since by definition, we ASSUME a role, so anyone can assume ONE role, this is not awful) you can then create a local database users (instead of a role) for all of your developpers in all of your database by using an SQL script that your terraform will execute.

    Of course do not forget to grant the rds_iam existing role to either the unique role that will be used by all the developpers (in case you choose this solution) or to all the db users you created before.

    You will have to manage IAM policy for all of theses users to be accurate regarding to the security (or use * in the policy to let all your developpers connect to all you db users lol)

    and then your developpers will be able to use aws rds command to generate an auth token and connect to their local db user that will have to correct rights.

    There is a hole bunch of informations and precisions here:
    https://aws.amazon.com/premiumsupport/knowledge-center/users-connect-rds-iam

    have a nice journey on aws

    Login or Signup to reply.
Please signup or login to give your own answer.

Back To Top
Search