I am trying to configure IP access restrictions for my public Aurora Serverless v2 cluster with IAM authentication (Postgres).
After applying the policy below, I cannot connect to the cluster with the generated token.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "rds-db:connect"
            ],
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": [
                        "123.241.200.168/32"
                    ]
                }
            },
            "Effect": "Allow",
            "Resource": [
                "arn:aws:rds-db:eu-central-1:7777777836:dbuser:cluster-QQQIDWE6WQ/client01"
            ]
        }
    ]
}
After switching the condition to "IpAddressIfExists" it allows me to connect from any address, so I assume that there is no address available on connect. Is it possible to configure IP restrictions at the account level?
2 Answers
So it looks like the only way to achieve what I want is to:
- rds-db:connect permissions on the Postgres user
- sts:AssumeRole limited to IP address

Access to the database is not limited to IP, so if someone retrieves the token from the user they will be able to connect, but tokens are valid for 15 minutes by default so it fulfils my requirements.
Thank you @rowanu for the answer, it helped me a lot.
Unfortunately that action doesn't support any conditions (as listed on permissions.cloud), so you can't limit that API to IPs (and if the user is an administrator, you can't limit it at all, as mentioned in the docs).
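The two-policy arrangement from the first answer, expressed as an added CloudFormation example (not code from the thread): the IP condition sits on the role's trust policy, so it is evaluated when sts:AssumeRole is called and the caller's address is known, while the role itself carries the rds-db:connect grant without a condition, because, as the second answer notes, that action supports none. The account id, region, cluster resource id and CIDR are the ones from the question; the IAM user name client01 used as the trusted principal is an assumption.

```yaml
# Added example, not part of the original thread.
# Assumptions: the IAM user that will assume the role is "client01" in the
# same account; account id, region, cluster id and CIDR come from the question.
AWSTemplateFormatVersion: "2010-09-09"
Description: Role that can only be assumed from one IP and that holds rds-db:connect

Resources:
  AuroraClientRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: aurora-client01-from-office
      # Shortest value CloudFormation accepts; the caller can still ask for
      # DurationSeconds=900 on AssumeRole to keep the session window small.
      MaxSessionDuration: 3600
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              AWS: arn:aws:iam::7777777836:user/client01   # assumption: IAM user name
            Action: sts:AssumeRole
            Condition:
              # Checked at AssumeRole time, where aws:SourceIp is populated.
              # Use aws:VpcSourceIp instead if callers reach STS via a VPC endpoint.
              IpAddress:
                aws:SourceIp:
                  - 123.241.200.168/32
      Policies:
        - PolicyName: aurora-iam-auth
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: rds-db:connect
                # Deliberately no IP condition: rds-db:connect has no condition
                # keys, so the only bound on a leaked token is its 15-minute life.
                Resource:
                  - arn:aws:rds-db:eu-central-1:7777777836:dbuser:cluster-QQQIDWE6WQ/client01

Outputs:
  RoleArn:
    Description: Assume this role, then call generate-db-auth-token with its credentials
    Value: !GetAtt AuroraClientRole.Arn
```

The auth token must be generated with the assumed role's credentials, since it is the role session, not the IAM user, that holds rds-db:connect; assuming the role from any other address fails before a token can be issued.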