amazon-web-servicesamazon-rdsamazon-iamamazon-rds-proxy

Connect to RDS Proxy from EC2 using IAM role

I want to create a passwordless setup for connecting to RDS proxy from EC2 (e.g. using an IAM role instead of db username & pwd credentials). E.g. code running on EC2 (e.g. php, or java etc..) wouldn't have to explicitly provide a db connection password, just the hostname / proxy end point, as well as possibly the db user name. I've got my secrets manager + RDS + Proxy all working fine when working in password mode;

There are a plethora of tutorials documenting how to use IAM roles to connect directly to RDS without using the proxy; and for connecting to a proxy via Lambda (I need ec2); but I can't seem to find the missing link anywhere. I see there's an option in RDS proxy for "IAM Authentication = Required" which I currently have set. But the IAM db-connect permission doesn't seem to apply to proxies; only RDS databases.

Have Googled for 2 hours, read a dozen articles. Ideally this would be an IAM role that I could attach to my ec2 Instance(s).

Thanks!

Solution

  • OK.. So I've made some headway here:

    This policy needs to be added to an ec2 role, and attached to your ec2 instance.. Essentially it is the same as the Lambda approach, I must have had an error in my resource arn last time I tried this:

    {
   "Version": "2012-10-17",
   "Statement": [
      {
         "Effect": "Allow",
         "Action": [
             "rds-db:connect"
         ],
         "Resource": [
             "arn:aws:rds-db:region:awsaccountnumber:dbuser:{proxyIdentifier from your rds proxy arn}/*"
         ]
      }
   ]
}

    It still doesn't worked the way I'd hoped; e.g. automagically works just by omitting the password from your connection code; e.g. the same way s3 connections work with IAM roles (e.g. you don't need to provide your access key in your code if an IAM role is attached to the server the code is running on).

    But.. Then read this: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.Connecting.AWSCLI.html

    And can confirm; I can use the IAM token to connect to my RDS proxy. Perhaps not the best design though for many use cases. As you can see here: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.html

    The tokens only last 15 minutes and aren't recommended for applications that need to make more than 200 connections per second. Also note there is a JDBC driver for AWS that incorporates this functionality; the only php drivers AWS lists are just the standard ones from php.net.

    Would still love to hear if anyone has any better ideas (e.g. automagic ) - otherwise for now I think this might be as far as I can go with this one.