1

Referring to the doc https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.Connecting.AWSCLI.html, below command can be used to generate auth token for a user and use it to login to the database

aws rds generate-db-auth-token \
   --hostname rdsmysql.123456789012.us-west-2.rds.amazonaws.com \
   --port 3306 \
   --region us-west-2 \
   --username jane_doe

I have a number of RDS IAM DB users like read only, application user, admin user etc.

My question is how do I restrict, lets say AWS developer roles to only be able to generate auth token like above for a read only DB username and not admin usernames. If someone needs to generate auth token for admin users, they need to use a different AWS role to do that. I have a pattern like all read only users will be of format *_ro, all admins will be of format *_admin.

What policy can I use to achieve this? Any examples would really help.

Visa2Learn
  • 13
  • 3

1 Answers1

2

I don't currently have an RDS with IAM Auth enabled, but you can try something like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "rds-db:connect",
            "Resource": "arn:aws:rds-db:*:ACCOUNT_ID:dbuser:*/*_ro"
        }
    ]
}

rds-db:connect is the policy that enables the token generation, and you can filter on it directly on the resource path.

Filippo Testini
  • 1,363
  • 1
  • 16
  • Thank you so much @Filippo. Can "${aws:username}_ro" be replaced like"*_ro"? If you can point to some AWS documentation that supports this, that would be very helpful. – Visa2Learn Aug 16 '23 at 16:28
  • Take a look here for more details on the StringLike operator: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html – Filippo Testini Aug 16 '23 at 16:33
  • The key "aws:username" in the StringLike condition seems to be the aws user, not the DB user for which the policy is? – Visa2Learn Aug 16 '23 at 17:55
  • I ran some tests myself, but I couldn't get it to work. Theoretically, the last part of the Resource path is the DB user, and you should be able to filter it with a wildcard, something like arn:aws:rds-db:*:ACCOUNT_ID:dbuser:*/*_ro. However, it doesn't seem to work as expected. :("https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.IAMPolicy.html – Filippo Testini Aug 16 '23 at 18:52
  • Yes looks like it doesn't support partial wildcard pattern. Its either the full db username or * – Visa2Learn Aug 17 '23 at 04:37
  • I confirm that partial wildcard like *_ro works. Thats @Filippo for the pointer. – Visa2Learn Aug 18 '23 at 15:53