Reputation: 2629
I have made an RDS instance and want to grant one of my users access to that RDS instance. I'm wondering how I can give this permission.
I have granted RDSFullAccess in the attached policy of my IAM user, then simulated it like this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "rds:*",
        "cloudwatch:DescribeAlarms",
        "cloudwatch:GetMetricStatistics",
        "ec2:DescribeAccountAttributes",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcs",
        "sns:ListSubscriptions",
        "sns:ListTopics",
        "logs:DescribeLogStreams",
        "logs:GetLogEvents"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:rds:eu-west-1:accountIDofIAMUser:db:instancename"
    }
  ]
}
But my user still cannot access this RDS instance. What's the problem? He can make one himself, but I don't want him to make another one!
Any help would be appreciated.
Upvotes: 2
Views: 13884
Reputation: 21
Please find below a policy for single-user, single-RDS start/stop access.
Create the policy below and put the RDS ARN in the Resource section.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "rds:AddTagsToResource",
        "rds:ListTagsForResource",
        "rds:DescribeDBSnapshots",
        "rds:DescribeDBEngineVersions",
        "rds:DescribeDBParameters",
        "rds:DescribeDBParameterGroups",
        "rds:StopDBInstance",
        "rds:StartDBInstance"
      ],
      "Resource": [
        "arn:aws:rds:us-east-1:accountnumber:db:dbidentifier"
      ]
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "rds:DescribeDBClusterSnapshots",
        "rds:DescribeDBInstances"
      ],
      "Resource": "*"
    }
  ]
}
Attach this policy to the user to whom you want to grant access.
Upvotes: 2
Reputation: 34297
If the policy above has the correct ARN for the database and is attached to the IAM user, then it will allow full management actions on the RDS database, things like stopping the database or restoring a backup.
To explicitly exclude the "Create" permissions, based on the list on this page http://docs.aws.amazon.com/IAM/latest/UserGuide/list_rds.html, include all the permissions you do need, for example the following. In this context "Deny" always beats "Allow". "Create" permissions are OK against the already existing database but don't apply elsewhere.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "rds:*",
        "cloudwatch:DescribeAlarms",
        "cloudwatch:GetMetricStatistics",
        "ec2:DescribeAccountAttributes",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcs",
        "sns:ListSubscriptions",
        "sns:ListTopics",
        "logs:DescribeLogStreams",
        "logs:GetLogEvents"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:rds:eu-west-1:accountIDofIAMUser:db:instancename"
    },
    {
      "Effect": "Deny",
      "Action": [
        "rds:Create*"
      ],
      "NotResource": [
        "arn:aws:rds:eu-west-1:accountIDofIAMUser:db:instancename"
      ]
    }
  ]
}
I haven't tested this policy; it's just an example.
If the user needs access to the database as a consumer of data, then this is not managed in this way. They need two things for this:
# network access to the RDS instance via correct networking and correctly setup security groups
# user account credentials for the database
For MySQL the process of initially connecting is described here: http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_ConnectToInstance.html
Upvotes: 2
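The two answers above rely on the same evaluation rules: a statement applies only if both its Action and its Resource (or the complement of its NotResource) match the request, an explicit Deny beats any Allow, and anything not matched by an Allow is denied by default. The script below is an added example, not code from the question or either answer, and not AWS's real IAM engine: it is a small offline model of just those rules (Effect, Action, Resource, NotResource, with IAM's "*" and "?" wildcards; no Condition keys, NotAction, resource policies, permission boundaries or SCPs) and runs the start/stop policy from the first answer and the Allow-plus-Deny-Create policy from the second against a few requests. The account ID and the "other" instance identifiers are placeholders chosen for the example. Use the real IAM policy simulator for the authoritative answer; this only shows why the posted policies are expected to behave as the answers claim.

```python
"""Offline model of IAM identity-policy evaluation for the two posted policies.

Added example, not from the question or answers and not the real IAM engine.
Models only Effect / Action / Resource / NotResource with '*' and '?' wildcards.
"""
import fnmatch

ACCOUNT = "111122223333"                                       # placeholder account id
DB_EU = f"arn:aws:rds:eu-west-1:{ACCOUNT}:db:instancename"     # ARN used in answer 2
DB_EU_OTHER = f"arn:aws:rds:eu-west-1:{ACCOUNT}:db:someoneelse"  # placeholder, not in the page
DB_US = f"arn:aws:rds:us-east-1:{ACCOUNT}:db:dbidentifier"     # ARN used in answer 1
DB_US_OTHER = f"arn:aws:rds:us-east-1:{ACCOUNT}:db:scratch"    # placeholder, not in the page

# Answer 2: full rds:* on one instance, explicit Deny of rds:Create* on every
# resource that is NOT that instance.
ALLOW_ONE_DENY_CREATE_ELSEWHERE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["rds:*"], "Resource": DB_EU},
        {"Effect": "Deny", "Action": ["rds:Create*"], "NotResource": [DB_EU]},
    ],
}

# Answer 1: start/stop (plus a few Describe/tag calls) on one instance, and the
# account-wide Describe calls that need Resource "*".
START_STOP_ONE = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "rds:AddTagsToResource", "rds:ListTagsForResource",
                "rds:DescribeDBSnapshots", "rds:DescribeDBEngineVersions",
                "rds:DescribeDBParameters", "rds:DescribeDBParameterGroups",
                "rds:StopDBInstance", "rds:StartDBInstance",
            ],
            "Resource": [DB_US],
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": ["rds:DescribeDBClusterSnapshots", "rds:DescribeDBInstances"],
            "Resource": "*",
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM wildcards: '*' is any run of characters, '?' exactly one character.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _statement_applies(stmt, action, resource):
    # Action names are case-insensitive in IAM; ARNs are compared as written.
    actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
    if not _matches(actions, action.lower()):
        return False
    if "Resource" in stmt:
        return _matches(stmt["Resource"], resource)
    if "NotResource" in stmt:
        return not _matches(stmt["NotResource"], resource)
    return False


def evaluate(policy, action, resource):
    """Return 'explicit_deny', 'allow' or 'implicit_deny' for one request.

    Any matching Deny wins immediately; otherwise a matching Allow; otherwise
    the default (implicit) deny.  This is the ordering answer 2 relies on.
    """
    decision = "implicit_deny"
    for stmt in policy["Statement"]:
        if not _statement_applies(stmt, action, resource):
            continue
        if stmt["Effect"] == "Deny":
            return "explicit_deny"
        decision = "allow"
    return decision


# (label, policy, action, resource) for the requests the question cares about.
CASES = [
    ("a2_stop_own", ALLOW_ONE_DENY_CREATE_ELSEWHERE, "rds:StopDBInstance", DB_EU),
    ("a2_stop_other", ALLOW_ONE_DENY_CREATE_ELSEWHERE, "rds:StopDBInstance", DB_EU_OTHER),
    ("a2_create_own", ALLOW_ONE_DENY_CREATE_ELSEWHERE, "rds:CreateDBInstance", DB_EU),
    ("a2_create_other", ALLOW_ONE_DENY_CREATE_ELSEWHERE, "rds:CreateDBInstance", DB_EU_OTHER),
    ("a1_start_own", START_STOP_ONE, "rds:StartDBInstance", DB_US),
    ("a1_start_other", START_STOP_ONE, "rds:StartDBInstance", DB_US_OTHER),
    ("a1_delete_own", START_STOP_ONE, "rds:DeleteDBInstance", DB_US),
    ("a1_describe_other", START_STOP_ONE, "rds:DescribeDBInstances", DB_US_OTHER),
]


def decision_matrix():
    """Evaluate every case; returns {label: decision}."""
    return {label: evaluate(pol, act, res) for label, pol, act, res in CASES}


if __name__ == "__main__":
    for label, decision in decision_matrix().items():
        print(f"{label:20s} {decision}")
```

The interesting rows are the two Create requests against answer 2's policy: on the named instance the Deny does not apply (its NotResource excludes that ARN) and the rds:* Allow wins, while on any other ARN the Deny applies and beats everything, which is the "Deny always beats Allow" point the answer makes. Answer 1's policy never grants Create or Delete at all, so those fall through to the implicit deny without needing a Deny statement.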