Reputation: 117
Allowing AWS IAM users create RDS instances
I want to allow my AWS IAM user to be able to create RDS instances via AWS UI. So added the policy below
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "rds:*",
"Resource": "*"
}
]}
While users can get in to "Specify DB details" page, when all information is provided and "Next" clicked, I get the following error:
Currently retrieving account attributes We are currently in the process of retrieving your account attributes. Please try again in a few minutes.
Please advise.
Upvotes: 2
Views: 2581
Answers (1)
Reputation: 34704
According to the documentation:
For a user to work with the Amazon RDS console, that user must have a minimum set of permissions. These permissions allow the user to describe the Amazon RDS resources for their AWS account and to provide other related information, including Amazon EC2 security and network information.
So you seem to be missing some EC2 and network permissions.
The same document suggests using the predefined policies AmazonRDSReadOnlyAccess or AmazonRDSFullAccess. The latter is defined as:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"rds:*",
"cloudwatch:DescribeAlarms",
"cloudwatch:GetMetricStatistics",
"ec2:DescribeAccountAttributes",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeInternetGateways",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets",
"ec2:DescribeVpcAttribute",
"ec2:DescribeVpcs",
"sns:ListSubscriptions",
"sns:ListTopics",
"sns:Publish",
"logs:DescribeLogStreams",
"logs:GetLogEvents"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "pi:*",
"Effect": "Allow",
"Resource": "arn:aws:pi:*:*:metrics/rds/*"
},
{
"Action": "iam:CreateServiceLinkedRole",
"Effect": "Allow",
"Resource": "arn:aws:iam::*:role/aws-service-role/rds.amazonaws.com/AWSServiceRoleForRDS",
"Condition": {
"StringLike": {
"iam:AWSServiceName": "rds.amazonaws.com"
}
}
}
]
}
Upvotes: 3
Related Questions
- IAM users to restrict creating instances in a region
- AWS IAM Policy to allow user to create IAM Roles (from Management Console & AWS CLI)
- Meta permissions around creating roles in AWS IAM?
- IAM policy with ec2 full access not allowing to create EC2 instances
- Grant an IAM user access to one RDS instance
- What permissions should I grant an IAM so that it may create instances and manage them?
- How to deny other users/roles from creating EC2 instances with an IAM role
- Using EC2 instance profile with IAM authentication in RDS
- Permission to not allow IAM USER instance to create new instance
- Can I create a user in AWS IAM that only has rights to create users and place them in a specific Group?