Reputation: 429
Can IAM be used to authenticate between RDS Proxy and RDS Instance?
I might be missing something obvious, but after going over the documentation, there doesn't seem to be anything that answers my question.
I'm trying to move my existing infrastructure, which consists of a VPC with lambda functions connecting directly to RDS using password authentication.
The password is stored in SecretsManager and I've set up all the roles and permissions necessary to provision this, together with the internet gateway needed to access SecretsManager from Lambdas in the VPC. I have two problems with this approach.
The connection pool of the RDS instance fills up quickly under load and future connections are rejected. This is to be expected and for that reason I've decided to add the RDS Proxy between the Lambdas and the RDS instance.
I have to fetch the credentials from the SecretsManager every time my Lambda runs, which is costly because my Lambdas run within a VPC and I need an Internet Gateway to connect to the SecretsManager.
To solve these problems, I'm trying to set up a proxy that uses IAM authentication both between the Lambda and the RDS Proxy, and between the RDS Proxy and RDS Instance. As I understand it from the current documentation, IAM between the Lambda and RDS Proxy should be a fairly common use case that's easy enough to set up. I don't however know whether it's possible to set up an IAM-authenticated connection between the RDS Proxy and RDS Instance.
Furthermore, I'm struggling with configuring the CloudFormation template for this setup (maybe because it's impossible?) when it comes to defining the AuthScheme for the AWS::RDS::DBProxy. It requires "SECRETS" to always be the AuthScheme, even when using IAM. Does that mean I need to store the actual username and password credentials for the database and use those when authenticating with the RDS from RDS Proxy?
UPDATE 2024-09-25 12:06
It seems that the only relevant entry describing the authentication between the RDS Proxy and RDS Instance is here:
The connection from RDS Proxy to the underlying database doesn't go through IAM.
Here is an excerpt from my current template:
Database:
Type: AWS::RDS::DBInstance
Properties:
DBInstanceIdentifier: ${self:service}-database-${self:provider.stage} # This is pulled from the other parts of the config and work correctly.
Engine: postgres
DBName: postgres
DBParameterGroupName: ${self:service}-database-${self:provider.stage}-parameter-group # This is pulled from the other parts of the config and work correctly.
AllocatedStorage: 20
EngineVersion: 16.3
DBInstanceClass: db.t3.micro
MasterUsername: ${self:custom.config.database.user} # This is pulled from the other parts of the config and work correctly.
MasterUserPassword:
Fn::Join:
- ''
- - '{{resolve:secretsmanager:'
- Ref: DatabaseSecret
- ':SecretString:password}}' # This is pulled from the other parts of the config and work correctly.
DBSubnetGroupName:
Ref: DbSubnetGroup
VPCSecurityGroups:
- Ref: DbSecurityGroup
EnableIAMDatabaseAuthentication: true
DeletionPolicy: ${self:custom.config.cloudformation.databaseDeletionPolicy} # This is pulled from the other parts of the config and work correctly.
DatabaseProxyRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service:
- rds.amazonaws.com
Action: sts:AssumeRole
Path: /
Policies:
- PolicyName: AllowDatabaseSecretAccess
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- secretsmanager:DescribeSecret
- secretsmanager:GetSecretValue
Resource:
Ref: DatabaseSecret
- PolicyName: AllowRDSConnectionViaIAM
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- rds-db:connect
Resource:
Fn::Join:
- ':'
- - arn:aws:rds-db
- Ref: AWS::Region
- Ref: AWS::AccountId
- dbuser
- Fn::Join:
- '/'
- - Fn::GetAtt:
- Database
- DbiResourceId
- ${self:custom.config.database.proxyUser} # This is pulled from the other parts of the config and work correctly.
DatabaseProxy:
Type: AWS::RDS::DBProxy
Properties:
DBProxyName: my-db-proxy
Auth: # \
- AuthScheme: SECRETS # |
IAMAuth: REQUIRED # | - This is questionable
SecretArn: # |
Ref: DatabaseSecret # /
EngineFamily: POSTGRESQL
IdleClientTimeout: 1800
RequireTLS: true
RoleArn:
Fn::GetAtt:
- DatabaseProxyRole
- Arn
VpcSecurityGroupIds:
- ${cf:${self:custom.config.stackName.prerequisites}.GeneralSecurityGroupId} # This is pulled from a different CloudFormation stack and work correctly.
VpcSubnetIds:
- ${cf:${self:custom.config.stackName.prerequisites}.PrivateSubnet1} # This is pulled from a different CloudFormation stack and work correctly.
- ${cf:${self:custom.config.stackName.prerequisites}.PrivateSubnet2} # This is pulled from a different CloudFormation stack and work correctly.
- ${cf:${self:custom.config.stackName.prerequisites}.PrivateSubnet3} # This is pulled from a different CloudFormation stack and work correctly.
DatabaseProxyTargetGroup:
Type: AWS::RDS::DBProxyTargetGroup
Properties:
DBProxyName:
Ref: DatabaseProxy
DBInstanceIdentifiers:
- Ref: Database
TargetGroupName: default
DatabaseSecretAttachment:
Type: AWS::SecretsManager::SecretTargetAttachment
Properties:
SecretId:
Ref: DatabaseSecret
TargetId:
Ref: Database
TargetType: AWS::RDS::DBInstance
Upvotes: 0
Views: 164
Answers (0)
Related Questions
- RDS Proxy IAM Authentication from Python Lambda
- Is there a way to run initial SQL when creating an RDS database instance using CloudFormation?
- AWS Lambda Function Timeout on Connecting To RDS Database through RDS Proxy
- Connect to RDS Proxy from EC2 using IAM role
- RDS Proxy IAM role unable to retrieve credentials from secret
- How can I add database proxy in lambda via cloudformation?
- Golang AWS SDK and RDS Proxy IAM Auth
- can AWS Lambda connect to RDS mySQL database and update the database?