fix(aws-rds): correct Policy resource for Proxy::grantConnect() #12416
Conversation
fixes aws#12415 To generate the correct policy, the DatabaseProxy ARN is parsed and the resulting components are used along with a new parameter to grantConnect. The unit test was updated and passes. Caveat lector, I was not able to get a full docker build or a full local build to work on my box. I'm not sure if this should be considered a breaking change. While it technically alters the functionality of a published function, the current behavior provides no utility.
|
|
github-actions
bot
added
the
@aws-cdk/aws-rds
jdvornek
force-pushed
the
fix/dbproxy-grantconnect-policy
branch
from
a7b0843 to
c86fd64
Compare
|
I have one general question. What's the |
|
The |
|
OK. So the |
|
The documentation could be more clear, but that's my understanding and how it has worked practically for me in use. I didn't know if |
|
Thanks! One last question 🙂. Does the |
|
If |
|
Thanks @jdvornek . Now that I have a clearer picture of what this entails, here's my idea. Let's make the
Of course, if Does this make sense? |
|
I had considered making it optional via simply adding a wildcard at the end of the policy if a |
|
Would you mind me pushing a few |
|
No worries, go for it! I just figured I'd tread lightly, but if there's a better fix to be had I'm on board. |
|
@jdvornek I've pushed the code that I'd like to see for this feature. Let me know what you think! |
|
On proxy.ts:347 it looks like you reference On another note I just wanted to confirm that the automatic reference of a single-secret-proxy's username would work with a proxy constructed with an imported secret, since the current implementation relies only on the secret's |
So,
Does this address your concern @jdvornek?
What's the worry here? Why do you think there's a difference in the current version between imported and new Secrets? |
|
Trying to construct a minimal example: const cdk = require('@aws-cdk/core');
const ec2 = require('@aws-cdk/aws-ec2');
const rds = require('@aws-cdk/aws-rds');
const iam = require('@aws-cdk/aws-iam');
class CdkTestStack extends cdk.Stack {
constructor(scope, id, props) {
super(scope, id, props);
const vpc = new ec2.Vpc(this, 'VPC');
const cluster = new rds.DatabaseCluster(this, 'Database', {
engine: rds.DatabaseClusterEngine.AURORA,
instanceProps: { vpc },
});
const proxy = new rds.DatabaseProxy(this, 'ThisIsMyProxy', {
proxyTarget: rds.ProxyTarget.fromCluster(cluster),
secrets: [cluster.secret],
vpc,
});
const role = new iam.Role(this, 'Role', {
assumedBy: new iam.ServicePrincipal('ecs-tasks.amazonaws.com')
});
const userArn = cdk.Stack.of(this).formatArn({
service: 'rds-db',
resource: 'dbuser',
resourceName: `${proxy.dbProxyName}/test`,
sep: ':',
});
iam.Grant.addToPrincipal({
grantee: role,
actions: ['rds-db:connect'],
resourceArns: [userArn],
});
}
}
module.exports = { CdkTestStack }
ThisIsMyProxy168A5452:
Type: AWS::RDS::DBProxy
Properties:
Auth:
- AuthScheme: SECRETS
IAMAuth: DISABLED
SecretArn:
Ref: DatabaseSecretAttachmentE5D1B020
DBProxyName: ThisIsMyProxy ##### <----- Proxy name
EngineFamily: MYSQL
RoleArn:
Fn::GetAtt:
- ThisIsMyProxyIAMRole0CCAB74A
- Arn
VpcSubnetIds:
- Ref: VPCPrivateSubnet1Subnet8BCA10E0
- Ref: VPCPrivateSubnet2SubnetCFCDAA7A
RequireTLS: true
Metadata:
aws:cdk:path: CdkTestStack/ThisIsMyProxy/Resourceand RoleDefaultPolicy5FFB7DAB:
Type: AWS::IAM::Policy
Properties:
PolicyDocument:
Statement:
- Action: rds-db:connect
Effect: Allow
Resource:
Fn::Join:
- ""
- - "arn:"
- Ref: AWS::Partition
- ":rds-db:"
- Ref: AWS::Region
- ":"
- Ref: AWS::AccountId
- ":dbuser:"
- Ref: ThisIsMyProxy168A5452
- /testWhen I had previously tested that, it built an ARN like As for an imported |
|
@jdvornek I'm trying to verify the names issue, but for some reason I can't get a simple Stack with an Proxy to deploy correctly 😕. Here's my code, very similar to yours: const vpc = new ec2.Vpc(this, 'VPC', {
maxAzs: 2,
natGateways: 1,
subnetConfiguration: [
{
name: 'rds',
subnetType: ec2.SubnetType.PUBLIC,
},
],
});
const cluster = new rds.DatabaseCluster(this, 'Database', {
engine: rds.DatabaseClusterEngine.AURORA,
instanceProps: {
vpc,
vpcSubnets: { subnetType: ec2.SubnetType.PUBLIC },
},
removalPolicy: cdk.RemovalPolicy.DESTROY,
});
const proxy = new rds.DatabaseProxy(this, 'ThisIsMyProxy', {
proxyTarget: rds.ProxyTarget.fromCluster(cluster),
secrets: [cluster.secret!],
vpc,
});
const role = new iam.Role(this, 'Role', {
assumedBy: new iam.ServicePrincipal('ecs-tasks.amazonaws.com')
});
const userArn = cdk.Stack.of(this).formatArn({
service: 'rds-db',
resource: 'dbuser',
resourceName: `${proxy.dbProxyName}/test`,
sep: ':',
});
iam.Grant.addToPrincipal({
grantee: role,
actions: ['rds-db:connect'],
resourceArns: [userArn],
});However, Any idea what's wrong...? Is there something missing in the |
|
Yes; from the generated template: "ThisIsMyProxyProxyTargetGroup1311A5BA": {
"Type": "AWS::RDS::DBProxyTargetGroup",
"Properties": {
"DBProxyName": {
"Ref": "ThisIsMyProxy168A5452"
},
"TargetGroupName": "default",
"ConnectionPoolConfigurationInfo": {},
"DBClusterIdentifiers": [
{
"Ref": "DatabaseB269D8BB"
}
]
},
"DependsOn": [
"DatabaseInstance1844F58FD",
"DatabaseInstance2AA380DEE",
"DatabaseB269D8BB",
"DatabaseSecretAttachmentE5D1B020",
"DatabaseSecret3B817195",
"DatabaseSecurityGroup5C91FDCB",
"DatabaseSubnets56F17B9A"
],
"Metadata": {
"aws:cdk:path": "RdsClusterWithProxyStack/ThisIsMyProxy/ProxyTargetGroup"
}
}, |
|
@skinny85 Any further luck here? I'm not sure it has any bearing on the deploy hanging, but I wonder if, for proxies not passed |
|
OK, this worked: const vpc = new ec2.Vpc(this, 'VPC', {
maxAzs: 2,
natGateways: 1,
subnetConfiguration: [
{
name: 'rds',
subnetType: ec2.SubnetType.PUBLIC,
},
],
});
const cluster = new rds.DatabaseCluster(this, 'Database', {
engine: rds.DatabaseClusterEngine.AURORA,
instanceProps: {
vpc,
vpcSubnets: { subnetType: ec2.SubnetType.PUBLIC },
},
instances: 1,
removalPolicy: cdk.RemovalPolicy.DESTROY,
});
const proxySecurityGroup = new ec2.SecurityGroup(this, 'ProxySecurityGroup', {
vpc,
});
const proxy = new rds.DatabaseProxy(this, 'ThisIsMyProxy', {
proxyTarget: rds.ProxyTarget.fromCluster(cluster),
secrets: [cluster.secret!],
vpc,
securityGroups: [proxySecurityGroup],
});
proxy.connections.allowTo(cluster, ec2.Port.allTraffic());
cluster.connections.allowTo(proxy, ec2.Port.allTraffic());
const role = new iam.Role(this, 'Role', {
assumedBy: new iam.ServicePrincipal('ecs-tasks.amazonaws.com')
});
const userArn = cdk.Stack.of(this).formatArn({
service: 'rds-db',
resource: 'dbuser',
resourceName: `${proxy.dbProxyName}/test`,
sep: ':',
});
iam.Grant.addToPrincipal({
grantee: role,
actions: ['rds-db:connect'],
resourceArns: [userArn],
});Definitely looks like we have something missing with the default connection setup between the Proxy and the Cluster. |
|
OK, I can confirm you are in fact correct @jdvornek . There are two identifiers here:
Let me try and figure out the connections problems first, and I'll get back to this PR in a sec. |
|
PR fixing the connectivity Proxy issue: #12953 |
|
@jdvornek I've changed the code to use the Proxy generated identifier. Do you mind taking another look? |
|
@skinny85 looks good to me, thanks. |
…nnect-policy # Conflicts: # packages/@aws-cdk/aws-rds/test/proxy.test.ts
|
Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
|
Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
…12416) fixes aws#12415 To generate the correct policy, the DatabaseProxy ARN is parsed and the resulting components are used along with a new parameter to grantConnect. The unit test was updated and passes. Caveat lector, I was not able to get a full docker build or a full local build to work on my box. I'm not sure if this should be considered a breaking change. While it technically alters the functionality of a published function, the current behavior provides no utility. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
fixes #12415 To generate the correct policy, the DatabaseProxy ARN is parsed and the resulting components are used along with a new parameter to grantConnect. The unit test was updated and passes. Caveat lector, I was not able to get a full docker build or a full local build to work on my box. I'm not sure if this should be considered a breaking change. While it technically alters the functionality of a published function, the current behavior provides no utility. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
|
hey all, I'm trying use an RDS proxy with iam auth into my postgres rds instance. I currently have a direct connection set up between my lambdas and rds instance via iam auth using the workaround here. Why is a secret still required when using |
|
@alex9311 I think that secret is for the proxy connecting to the database itself, not clients connecting to the database/proxy directly. |
|
@alex9311 sorry to piggy back off of your comment, but I've found my way here with the same question as you. @skinny85's comment makes some sense to me, but I'm still at a bit of a loss for how to setup iamAuth with RDS Proxy in CDK. My basic goal (just a PoC) at this point is to allow a Lambda function to connect through RDS Proxy to a RDS Postgres DB (Aurora Serverless v2). I'm building out a multi-tenant setup, and I don't want ot have to update the RDS Proxy each time a new user is added, hence me wanting to connect through RDS Proxy with IAM, but with different DB credentials. Any chance you managed to get this sorted? |
The [IAM policy for IAM database access](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.IAMPolicy.html) takes the form of: ``` arn:aws:rds-db:region:account-id:dbuser:DbiResourceId/db-user-name ``` Following aws-cloudformation/cloudformation-coverage-roadmap#105, this change updates the ARN used in `grantConnect` to this format. Additionally, update the signature of `grantConnect` to take an optional `dbUser`, which is defaulted to the master username of the database, obtained via the available `Secret`. This signature change also matches `grantConnect` in `DatabaseProxy`. See #12416. Closes #11851. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
fixes #12415
To generate the correct policy, the DatabaseProxy ARN is parsed
and the resulting components are used along with a new parameter
to grantConnect.
The unit test was updated and passes. Caveat lector, I was not
able to get a full docker build or a full local build to work on
my box.
I'm not sure if this should be considered a breaking change. While
it technically alters the functionality of a published function,
the current behavior provides no utility.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license