AWS RDS MySQL

MySQL is a reliable, stable, and secure open-source relational database system serving as a primary data store for various applications, websites, and products, including mission-critical applications and dynamic websites. AWS enables developers to create cloud-hosted MySQL databases.

Through this integration, Apono helps you securely manage access to your AWS RDS for MySQL instances.

Prerequisites

Before starting this integration, create the items listed in the following table.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "rds-db:connect",
            "Resource": "arn:aws:rds-db:*:*:dbuser:*/apono_connector",
            "Effect": "Allow"
        }
    ]
}

Create an AWS RDS MySQL user

You must create a user in your AWS RDS MySQL instance for the Apono connector and grant that user permissions to your databases.

Follow these steps to create a user and grant it database permissions:

1. Create a new user with either Built-in authentication or IAM authentication.

   ⚠️

   You can use only one authentication option on the RDS instance at a time.

   Built-in Authentication

   
   Built-in authentication identifies a user through a username and password.
   
   To set the username and password, run the following command from your MySQL client:
   
   

   CREATE USER 'apono_connector'@'%' IDENTIFIED BY 'password';
   

   Be sure to select a strong password for the user.
   
   

   
   
   IAM authentication

   
   After enabling IAM on your RDS instance, create an AWSAuthenticationPlugin user for the Apono connector. AWSAuthenticationPlugin is an AWS-provided plugin that works seamlessly with IAM to authenticate your users.
   
   

   To create the user, run the following commands from your MySQL client:
   

   CREATE USER apono_connector IDENTIFIED WITH AWSAuthenticationPlugin AS 'RDS';
   

   
   

2. From your preferred client tool, grant the following accesses to the user:
   

   GRANT SHOW DATABASES ON *.* TO 'apono_connector'@'%';
   GRANT CREATE USER ON *.* TO 'apono_connector'@'%';  
   GRANT UPDATE ON mysql.* TO 'apono_connector'@'%';  
   GRANT PROCESS ON *.* TO 'apono_connector'@'%';
   

   
   

   Permission	Description
   GRANT SHOW DATABASES ON . TO 'apono_connector'@'%';	Allows the user to view all databases in the RDS instance
   GRANT CREATE USER ON . TO 'apono_connector'@'%';	Grants the ability to create new users
   GRANT UPDATE ON mysql.* TO 'apono_connector'@'%';	Permits updates in the MySQL system database, including user privileges
   GRANT PROCESS ON . TO 'apono_connector'@'%';	Allows viewing the server's process list, including all executing queries

   
   

3. (IAM authentication only) Create and attach the following IAM policy to your identity center permissions set or role:
   

   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Effect": "Allow",
               "Action": [
                   "rds-db:connect"
               ],
               "Resource": [
                   "arn:aws:rds-db:*:*:dbuser:*/${SAML:sub}"
               ]
           },
           {
               "Effect": "Allow",
               "Action": [
                   "rds:DescribeDBInstances"
               ],
               "Resource": [
                   "arn:aws:rds:*:*:db:*"
               ]
           }
       ]
   }
   

   
   

4. (Built-in authentication only) Create an AWS secret with the credentials from step 1.

   ℹ️

   When using IAM authentication, a secret does not need to be created.

   The service account and its permissions are managed through IAM roles and policies. The service account is used to authenticate the MySQL instance instead of a secret.

Integrate AWS RDS for MySQL

Follow these steps to complete the integration:

1. On the Catalog tab, click AWS RDS MySQL. The Connect AWS RDS MySQL page appears.

2. From the dropdown menu, select a connector.

   💡

   If the desired connector is not listed, click + Add new connector and follow the instructions for creating an AWS connector.

3. Click Next. The Complete setup page appears.

4. Enter a unique, alphanumeric, user-friendly Integration Name. This name is used to identify the integration when constructing an access flow.

5. From the dropdown menu, select the Auth Type of the integration. You must select the same authentication option used when creating the user (step 1).

   Option	Description
   IAM Auth	Cloud IAM authentication.
   User / Password	Built-in authentication

6. From the dropdown menu, select a Region. You may select only one region.

7. Enter the Instance ID of the RDS instance.

8. (Optional) From the SSL Mode dropdown menu, select the mode of Secure Sockets Layer (SSL) encryption used to secure the connection with the SQL database server.

   SSL Mode	Description
   require	(Recommended) An SSL-encrypted connection must be used
   allow	An SSL-encrypted or unencrypted connection is used If an SSL encrypted connection is unavailable, the unencrypted connection is used.
   disable	An unencrypted connection is used
   prefer	An SSL-encrypted connection is attempted If the encrypted connection is unavailable, the unencrypted connection is used.
   verify-ca	An SSL-encrypted connection must be used, and a server certification verification against the provided CA certificates must pass
   verify-full	An SSL-encrypted connection must be used, and a server certification verification against the provided CA certificates must pass Additionally, the server hostname is checked against the certificate's names.

9. (Optional) Enter the Credentials rotation period (in days).

10. (User / Password only) Under Secret Store, associate the secret.

    ℹ️

    A secret is not needed for IAM authentication.

11. Click Connect.

Now that you have completed this integration, you can create access flows that grant permission to your AWS RDS for MySQL database.