AWS RDS PostgreSQL

PostgreSQL databases are open-source relational database management systems emphasizing extensibility and SQL compliance. AWS enables developers to create cloud-hosted PostgreSQL databases.

Through this integration, Apono helps you securely manage access to your AWS RDS for PostgreSQL instances.

Prerequisites

Before starting this integration, create the items listed in the following table.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "rds-db:connect",
            "Resource": "arn:aws:rds-db:*:*:dbuser:*/apono_connector",
            "Effect": "Allow"
        }
    ]
}

Create an AWS RDS PostgreSQL user

You must create a user in your AWS RDS PostgreSQL instance for the Apono connector and grant that user permissions to your databases.

Follow these steps to create a user and grant it database permissions:

1. Create a new user with either Built-in authentication or IAM authentication.

   ⚠️

   You can use only one authentication option on the RDS instance at a time.

   Built-in Authentication

   
   Built-in authentication identifies a user through a username and password.
   
   To set the username and password, run the following command from your Postgre client:
   
   

   CREATE USER 'apono_connector'@'%' IDENTIFIED BY 'password';
   

   Be sure to select a strong password for the user.
   
   

   
   
   IAM authentication

   
   After enabling IAM on your RDS instance, create an AWSAuthenticationPlugin user for the Apono connector. AWSAuthenticationPlugin is an AWS-provided plugin that works seamlessly with IAM to authenticate your users.
   
   

   To create the user, run the following commands from your Postgre client:
   

   CREATE USER apono_connector;
   GRANT rds_iam TO apono_connector;
   

   
   

2. From your preferred client tool, grant rds_superuser access to the user:
   

   ALTER USER apono_connector WITH CREATEROLE;
   GRANT rds_superuser TO apono_connector;
   

   
   

   Permission	Description
   ALTER USER apono_connector WITH CREATEROLE;	Allows the Apono connector to create, alter, and drop user roles
   GRANT rds_superuser TO apono_connector;	Assigns the RDS superuser role to the Apono connector, providing comprehensive permissions for database management

   
   

3. (IAM authentication only) Create and attach the following IAM policy to your identity center permissions set or role:
   

   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Effect": "Allow",
               "Action": [
                   "rds-db:connect"
               ],
               "Resource": [
                   "arn:aws:rds-db:*:*:dbuser:*/${SAML:sub}"
               ]
           },
           {
               "Effect": "Allow",
               "Action": [
                   "rds:DescribeDBInstances"
               ],
               "Resource": [
                   "arn:aws:rds:*:*:db:*"
               ]
           }
       ]
   }
   

   
   

4. (Built-in authentication only) Create an AWS secret with the credentials from step 1.

   ℹ️

   When using IAM authentication, a secret does not need to be created.

   The service account and its permissions are managed through IAM roles and policies. The service account is used to authenticate the PostgreSQL instance instead of a secret.

Integrate AWS RDS for PostgreSQL

Follow these steps to complete the integration:

1. On the Catalog tab, click AWS RDS PostgreSQL. The Connect AWS RDS PostgreSQL page appears.

2. From the dropdown menu, select a connector.

   💡

   If the desired connector is not listed, click + Add new connector and follow the instructions for creating an AWS connector.

3. Under Select resource types, click one or more resource types and cloud services to sync with Apono.

4. Click Next. The Complete setup page appears.

5. Enter a unique, alphanumeric, user-friendly Integration Name. This name is used to identify the integration when constructing an access flow.

6. From the dropdown menu, select the Auth Type of the integration. You must select the same authentication option used when creating the user (step 1).

   Option	Description
   IAM Auth	Cloud IAM authentication.
   User / Password	Built-in authentication

7. From the dropdown menu, select a Region. You may select only one region.

8. Enter the Instance ID of the RDS instance.

9. (Optional) From the SSL Mode dropdown menu, select the mode of Secure Sockets Layer (SSL) encryption used to secure the connection with the SQL database server.

   SSL Mode	Description
   require	(Recommended) An SSL-encrypted connection must be used
   allow	An SSL-encrypted or unencrypted connection is used If an SSL encrypted connection is unavailable, the unencrypted connection is used.
   disable	An unencrypted connection is used
   prefer	An SSL-encrypted connection is attempted If the encrypted connection is unavailable, the unencrypted connection is used.
   verify-ca	An SSL-encrypted connection must be used, and a server certification verification against the provided CA certificates must pass
   verify-full	An SSL-encrypted connection must be used, and a server certification verification against the provided CA certificates must pass Additionally, the server hostname is checked against the certificate's names.

10. (Optional) Enter the Credentials rotation period (in days).

11. (User / Password only) Under Secret Store, associate the secret.

    ℹ️

    A secret is not needed for IAM authentication.

12. Click Connect.

Now that you have completed this integration, you can create access flows that grant permission to your AWS RDS for PostgreSQL database.