AWS RDS PostgreSQL
Integrate with AWS-managed PostgreSQL for secure access management
PostgreSQL databases are open-source relational database management systems emphasizing extensibility and SQL compliance. AWS enables developers to create cloud-hosted PostgreSQL databases.
Through this integration, Apono helps you securely manage access to your AWS RDS for PostgreSQL instances.
Prerequisites
Before starting this integration, create the items listed in the following table.
Item | Description |
---|---|
Apono connector | On-prem connection with network access to your AWS RDS for PostgreSQL instances
Minimum Required Version: 1.5.3 Use the following steps to update an existing connector. NOTE: When installing the Apono connector with CloudFormation, the AWS RDS database policy is automatically created. If you do not use CloudFormation, you must create the following policy and assign it to the Apono connector role.
|
PostgreSQL Info | Information for the database instance to be integrated:
|
AWS Tag | (Optional) Metadata label assigned to AWS resources
Adding an AWS tag enables Apono to discover and add resources on your behalf. When adding an AWS tag, use the following information:
|
Create an AWS RDS PostgreSQL user
You must create a user in your AWS RDS PostgreSQL instance for the Apono connector and grant that user permissions to your databases.
Follow these steps to create a user and grant it database permissions:
-
Create a new user with either Built-in authentication or IAM authentication.
You can use only one authentication option on the RDS instance at a time.
Built-in Authentication
Built-in authentication identifies a user through a username and password.
To set the username and password, run the following command from your Postgre client:
CREATE USER 'apono_connector'@'%' IDENTIFIED BY 'password';
Be sure to select a strong password for the user.
IAM authentication
After enabling IAM on your RDS instance, create an AWSAuthenticationPlugin user for the Apono connector. AWSAuthenticationPlugin is an AWS-provided plugin that works seamlessly with IAM to authenticate your users.
To create the user, run the following commands from your Postgre client:
CREATE USER apono_connector; GRANT rds_iam TO apono_connector;
-
From your preferred client tool, grant
rds_superuser
access to the user:ALTER USER apono_connector WITH CREATEROLE; GRANT rds_superuser TO apono_connector;
Permission Description ALTER USER apono_connector WITH CREATEROLE; Allows the Apono connector to create, alter, and drop user roles GRANT rds_superuser TO apono_connector; Assigns the RDS superuser role to the Apono connector, providing comprehensive permissions for database management
-
(IAM authentication only) Create and attach the following IAM policy to your identity center permissions set or role:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "rds-db:connect" ], "Resource": [ "arn:aws:rds-db:*:*:dbuser:*/${SAML:sub}" ] }, { "Effect": "Allow", "Action": [ "rds:DescribeDBInstances" ], "Resource": [ "arn:aws:rds:*:*:db:*" ] } ] }
-
(Built-in authentication only) Create an AWS secret with the credentials from step 1.
When using IAM authentication, a secret does not need to be created.
The service account and its permissions are managed through IAM roles and policies. The service account is used to authenticate the PostgreSQL instance instead of a secret.
Integrate AWS RDS for PostgreSQL
Follow these steps to complete the integration:
-
On the Catalog tab, click AWS RDS PostgreSQL. The Connect AWS RDS PostgreSQL page appears.
-
From the dropdown menu, select a connector.
If the desired connector is not listed, click + Add new connector and follow the instructions for creating an AWS connector.
-
Under Select resource types, click one or more resource types and cloud services to sync with Apono.
-
Click Next. The Complete setup page appears.
-
Enter a unique, alphanumeric, user-friendly Integration Name. This name is used to identify the integration when constructing an access flow.
-
From the dropdown menu, select the Auth Type of the integration. You must select the same authentication option used when creating the user (step 1).
Option Description IAM Auth Cloud IAM authentication. User / Password Built-in authentication -
From the dropdown menu, select a Region. You may select only one region.
-
Enter the Instance ID of the RDS instance.
-
(Optional) From the SSL Mode dropdown menu, select the mode of Secure Sockets Layer (SSL) encryption used to secure the connection with the SQL database server.
SSL Mode Description require (Recommended) An SSL-encrypted connection must be used allow An SSL-encrypted or unencrypted connection is used
If an SSL encrypted connection is unavailable, the unencrypted connection is used.disable An unencrypted connection is used prefer An SSL-encrypted connection is attempted
If the encrypted connection is unavailable, the unencrypted connection is used.verify-ca An SSL-encrypted connection must be used, and a server certification verification against the provided CA certificates must pass verify-full An SSL-encrypted connection must be used, and a server certification verification against the provided CA certificates must pass
Additionally, the server hostname is checked against the certificate's names. -
(Optional) Enter the Credentials rotation period (in days).
-
(User / Password only) Under Secret Store, associate the secret.
A secret is not needed for IAM authentication.
-
Click Connect.
Now that you have completed this integration, you can create access flows that grant permission to your AWS RDS for PostgreSQL database.
Updated about 1 month ago