Score:0

AWS Policy to Read/write RDS

us flag

In my scenario , I want a policy that will allow reading and writing of abc-database-backups/rds/postgresql-backup on S3? We'll want the my servers to have that access added.

Is creating a role and attaching it to the servers is best or adding a key to the server?

I tried this :

aws iam create-policy \
     --policy-name rds-s3-integration-policy \
     --policy-document '{
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Effect": "Allow",
                    "Action": "s3:ListAllMyBuckets",
                    "Resource": "*"
                },
                {
                    "Effect": "Allow",
                    "Action": [
                        "s3:ListBucket",
                        "s3:GetBucketACL",
                        "s3:GetBucketLocation"
                    ],
                    "Resource": "arn:aws:s3:::bucket_name"
                },
                {
                    "Effect": "Allow",
                    "Action": [
                        "s3:GetObject",
                        "s3:PutObject",
                        "s3:ListMultipartUploadParts",
                        "s3:AbortMultipartUpload"
                    ],
                    "Resource": "arn:aws:s3:::bucket_name/key_prefix/*"
                }
            ]
        }' 

I would be very grateful for any help, as my experience in this field is somewhat limited.

Tim avatar
gp flag
Tim
Perhaps you could clarify your question. Are you wanting PostgreSQL on which platform (RDS / EC2) to have access to a specific S3 bucket? This tends to be done with a role. Please include the role definition. It's easier to show the role and policy directly rather than the CLI command to create them.
samtech avatar
us flag
Yes, I want PostgreSQL on RDS to have access to a specific S3 bucket. what is your best advise here , Is creating a role and attaching it to the servers is best or adding a key to the server?
Score:0
gp flag
Tim

Use a service linked role for RDS to provide access to S3 and any other named resources you require. Ensure the RDS instance has this role. You should also read this doc about importing S3 data into RDS PostgreSQL using an extension.

I've adapted some CloudFormation infrastructure as code I have which should set up a role. You'll want to modify the permissions and bucket name to suit your requirements. It should work as-is but I did have to massage my existing code so if it doesn't work 100% please edit the post or comment so I can edit it.

AWSTemplateFormatVersion: '2010-09-09'
Description: Role for RDS

Resources:    
    RdsS3IntegrationRole:
        Type: AWS::IAM::Role
        Properties:
            RoleName: RdsS3IntegrationRole
            AssumeRolePolicyDocument:
                Version: 2012-10-17
                Statement:
                    -
                        Effect: Allow
                        Principal:
                            Service:
                                - rds.amazonaws.com
                        Action:
                            - sts:AssumeRole
                
    RDSS3IntegrationPolicy:
        Type: AWS::IAM::Policy
        Properties:
            Roles:
                - !Ref 'RdsS3IntegrationRole'
            PolicyName: RDSS3IntegrationPolicy
            PolicyDocument:
                Statement:
                    - Effect: Allow
                        Action:
                            - s3:GetObject
                            - s3:ListBucket 
                            - s3:PutObject 
                        Resource:
                            - !Sub 'arn:aws:s3:::bucketname/*'
                            - !Sub 'arn:aws:s3:::bucketname'
                    - Effect: Allow
                        Action:
                            - kms:Decrypt
                            - kms:Encrypt
                            - kms:GenerateDataKey
                            - kms:ReEncryptTo
                            - kms:DescribeKey
                            - kms:ReEncryptFrom
                        Resource:
                            - !Sub 'arn:aws:kms:ap-southeast-2:${AWS::AccountId}:key/*'
mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.