How can I set up AWS Client VPN using IAM roles for authentication?

Adam A

2/19/24, 10:14 AM

Context: I am trying to set up Postgres RDS in a private_isolated subnet of a VPC. I want to use pgAdmin to do work on it, which means I either need a bastion or a VPN connection. A bastion requires a long-running EC2 instance, and I currently don't have any EC2 running at all. I would like to set up the VPN connection as that seems more to-the-point. We don't have AD or a SAML provider though - we have IAM users and SSO for starting an AWS session. UPDATE: I've realized that IAM can be used at the RDS level to allow session logins. https://aws.amazon.com/premiumsupport/knowledge-center/users-connect-rds-iam/ So that covers at least a related issue.

Client VPN seems to be typically set up using AD or a SAML provider, or manually with mutual authentication using manually created certificates. The former options seem overkill - we are a tiny company and don't need AD or a separate SAML provider. Whereas the manual certificates on the other hand seem prone to human error as there is a lot required to set up the CA or to have each user upload a client certificate.

I am a n00b at sysadmin stuff. Is there a reason I can't use IAM SSO to create a secret that allows me VPN access for an hour, exactly how I do it for logging into the Management Console or using the CLI? Is this doable with the SAML option? Am I asking the wrong questions?

Thanks!

100

2 + 0

amazon-web-services

amazon-iam

vpn-client

Score:0

Server

palvarez

2/24/24, 2:53 PM

Considering you want your database in a private subnet, the only way to connect is through VPN or DirectConnect (expensive), or through an EC2 instance with access to the database (bastion) (See docs https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.Scenarios.html#USER_VPC.Scenario3).

The most cost effective way is using an EC2 instance. Instead of using SSH and get complicated with keys, you can configure the SSM agent in your instance and allow your users to access through the console. Here are the docs: https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-agent.html

+ 1

Adam A

4/4/24, 1:09 AM

While I appreciate this info, it doesn't answer the question, so I cannot mark it as accepted here. Admittedly, it may be a stupid question.

Score:0

Server

Adam A

4/4/24, 1:10 AM

So far, I have come to the conclusion that "you can't" is the short answer. There is probably some roundabout way in a bash script to use IAM users to access some cert which then gets used to connect to the VPN.

Instead, alternatives such as @palvarez mentioned may be the best solution for someone with a similar issue.

+ 0

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: How can I set up AWS Client VPN using IAM roles for authentication?

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.