Thanks for the video, this is my starting point in MySQL-IAM
Some questions that aren't clear from the video:
1) I just use the EC2 service for the IAM role, correct?
2) Does the IAM role need to be attached to a specific instance?
3) What or whose credentials am I meant to be using for AWS CLI access in order to run the "aws RDS generate-db-auth-token" command?
I've followed the guide precisely but some areas aren't detailed enough and I'm failing to log in with the authtoken that I'm generating.
Thanks.
In the pre-requisite 3 of the document, you see the permissions that are attached to the role. The EC2 instance will leverage these permissions to generate the token and use the same to communicate with the RDS instance.
Here you explained that it is not suitable for production; what is your suggested best practice for production? Thank you.
(YMMV) If the number of connections to your database is going to be very low, then you can still use this in production. But those kinds of use cases are very rare.
Ideally, you will have a userid/password for your db to connect.
This really gave good insights into how to connect to MySQL with IAM. Do you have any video on PostgreSQL with the same requirement? If not, I would love to see one. Thanks!
PostgreSQL should (most probably) use similar syntax. Shouldn't be too difficult to set it up yourself based on this one. If you have any difficulty, let us know, we can help. Good Luck; Happy Learning
We are using Postgres RDS and we tried all these procedures for IAM authentication to Postgres RDS, but it's not working. Can you please post a video regarding Postgres RDS?
You don't need to have the MySQL service running in the "tux" box, you only need to have the MySQL client installed.
Correct! Can you raise a Pull Request (PR)?
@ValaxyTechnologies More than happy to ;) github.com/miztiik/AWS-Demos/pull/9
Thanks for the video. So if I have 100 users, should I attach 100 inline policies to my EC2? Do I still need to attach an inline policy, even after creating a DB account for the user and configuring him with RDS to connect through IAM?
Inline policies can't be attached, as they only live inside a single place inside a role. The permissions he's adding are the ROLE that the EC2 will ASSUME when interacting with the database. It simply allows the EC2 permissions to "rds:connect" to the resource (user@database). Any number of EC2s could assume that role simultaneously.
You could also create a single policy attached to a single IAM group and add your users there.
If there's a use case where your EC2 might have to connect to a database as 100 different users, I would suggest adding a wildcard to the policy expression where the username is, but my gut says there's a better overall solution for what you might be trying to accomplish.
Is there a way to use IAM to connect with MySQL Workbench?
Interesting question, I don't know the features of Workbench.
I would look to see if Workbench can leverage the role/credentials from environment variables.
aws.amazon.com/blogs/database/use-iam-authentication-to-connect-with-sql-workbenchj-to-amazon-aurora-mysql-or-amazon-rds-for-mysql/
The screen was not clear.
This video is available in High Definition @ 1080p. Can you please try changing the resolution of the video when you are watching? RUclips usually adjusts it based on your internet speed.
I was able to generate the token without the token variable, however, when I try to authenticate in the last step I get the following error: ERROR 1045 (28000): Access denied for user 'db_iam_user'@'172.x.x.xxx' (using password: YES). I haven't figured it out yet...
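An added example (not code from the video or its repo) of what `aws rds generate-db-auth-token` produces: a SigV4 query-signed request for the `rds-db` service, bound to host, port and DBUser and valid for 15 minutes, computed from the role's credentials without any call to AWS. The endpoint and keys below are constructed, and `token_details` pulls out the fields to compare against the `mysql` command line when the login is refused as in the 'Access denied' comment above.

```python
import datetime, hashlib, hmac
from urllib.parse import parse_qs, urlencode, urlsplit

UTC = datetime.timezone.utc
# Constructed example values: not a real endpoint, key id or secret.
EXAMPLE = dict(host="mydb.example.us-east-1.rds.amazonaws.com", port=3306,
               db_user="db_iam_user", region="us-east-1",
               akid="AKIAEXAMPLEKEY000000", secret="example-secret-not-real")

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def generate_db_auth_token(host, port, db_user, region, akid, secret,
                           now=None, expires=900):
    """SigV4 query-signed GET of /?Action=connect&DBUser=... for service
    'rds-db'. Runs locally: the role's credentials sign, nothing is sent."""
    now = now or datetime.datetime.now(UTC)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    scope = f"{amz_date[:8]}/{region}/rds-db/aws4_request"
    params = {"Action": "connect", "DBUser": db_user,
              "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
              "X-Amz-Credential": f"{akid}/{scope}", "X-Amz-Date": amz_date,
              "X-Amz-Expires": str(expires), "X-Amz-SignedHeaders": "host"}
    query = urlencode(sorted(params.items()))  # canonical: sorted, %-encoded
    canonical = "\n".join(["GET", "/", query, f"host:{host}:{port}\n", "host",
                           hashlib.sha256(b"").hexdigest()])  # empty body
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                         hashlib.sha256(canonical.encode()).hexdigest()])
    key = ("AWS4" + secret).encode()
    for part in (amz_date[:8], region, "rds-db", "aws4_request"):
        key = _hmac(key, part)  # derive the scoped signing key
    sig = hmac.new(key, to_sign.encode(), hashlib.sha256).hexdigest()
    return f"{host}:{port}/?{query}&X-Amz-Signature={sig}"

def token_details(token):
    """Fields to compare against the mysql command line when you get
    'Access denied': the token only works for this host, port and DBUser,
    and only until expires_at (15 minutes after issue by default)."""
    parts = urlsplit("https://" + token)
    q = parse_qs(parts.query)
    issued = datetime.datetime.strptime(
        q["X-Amz-Date"][0], "%Y%m%dT%H%M%SZ").replace(tzinfo=UTC)
    return {"host": parts.hostname, "port": parts.port, "db_user": q["DBUser"][0],
            "expires_at": issued + datetime.timedelta(seconds=int(q["X-Amz-Expires"][0]))}

if __name__ == "__main__":
    print(token_details(generate_db_auth_token(**EXAMPLE)))
```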