Skip to content

IAM Authentication for AWS RDS

This support is available from Privacera Release 9.0.2.2/9.0.4.1 onwards.

This guide provides step-by-step instructions to enable IAM authentication for RDS. IAM authentication allows you to use AWS Identity and Access Management (IAM) roles to manage database access. This feature provides a secure way to connect to your RDS database without the need to manage database credentials.

There are four Access Management services that use databases.

Service Supported Optional
Privacera Portal Yes No
Apache Ranger Admin Yes No
Privacera Ops Server Yes Yes
Privacera Scheme Server Yes Yes

The Discovery module is not supported with IAM authentication.

AWS RDS supports multiple database engines, and Privacera provides a compatibility matrix.
For more details Click here

Engine Version Supported
Aurora PostgreSQL 16.1 Yes

Prerequisites

Prerequisite Description
AWS RDS Database An existing RDS database cluster or the ability to create a new one.
AWS Management Console Access Access to the AWS Management Console. This is optional if you will be automating the setup
IAM User IAM user with privileges to modify RDS and create roles/policies.

Note

This guide uses AWS Management Console for the setup. You can also use the AWS CLI or SDK to automate the setup. Please note these steps are for reference only. Please refer to the AWS documentation for the latest instructions.

Setup

Step 1: Create or Modify an RDS Cluster

  1. Go to the AWS Management Console.
  2. Navigate to RDS:
    • Select Create Database or an Existing Database.
  3. Modify Database Settings:
    • Click on Modify.
    • Under Database Authentication, ensure that IAM database authentication is enabled.
  4. Save Changes.

Step 2: Grant Permissions on the Database

Once IAM authentication is enabled, grant the rds_iam role to the database user.

  1. Connect to the database: Use the master username and password to connect via a SQL client such as DBeaver, MySQL Workbench, psql, or AWS RDS Query Editor.
  2. Grant IAM Access (for PostgreSQL):
    SQL
    1
2
    CREATE USER "privacera" WITH LOGIN;
GRANT rds_iam TO "privacera";

Tip

  • Use privacera as the database user. If you are using a different user, then please consult Privacera's support. Also subsequent steps will need to be adjusted accordingly.
  • The rds_iam role is a predefined role that allows IAM authentication.

Step 3: Create the Privacera Database (privacera_db)

  1. Create Database for Privacer: Use the same SQL client to run the following commands to create the Privacera database and assign privileges:

    SQL
    1
2
3
4
5
    CREATE DATABASE privacera_db;

GRANT ALL PRIVILEGES ON DATABASE privacera_db TO privacera;
GRANT ALL ON SCHEMA public TO privacera;
GRANT CREATE ON SCHEMA public TO privacera;

  2. Verify Permissions: Connect to privacera_db and run the query below to verify the granted privileges:

SQL
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
SELECT r.rolname AS grantee,
       n.nspname AS schema,
       CASE
           WHEN has_schema_privilege(r.rolname, n.nspname, 'USAGE') THEN 'USAGE'
           ELSE NULL
       END AS usage_privilege,
       CASE
           WHEN has_schema_privilege(r.rolname, n.nspname, 'CREATE') THEN 'CREATE'
           ELSE NULL
       END AS create_privilege
FROM pg_roles r
JOIN pg_catalog.pg_namespace n ON n.nspname = 'public'
WHERE r.rolname = 'privacera';
The output should display all the privileges assigned to privacera in the format mentioned.

grantee schema usage_privilege create_privilege
privacera public USAGE CREATE

Step 4: Create an IAM Role and Policy for RDS

Create IAM Policy

  1. Navigate to IAMPoliciesCreate Policy.

  2. Click on the JSON tab and paste the following policy snippet:

    JSON
     1
 2
 3
 4
 5
 6
 7
 8
 9
10
    {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "rds-db:connect",
      "Resource": "arn:aws:rds-db:<region>:<account-id>:dbuser:<db-cluster-id>/privacera"
    }
  ]
}

    Tip

    • Replace <region>, <account-id>, and <db-cluster-id> with your AWS region, account ID, and Regional cluster resource ID respectively.
    • The rds-db:connect action allows the IAM role to connect to the RDS database.
    • The database user is privacera as per the previous steps. Update the name if you are using a different user.

  3. Click Next and save the policy with the name privacera-rds-policy and a description like Privacera RDS Policy.

  4. Click on Create Policy.

Create Role for the policy

  1. Navigate to IAMRolesCreate Role.
  2. Select Trusted entity and choose Web identity.
  3. Enter Details:
    • Identity provider: Select OIDC provider.
    • Audience: sts.amazonaws.com
  4. Add Condition:
    • Key: Select OIDC provider.
    • Condition: StringLike
    • Value: system:serviceaccount:*privacera-sa
  5. Click Next.
  6. Attach Policy:
    • Enter in the search box: privacera-rds-policy.
  7. Click Next.
  8. Enter Role Details:
    • Role Name: privacera-rds-role
    • Description: This role is used by Privacera to connect to RDS.
  9. Click Create Role.

Step 5: Changes for Privacera-Manager

Changes for External DB

  1. Open Terminal and SSH to the instance where Privacera-Manager is installed.

  2. Create external DB variables in the custom-config and update properties.

    Bash
    1
2
3
4
5
    #Follow the steps below to copy the vars and update the variables. 
#If the file is already present, then file will not be overwritten.
cd privacera/privacera-manager
cp -n config/sample-vars/vars.external.db.postgres.yml config/custom-vars/
vi config/custom-vars/vars.external.db.postgres.yml
    • Update the following variables:

    YAML
    1
2
3
4
5
6
     EXTERNAL_DB_USE_IAM_AUTH: "true"
 EXTERNAL_DB_REGION: "<REGION>"

 EXTERNAL_DB_HOST: "<PLEASE_CHANGE>"
 EXTERNAL_DB_NAME: "privacera_db"
 EXTERNAL_DB_USER: "privacera"
    - Replace:

    Tip

    • REGION - AWS region where the RDS is located.
    • EXTERNAL_DB_HOST - Endpoint URL of the RDS Postgres.
    • EXTERNAL_DB_NAME - If you have created a different database, update the name here.
    • EXTERNAL_DB_USER - If you have created a different user, update the name here.

Changes for Portal

  1. Update variables for the service Portal.

  2. Copy vars to custom-config if they are not present.

    Bash
    1
2
3
4
5
    #Follow the steps below to copy the vars and update the variables.
#If the file is already present, then file will not be overwritten. 
cd privacera/privacera-manager
cp -n config/sample-vars/vars.portal.yml config/custom-vars/ 
vi config/custom-vars/vars.portal.yml

  3. Update the following variables:

    YAML
    1
2
3
    ##Update below two variables to use pod level IAM role 
PORTAL_USE_POD_IAM_ROLE: "true"
PORTAL_IAM_ROLE_ARN: "<ROLE_ARN>"

    Tip

    Replace: - ROLE_ARN - Copy the Role ARN created in the previous section. E.g. arn:aws:iam::123456789012:role/privacera-rds-role

Changes for Ranger

  1. Update Ranger variables in the custom-config.

  2. Copy vars to custom-config if they are not present.

    Bash
    1
2
3
4
5
    # Follow the steps below to copy the vars and update the variables.
# If the file is already present, then file will not be overwritten.
cd privacera/privacera-manager
cp -n config/sample-vars/vars.ranger-admin.yml config/custom-vars/
vi config/custom-vars/vars.ranger-admin.yml
    YAML
    1
2
3
    #Update below two variables to use pod level IAM role 
RANGER_USE_POD_IAM_ROLE: "true"
RANGER_IAM_ROLE_ARN: "<ROLE_ARN>"

    Tip

    Replace: - ROLE_ARN - Copy the Role ARN created in the previous section. E.g. arn:aws:iam::123456789012:role/privacera-rds-role

Changes for Ops Server

  1. Update Ops-server variables in the custom-config.

  2. Copy vars to custom-config if they are not present.

  3. Update the following variables:

    Bash
    1
2
3
4
5
6
7
    #Follow the steps below to copy the vars and update the variables.
#If the file is already present, then file will not be overwritten.
cd privacera/privacera-manager
cp -n config/sample-vars/vars.ops-server.yaml config/custom-vars/

#Update variables to use pod level IAM role 
vi config/custom-vars/vars.ops-server.yaml
    YAML
    1
2
3
    #Update variables to use pod level IAM role 
OPS_SERVER_USE_POD_IAM_ROLE: "true"
OPS_SERVER_IAM_ROLE_ARN: "<ROLE_ARN>"

    Tip

    Replace: - ROLE_ARN - Copy the Role ARN created in the previous section. E.g. arn:aws:iam::123456789012:role/privacera-rds-role

Changes for Scheme Server

  1. Update Scheme-server variables in the custom-config.

  2. Copy vars to custom-config if they are not present.

  3. Update the following variables:

    Bash
    1
2
3
4
5
6
7
    #Follow the steps below to copy the vars and update the variables.
#If the file is already present, then file will not be overwritten.
cd privacera/privacera-manager
cp -n config/sample-vars/vars.peg.yml config/custom-vars/

#Update variables to use pod level IAM role 
vi config/custom-vars/vars.peg.yml
    YAML
    1
2
3
    #Update variables to use pod level IAM role 
SCHEME_SERVER_USE_POD_IAM_ROLE: "true"
SCHEME_SERVER_IAM_ROLE_ARN: "<ROLE_ARN>"

    Tip

    Replace: - ROLE_ARN - Copy the Role ARN created in the previous section. E.g. arn:aws:iam::123456789012:role/privacera-rds-role

Step 6: Apply Changes

If you haven't completed the base installation setup, you can skip this step and continue with the base installation steps.

Step 1 - Setup which generates the helm charts. This step usually takes few minutes.

Bash
1
2
cd ~/privacera/privacera-manager
./privacera-manager.sh setup
Step 2 - Apply the Privacera Manager helm charts.
Bash
1
2
cd ~/privacera/privacera-manager
./pm_with_helm.sh upgrade
Step 3 - Post-installation step which generates Plugin tar ball, updates Route 53 DNS and so on.

Bash
1
2
cd ~/privacera/privacera-manager
./privacera-manager.sh post-install

Comments