Permissions for IAM policy and Role

0

I have a cloud account with "RDSFullAccess" and "PowerUser" permissions. Full IAM permissions are blocked by the admin, I assume for privacy or security.

I need to move files into/from the Oracle RDS using an S3 bucket and S3 integration.

I created the S3 bucket, but I need to create an IAM policy to grant read/write permission for the S3 bucket, create an IAM role and attach the policy to it, and then assign the role to the RDS instance. What permissions do I need to be granted to do that, and is it possible without full access to IAM?

1 Answer
0
Accepted Answer

You don't mention which database engine it is, but the example here for giving SQL Server access to S3 should by and large have what you need (you may need to tweak a few items for a different DB): https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/User.SQLServer.Options.S3-integration.html

You yourself will need a specific level of privileges within IAM to do that, which it doesn't seem that you have. PowerUserAccess gives you iam:CreateServiceLinkedRole, iam:DeleteServiceLinkedRole & iam:ListRoles, which I don't think is enough for you to create a policy and attach it to a role. You would need at least iam:CreatePolicy, iam:CreateRole, iam:AttachRolePolicy and maybe others: https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsidentityandaccessmanagementiam.html

EXPERT
Steve_M
answered 9 months ago
EXPERT
reviewed a month ago
  • I did say it is Oracle SE RDS above. Is there a difference in the three permissions you listed for SQL? Would the admin grant those directly to the account, and are there any security risks in granting those to a DBA?

  • Yes, my bad, I see now that you mentioned Oracle.

    I haven't done that myself so I'm just going by what is in the docs, but it looks like you will need the same IAM privileges as identified for SQL https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/oracle-s3-integration.html

    This goes through the same material from a slightly different viewpoint and may be of use https://aws.amazon.com/blogs/database/integrating-amazon-rds-for-oracle-with-amazon-s3/

  • The links you provided discuss the details of implementing S3 integration but make no mention of what IAM permissions are needed. Did you see anything about permissions?

  • It's in my original answer:

    to create a policy and attach it to a role. You would need at least iam:CreatePolicy, iam:CreateRole, iam:AttachRolePolicy and maybe others

  • Is there a way to know what the "other" permissions could be, so I can include them in the request?
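The thread stops at "maybe others", so here is an added example of how the request to the IAM admin could be written down and sanity-checked. This is my own code, not from the answerer, AWS, or the linked guides. It assumes a placeholder account id, a constructed bucket name and a hypothetical `rds-s3-` naming prefix for the integration role. The S3 actions on the role's policy and the `iam:PassRole` / `rds:AddRoleToDBInstance` pair needed to hand the role to the instance are my understanding of the linked RDS and IAM references, not something stated on this page; verify them against those documents before submitting the request.

```python
import json

# Placeholder / constructed values; replace before use.
ACCOUNT_ID = "123456789012"             # placeholder account id (not a real account)
BUCKET = "example-oracle-rds-transfer"  # constructed bucket name
ROLE_PREFIX = "rds-s3-"                 # hypothetical naming convention for the integration role

RDS_SERVICE = "rds.amazonaws.com"


def dba_permissions_policy(account_id: str, role_prefix: str = ROLE_PREFIX) -> dict:
    """What the DBA would ask the IAM admin to grant: the three actions named in
    the answer plus the pieces needed to hand the role to RDS, each scoped to
    roles/policies matching the agreed prefix instead of the whole account."""
    role_arn = f"arn:aws:iam::{account_id}:role/{role_prefix}*"
    policy_arn = f"arn:aws:iam::{account_id}:policy/{role_prefix}*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ManageIntegrationRole", "Effect": "Allow",
             "Action": ["iam:CreateRole", "iam:GetRole",
                        "iam:AttachRolePolicy", "iam:ListAttachedRolePolicies"],
             "Resource": role_arn},
            {"Sid": "ManageIntegrationPolicy", "Effect": "Allow",
             "Action": ["iam:CreatePolicy", "iam:GetPolicy"],
             "Resource": policy_arn},
            # Assumption: attaching the role to the instance needs iam:PassRole;
            # the condition stops the role being passed to any other service.
            {"Sid": "PassRoleOnlyToRds", "Effect": "Allow",
             "Action": "iam:PassRole", "Resource": role_arn,
             "Condition": {"StringEquals": {"iam:PassedToService": RDS_SERVICE}}},
            {"Sid": "AttachRoleToInstance", "Effect": "Allow",
             "Action": "rds:AddRoleToDBInstance", "Resource": "*"},
        ],
    }


def integration_role_trust_policy() -> dict:
    """Trust policy for the role the DBA creates: only RDS may assume it."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Principal": {"Service": RDS_SERVICE},
                           "Action": "sts:AssumeRole"}]}


def integration_role_s3_policy(bucket: str) -> dict:
    """Permissions policy attached to that role, limited to one bucket.
    Action list is my reading of the Oracle S3 integration guide (assumption)."""
    return {"Version": "2012-10-17",
            "Statement": [
                {"Effect": "Allow",
                 "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
                 "Resource": f"arn:aws:s3:::{bucket}"},
                {"Effect": "Allow",
                 "Action": ["s3:GetObject", "s3:PutObject",
                            "s3:ListMultipartUploadParts", "s3:AbortMultipartUpload"],
                 "Resource": f"arn:aws:s3:::{bucket}/*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_permissions_policy(policy: dict) -> list:
    """Checks an IAM admin would run on the requested grant: no IAM action on
    every resource, and iam:PassRole tied to the RDS service."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt["Resource"])
        for action in _as_list(stmt["Action"]):
            if action.startswith("iam:") and "*" in resources:
                findings.append(f"{action} allowed on every resource; scope it to the integration role/policy ARN")
            if action == "iam:PassRole":
                cond = stmt.get("Condition", {}).get("StringEquals", {})
                if cond.get("iam:PassedToService") != RDS_SERVICE:
                    findings.append("iam:PassRole is not restricted to rds.amazonaws.com via iam:PassedToService")
    return findings


def lint_trust_policy(trust: dict) -> list:
    """Flags any principal other than the RDS service in the role's trust policy."""
    findings = []
    for stmt in trust["Statement"]:
        principal = stmt.get("Principal", {})
        extra = [k for k in principal if k != "Service"]
        if extra:
            findings.append(f"trust policy has non-service principals: {extra}")
        for svc in _as_list(principal.get("Service", [])):
            if svc != RDS_SERVICE:
                findings.append(f"trust policy lets {svc} assume the role")
    return findings


def render(policy: dict) -> str:
    """JSON as you would save it to a file for the console or the AWS CLI."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    for name, doc in [("dba-request", dba_permissions_policy(ACCOUNT_ID)),
                      ("trust", integration_role_trust_policy()),
                      ("s3-access", integration_role_s3_policy(BUCKET))]:
        print(f"--- {name} ---\n{render(doc)}")
    print("grant findings:", lint_permissions_policy(dba_permissions_policy(ACCOUNT_ID)))
    print("trust findings:", lint_trust_policy(integration_role_trust_policy()))
```

The point of the two lint functions is the question asked in the comments about risk: the grant is less worrying to an admin when the role-related IAM actions are resource-scoped to a prefix and `iam:PassRole` carries the `iam:PassedToService` condition, because the DBA then cannot create or pass arbitrary roles, only ones RDS can assume for this integration.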
