I'm using CloudFormation to build out a stack that includes a Postgres RDS instance, defined in the code snippet below. What I have found is that the values I've specified in parameters for DatabaseUser and DatabasePassword are ultimately not the values being used. Browsing to RDS in the AWS console, I can see that the DatabaseUser seems to be a randomly generated string (rather than postgres as I've specified in parameters), and the password is not visible, but my attempts to connect to the RDS instance fail: FATAL: password authentication failed for user "<random string>". I assume the password has also been generated, rather than using the value I've configured in the parameter.
I appreciate there are more secure ways of authenticating (I'm now reading about SecretsManager), but I'm a beginner - one step at a time. Figuring out and adding SecretsManager here is a lot of overhead for me. Right now my RDS instance is on a private subnet and I'm having to connect using SSM Agent and port forwarding, I figure that's secure enough for a start.
Is it not possible to set DB user/pw using parameters in my Cloudformation configs?
This is somewhat important for me since I'm working on some further automation. Even if I do get this working, will the password eventually be rotated anyway? Would SecretsManager be the only reliable way for me to be able to automate connections to my RDS instance?
"Database": {
    "Type": "AWS::RDS::DBInstance",
    "DeletionPolicy": "Delete",
    "Properties": {
        "Engine": "postgres",
        "DBName": { "Fn::Join": [ "", { "Fn::Split": [ "-", { "Ref": "ApplicationName" } ] } ] },
        "DBInstanceClass": { "Ref": "DBInstanceType" },
        "DBSubnetGroupName": { "Ref": "DBSubnetGroup" },
        "StorageType": { "Ref": "DBStorageType" },
        "AllocatedStorage": { "Ref": "DBAllocatedStorage" },
        "MasterUsername": { "Ref": "DatabaseUser" },
        "MasterUserPassword": { "Ref": "DatabasePassword" },
        "VPCSecurityGroups": [
            { "Ref": "DBSecurityGroup" }
        ]
    }
}
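For reference, here is an added example (not the poster's template, and not an AWS-supplied one) of how the two things the question asks about look when wired up end to end: the master username and password taken from NoEcho stack parameters, and, behind a condition, the Secrets Manager alternative using a dynamic reference. It is written in CloudFormation's YAML form rather than the JSON above so that it can carry comments. The parameter names DatabaseUser, DatabasePassword, DBSubnetGroup, DBSecurityGroup and DBInstanceType mirror the question; UseSecretsManager, DatabaseSecret, SecretAttachment and the DBName appdb are assumptions made up for the example.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >-
  Added example (not from the original post). Wires the RDS master
  credentials to NoEcho parameters, with an optional Secrets Manager path.

Parameters:
  DatabaseUser:
    Type: String
    Default: postgres
    AllowedPattern: "^[a-zA-Z][a-zA-Z0-9_]{0,62}$"   # RDS: letter first, max 63 chars
  DatabasePassword:
    Type: String
    NoEcho: true                           # masked in the console, DescribeStacks and stack events
    Default: ""                            # leave empty only when UseSecretsManager is "true"
    AllowedPattern: '^$|^[^/"@]{8,128}$'   # RDS for PostgreSQL: 8-128 printable ASCII, no / " @
  UseSecretsManager:
    Type: String
    Default: "false"
    AllowedValues: ["true", "false"]
  DBSubnetGroup:
    Type: String                           # name of an existing DB subnet group (assumed)
  DBSecurityGroup:
    Type: AWS::EC2::SecurityGroup::Id
  DBInstanceType:
    Type: String
    Default: db.t3.micro

Conditions:
  UseSecret: !Equals [!Ref UseSecretsManager, "true"]

Resources:
  # Created only when UseSecretsManager is "true": a generated password stored as
  # JSON {"username": ..., "password": ...}, the shape the RDS rotation functions expect.
  DatabaseSecret:
    Type: AWS::SecretsManager::Secret
    Condition: UseSecret
    Properties:
      GenerateSecretString:
        SecretStringTemplate: !Sub '{"username": "${DatabaseUser}"}'
        GenerateStringKey: password
        PasswordLength: 32
        ExcludeCharacters: '/"@'           # the same characters RDS rejects in a master password

  Database:
    Type: AWS::RDS::DBInstance
    DeletionPolicy: Delete
    Properties:
      Engine: postgres
      DBName: appdb
      DBInstanceClass: !Ref DBInstanceType
      DBSubnetGroupName: !Ref DBSubnetGroup
      StorageType: gp3
      AllocatedStorage: "20"
      MasterUsername: !Ref DatabaseUser
      # Both branches are plain strings. The dynamic reference is resolved by
      # CloudFormation at deploy time and the plaintext never lands in stack events.
      MasterUserPassword: !If
        - UseSecret
        - !Sub '{{resolve:secretsmanager:${DatabaseSecret}:SecretString:password}}'
        - !Ref DatabasePassword
      VPCSecurityGroups:
        - !Ref DBSecurityGroup

  # Records the instance's host/port in the secret so Secrets Manager rotation can reach it.
  SecretAttachment:
    Type: AWS::SecretsManager::SecretTargetAttachment
    Condition: UseSecret
    Properties:
      SecretId: !Ref DatabaseSecret
      TargetId: !Ref Database
      TargetType: AWS::RDS::DBInstance

Outputs:
  Endpoint:
    Value: !GetAtt Database.Endpoint.Address
  # Deliberately no password output: outputs are readable by anyone allowed to DescribeStacks.
```

Two practical points that go with this. First, CloudFormation itself never rotates MasterUserPassword; the instance keeps whatever value the property had at the last stack update, so a password set from a parameter only changes when you change the parameter. Rotation happens only if you configure it, for example with Secrets Manager rotation on the secret above. Second, when the deployed instance does not match what you think you passed in, compare the two sides directly: aws cloudformation describe-stacks shows the parameter values the stack was actually created with (NoEcho values appear masked), and aws rds describe-db-instances shows the MasterUsername the instance was created with. If the stack's DatabaseUser is postgres but the instance reports something else, the username was not taken from that parameter, and the template that created the instance is where to look.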