Unfortunately, it is not possible to directly grant the "GRANT ANY PRIVILEGE" and "GRANT ANY ROLE" privileges to an account in Amazon RDS. These privileges are among a set of high-level system privileges that are not provided to the DBA role in RDS due to its nature as a managed service.
For security reasons, Amazon RDS restricts certain privileges, including:
- ALTER DATABASE
- ALTER SYSTEM
- CREATE ANY DIRECTORY
- DROP ANY DIRECTORY
- GRANT ANY PRIVILEGE
- GRANT ANY ROLE
This limitation applies to all accounts, including the RDS master account. There is no direct workaround to grant these specific privileges.
However, you can still manage user privileges and roles in RDS, albeit with some limitations. Here are some alternatives you can consider:
- Use the RDS master account to grant specific privileges and roles to your application accounts. While you can't use "GRANT ANY PRIVILEGE" or "GRANT ANY ROLE", you can still grant individual privileges and roles as needed.
- Utilize the built-in stored procedures provided by RDS for managing users, roles, and privileges. For example, in RDS for Db2, you can use procedures like rdsadmin.grant_role, rdsadmin.add_user, and rdsadmin.dbadm_grant to manage permissions.
- For MySQL RDS instances (version 8.0.36 and later), you can use the role-based privilege model. The rds_superuser_role includes a wide range of privileges that might be sufficient for your needs. You can grant this role to your administrative users.
- Review your application's requirements and grant the least privileges necessary for it to function. This approach aligns with security best practices and may help you work within RDS limitations.
- If your application absolutely requires these high-level privileges, you may need to consider alternative database solutions that allow more control over system-level privileges.
Remember to adapt your PL/SQL application to work within these constraints when dealing with RDS instances. Instead of using broad privilege grants, you'll need to be more specific in assigning permissions to your application accounts.
Sources
- RDS Account Permissions | AWS re:Post
- Role-based privilege model for RDS for MySQL - Amazon Relational Database Service
- Stored procedures for granting and revoking privileges for RDS for Db2 - Amazon Relational Database Service
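As an added illustration of the first alternative above (grant specific privileges and roles instead of a blanket grant), here is example SQL written for this page, not taken from the answer or from AWS documentation; the HR schema, the role and the account names are hypothetical, and it assumes an RDS for Oracle instance with the statements run as the RDS master user:

```sql
-- Added example: least-privilege replacement for GRANT ANY PRIVILEGE / GRANT ANY ROLE
-- on RDS for Oracle. Schema HR, role APP_READ_ROLE and the account names are
-- hypothetical placeholders; run as the RDS master user.

-- 1. Bundle the exact privileges the application needs into one role.
CREATE ROLE app_read_role;
GRANT CREATE SESSION TO app_read_role;
GRANT SELECT ON hr.employees TO app_read_role;
GRANT SELECT ON hr.departments TO app_read_role;
GRANT EXECUTE ON hr.pkg_reporting TO app_read_role;

-- 2. Let a delegated administrator hand out that one role and nothing else.
--    WITH ADMIN OPTION is scoped to app_read_role; it does not confer GRANT ANY ROLE.
CREATE USER app_admin IDENTIFIED BY "<strong-password-placeholder>";
GRANT CREATE SESSION TO app_admin;
GRANT app_read_role TO app_admin WITH ADMIN OPTION;

-- 3. The application account receives the role, never system privileges directly.
CREATE USER app_svc IDENTIFIED BY "<strong-password-placeholder>";
GRANT app_read_role TO app_svc;

-- 4. Verify what was granted and confirm no blanket privileges exist in the instance.
SELECT grantee, granted_role, admin_option
  FROM dba_role_privs
 WHERE granted_role = 'APP_READ_ROLE';

SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE privilege IN ('GRANT ANY PRIVILEGE', 'GRANT ANY ROLE', 'ALTER SYSTEM');
```

The last query should return no rows for your application and delegated-admin accounts; if it does, the account has more than the restricted set the answer describes.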