RDS instance issue

0

Hello, I appreciate any guidance. We are attempting to create an RDS PostgreSQL database. The user has the RDS Full Access policy assigned, but we are still getting the error "You don't have permission to rds:CreateDBSubnetGroup." We currently do not plan to attach this to an EC2 instance.

What setup do I need for the user?

asked 2 months ago, 54 views
2 Answers
0

Can you confirm it's definitely the AmazonRDSFullAccess policy that the user has attached, and not a similar-sounding one like AmazonRDSDataFullAccess (or, less likely but worth checking, AmazonRDSPerformanceInsightsFullAccess)?

AmazonRDSFullAccess should definitely allow the user to rds:CreateDBSubnetGroup because of the very first action at the top of the policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "rds:*",

As the AI-bot says in item 5, if the account is part of AWS Organizations check there is no Service Control Policy applied to the account or its parent OU that might be preventing this.

EXPERT
answered 2 months ago
  • Correct, I have verified it. One of the AWS posts said you may still need to grant it explicitly, so in addition to AmazonRDSFullAccess being there, I also created a policy which specifically allows rds:CreateDBSubnetGroup.

  • Also, there is an SCP (AWS Full Access) applied.

  • "in addition to AmazonRDSFullAccess being there, I also created a policy which specifically allows rds:CreateDBSubnetGroup"

    That shouldn't be needed, although it wouldn't hurt to try. Did it make a difference?

0

To resolve the permission issue you're encountering while trying to create an RDS PostgreSQL database, you'll need to ensure that the user has the necessary permissions beyond just the RDS Full Access policy. Here's what you should do:

  1. First, verify that the RDS Full Access policy is correctly attached to the user's IAM role or directly to the user.

  2. The error message indicates that the user lacks permission for the specific action "rds:CreateDBSubnetGroup". This suggests that you may need to add this permission explicitly.

  3. Create a custom IAM policy that includes the "rds:CreateDBSubnetGroup" action, along with other necessary RDS-related actions. You can attach this policy to the user or their role in addition to the RDS Full Access policy.

  4. Ensure that the user also has permissions for related VPC actions, as creating a DB subnet group involves working with VPC resources. This might include permissions like "ec2:DescribeVpcs", "ec2:DescribeSubnets", etc.

  5. If you're using AWS Organizations or Service Control Policies (SCPs), check if there are any restrictions at the organization level that might be preventing the action.

  6. Double-check that you're operating in the correct AWS region and account where the user has the intended permissions.

  7. If you're still encountering issues after adding these permissions, you may need to grant additional related permissions such as "rds:CreateDBInstance" and "rds:DescribeDBSubnetGroups".

Remember, it's a best practice to follow the principle of least privilege and only grant the permissions necessary for the task at hand. If you don't plan to attach this RDS instance to an EC2 instance, you don't need to worry about EC2-related permissions for now.

If you continue to face issues after implementing these changes, consider reviewing the full set of permissions required for RDS management and consult AWS documentation for a comprehensive list of necessary actions.
Sources
CloudQuest - Database in practice step - permissions issue | AWS re:Post
Why can't I access my RDS? | AWS re:Post

answered 2 months ago
AWS
EXPERT
reviewed 2 months ago
