What is the role of these Aurora3 users (AWS_COMPREHEND_ACCESS, AWS_LAMBDA_ACCESS, AWS_LOAD_S3_ACCESS, AWS_SAGEMAKER_ACCESS, AWS_SELECT_S3_ACCESS), and how to change the plugin of these users?

0

  1. AWS_COMPREHEND_ACCESS
  2. AWS_LAMBDA_ACCESS
  3. AWS_LOAD_S3_ACCESS
  4. AWS_SAGEMAKER_ACCESS
  5. AWS_SELECT_S3_ACCESS

I want to change these five Aurora3 MySQL users' plugin from 'mysql_native_password' to 'sha256_password', but I can't. I have two questions about this issue.

  1. What is the role of these five users?
  2. How to change these users' plugin from 'mysql_native_password' to 'sha256_password'?

Thank you.

asked a year ago 412 views
1 Answer
0

Dear Customer,

Hope you are in good health.

After going through the post, I understand that you would like to know the role of these users AWS_COMPREHEND_ACCESS, AWS_LAMBDA_ACCESS, AWS_LOAD_S3_ACCESS, AWS_SAGEMAKER_ACCESS, AWS_SELECT_S3_ACCESS and you were unable to change the users' plugin from 'mysql_native_password' to 'sha256_password' for the mentioned users.

Please correct me if I misunderstood your query.

Please allow me to answer your query:

  1. What is the role of these five users?

Ans: Aurora MySQL version 3 includes roles that you can use to access other AWS services. You can set these roles as an alternative to GRANT statements. For example, you specify GRANT AWS_LAMBDA_ACCESS TO user instead of GRANT INVOKE LAMBDA ON *.* TO user.

Please review the document below for more details on integrating Aurora MySQL with other AWS services:

[+] https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/AuroraMySQL.Integrating.html

Below are the uses of the 5 users mentioned, which are available in Aurora version 3 by default:

  1. AWS_LAMBDA_ACCESS role: Used as an alternative to the INVOKE LAMBDA privilege.

For usage information, see Invoking a Lambda function from an Amazon Aurora MySQL DB cluster. [+] https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/AuroraMySQL.Integrating.Lambda.html

  2. AWS_LOAD_S3_ACCESS role: Used as an alternative to the LOAD FROM S3 privilege.

For usage information, see Loading data into an Amazon Aurora MySQL DB cluster from text files in an Amazon S3 bucket. [+] https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/AuroraMySQL.Integrating.LoadFromS3.html

  3. AWS_SELECT_S3_ACCESS role: Used as an alternative to the SELECT INTO S3 privilege.

For usage information, see Saving data from an Amazon Aurora MySQL DB cluster into text files in an Amazon S3 bucket. [+] https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/AuroraMySQL.Integrating.SaveIntoS3.html

  4. AWS_SAGEMAKER_ACCESS role: Used as an alternative to the INVOKE SAGEMAKER privilege.

For usage information, see Using Amazon Aurora machine learning with Aurora MySQL. [+] https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/mysql-ml.html

  5. AWS_COMPREHEND_ACCESS role: Used as an alternative to the INVOKE COMPREHEND privilege.

For usage information, see Using Amazon Aurora machine learning with Aurora MySQL. [+] https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/mysql-ml.html

When you grant access by using the above roles in Aurora MySQL version 3, you also activate the role by using the SET ROLE role_name or SET ROLE ALL statement. The following example shows how. Substitute the appropriate role name for AWS_SELECT_S3_ACCESS.

Grant role to user

mysql> GRANT AWS_SELECT_S3_ACCESS TO 'user'@'domain-or-ip-address';

Check the current roles for your user. In this case, the AWS_SELECT_S3_ACCESS role has not been activated.

Only the rds_superuser_role is currently in effect.

mysql> SELECT CURRENT_ROLE();
+--------------------------+
| CURRENT_ROLE()           |
+--------------------------+
| rds_superuser_role@%     |
+--------------------------+
1 row in set (0.00 sec)

Activate all roles associated with this user using SET ROLE.

You can activate specific roles or all roles.

In this case, the user only has 2 roles, so we specify ALL.

mysql> SET ROLE ALL;
Query OK, 0 rows affected (0.00 sec)

Verify role is now active

mysql> SELECT CURRENT_ROLE();
+--------------------------------------------------+
| CURRENT_ROLE()                                   |
+--------------------------------------------------+
| AWS_LAMBDA_ACCESS@%,rds_superuser_role@%         |
+--------------------------------------------------+

  2. How to change these users' plugin from 'mysql_native_password' to 'sha256_password'?

Ans: As RDS is a managed service and uses 'mysql_native_password' as default, you can't change the default_authentication_plugin setting. However, you can create users with specific authentication plugins and change them based on your requirement.

Unfortunately, it is not possible to change the authentication plugins for these users AWS_COMPREHEND_ACCESS, AWS_LAMBDA_ACCESS, AWS_LOAD_S3_ACCESS, AWS_SAGEMAKER_ACCESS, AWS_SELECT_S3_ACCESS as they are built in by default.

For more details, please refer to the document below:

[+] https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Aurora.AuroraMySQL.Compare-80-v3.html#AuroraMySQL.privilege-model

I hope the above information was helpful. Should you need any more information, I request you to raise a case with the RDS Support team and we will be happy to help you.

Have a great day ahead!

AWS
answered a year ago
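
An added example, not part of the original answer or of AWS documentation: it checks how the AWS_* entries are stored and grants one of them so that it is active at login, which is the step the answer does by hand with SET ROLE. The account 'app_user'@'10.0.%' is hypothetical, and the example assumes the built-in roles are stored like standard MySQL 8.0 roles and that you connect as a user allowed to read the mysql schema and administer roles.

```sql
-- Added example. 'app_user'@'10.0.%' is a hypothetical account name.

-- 1. Inspect how the built-in AWS_* entries are stored.
--    Assumption: as with standard MySQL 8.0 roles, each appears in
--    mysql.user as a locked account with no credential, so the value in
--    the plugin column is never used for a login.
SELECT user, host, plugin, account_locked, password_expired,
       authentication_string = '' AS no_credential
FROM mysql.user
WHERE user IN ('AWS_COMPREHEND_ACCESS', 'AWS_LAMBDA_ACCESS',
               'AWS_LOAD_S3_ACCESS', 'AWS_SAGEMAKER_ACCESS',
               'AWS_SELECT_S3_ACCESS');

-- 2. List which accounts currently hold one of these roles
--    (least-privilege review: every row is an account that can reach
--    another AWS service from SQL once the role is active).
SELECT from_user AS role_name, to_user AS grantee, to_host AS grantee_host
FROM mysql.role_edges
WHERE from_user LIKE 'AWS\_%\_ACCESS';

-- 3. Grant a single role to the application account and make it the
--    default, so it is active at login without an explicit SET ROLE.
GRANT AWS_SELECT_S3_ACCESS TO 'app_user'@'10.0.%';
SET DEFAULT ROLE AWS_SELECT_S3_ACCESS TO 'app_user'@'10.0.%';

-- 4. Show the privileges the account has with that role active.
SHOW GRANTS FOR 'app_user'@'10.0.%' USING AWS_SELECT_S3_ACCESS;

-- 5. Remove the role again when the account no longer needs it.
REVOKE AWS_SELECT_S3_ACCESS FROM 'app_user'@'10.0.%';
```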
