Oracle RDS with EFS and S3 access

0

We're looking at working with Oracle RDS and using S3 & EFS integrations for different use cases. These are documented at https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/oracle-efs-integration.html and https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/oracle-s3-integration.html but there isn't an obvious way to make both coexist. The question was previously asked several months ago at https://repost.aws/community/users/US3Gymk1iXR6q89cNuA48ntg but it just says it can be done, not how to do it.

The issue is regarding how to configure the IAM policies being attached to the RDS instance. Both links above say "You can associate only one IAM role with your RDS for Oracle DB instance at a time." Both EFS and S3 require a feature attached to the IAM role, EFS_INTEGRATION or S3_INTEGRATION. You can't set both features on a single IAM policy attachment and you can't attach two policies.

Any advice on how to configure IAM policies to support S3 and EFS access from an Oracle RDS database?

2 Answers
0

Hi,

You say that the feature is attached to the IAM role. I don't think that it is: it is indeed attached to the options group. For RDS, see https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/oracle-efs-integration.html#oracle-efs-integration.adding

aws rds add-option-to-option-group \
   --option-group-name myoptiongroup \
   --options "OptionName=EFS_INTEGRATION,OptionSettings=[{Name=EFS_ID,Value=fs-1234567890abcdef0},{Name=USE_IAM_ROLE,Value=TRUE}]"

AFAIK, nothing prevents you from running the above command twice for your options group: once for EFS and a second time for S3.

Please let us know if you succeeded.

Best,

Didier

AWS
EXPERT
answered 2 months ago
  • Yes, the option group part just needs S3 and EFS added, that's fine. However, when attaching the role to the RDS instance, you have to specify a feature of S3_INTEGRATION or EFS_INTEGRATION, e.g.

    aws rds add-role-to-db-instance --db-instance-identifier mydbinstance --feature-name S3_INTEGRATION --role-arn your-role-arn

    The issue is that the docs say only one role can be attached, we can only use one feature per attachment and we need two features to support both EFS & S3.

0
  1. Create a single IAM role with both EFS_INTEGRATION and S3_INTEGRATION features enabled. Although the documentation says you can't set both features on a single IAM policy attachment, you can actually do so when creating the role.

  2. Attach this role to your RDS instance. This will allow your Oracle RDS database to access both EFS and S3.

Here's an example IAM role policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowEFSIntegration",
      "Effect": "Allow",
      "Action": "elasticfilesystem:Client*",
      "Resource": "arn:aws:elasticfilesystem:*:*:file-system/*"
    },
    {
      "Sid": "AllowS3Integration",
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::*"
    }
  ]
}
EXPERT
Sandeep
answered 2 months ago
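
Added example, not part of either answer and not AWS tooling: a Python check run over the policy posted above, reporting statements that grant a whole service or every bucket or file system, next to a constructed variant scoped to one bucket and one file system. The region, account ID and bucket name are placeholders, the S3 action list assumes transfers in both directions, and the function names are hypothetical.

```python
# Policy exactly as posted in the answer above.
POSTED = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowEFSIntegration", "Effect": "Allow",
     "Action": "elasticfilesystem:Client*",
     "Resource": "arn:aws:elasticfilesystem:*:*:file-system/*"},
    {"Sid": "AllowS3Integration", "Effect": "Allow",
     "Action": "s3:*", "Resource": "arn:aws:s3:::*"}]}

# Constructed scoped variant (assumption, not from the page): region, account
# ID and bucket name are placeholders; the file system ID is the page's own.
SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowEFSIntegration", "Effect": "Allow",
     "Action": "elasticfilesystem:Client*",
     "Resource": "arn:aws:elasticfilesystem:us-east-1:123456789012:"
                 "file-system/fs-1234567890abcdef0"},
    {"Sid": "AllowS3Integration", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::amzn-s3-demo-bucket",
                  "arn:aws:s3:::amzn-s3-demo-bucket/*"]}]}

def as_list(value):
    """IAM lets Action and Resource be one string or a list of strings."""
    return value if isinstance(value, list) else [value]

def names_everything(arn):
    """True if the ARN's resource part selects every bucket or file system."""
    resource = arn.split(":", 5)[-1]          # text after the account field
    if resource.startswith("file-system/"):   # EFS resource-type prefix
        resource = resource[len("file-system/"):]
    return resource.startswith("*")

def findings(policy):
    """Return sorted (Sid, issue) pairs for over-broad Allow statements."""
    issues = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        for action in as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                issues.add((sid, "all actions of a service: " + action))
        for arn in as_list(stmt.get("Resource", [])):
            if names_everything(arn):
                issues.add((sid, "not limited to one resource: " + arn))
    return sorted(issues)

def services(policy):
    """Service prefixes granted, to confirm one policy covers S3 and EFS."""
    return {a.split(":")[0] for s in policy["Statement"]
            for a in as_list(s.get("Action", []))}
```

`findings(POSTED)` returns three issues (every file system, every S3 action, every bucket), while `findings(SCOPED)` returns an empty list and `services()` reports the same two services for both.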
