Permissions for IAM policy and Role

0

I have a cloud account with "RDSFullAccess" and "PowerUser" permissions. Full IAM permissions are blocked by admin I assume for privacy or security.

I need to move files into/from the oracle RDS using S3 bucket and S3 integration.

I created the S3 bucket but I need to create an IAM policy to grant read/write permission for S3 bucket and create an IAM role and attach the policy to it and then assign the role to the RDS instance. What permissions do I need to get granted for doing that and is it possible without full access to IAM?

1 Answer
1
Accepted Answer

You don't mention which database engine it is, but the example here for giving SQL Server access to S3 should by-and-large have what you need (you may need to tweak a few items for a different DB) https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/User.SQLServer.Options.S3-integration.html

You yourself will need a specific level of privileges within IAM to do that, which it doesn't seem that you have - PowerUserAccess gives you iam:CreateServiceLinkedRole, iam:DeleteServiceLinkedRole & iam:ListRoles which I don't think is enough for you to create a policy and attache to a role. You would need at least iam:CreatePolicy, iam:CreateRole, iam:AttachRolePolicy and maybe others https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsidentityandaccessmanagementiam.html

profile picture
EXPERT
Steve_M
answered 9 months ago
profile picture
EXPERT
reviewed 8 days ago
profile picture
EXPERT
reviewed 2 months ago
  • I did say it is Oracle SE RDS above. Is there a difference in the three permissions you listed for SQL? Would admin grant those directly to account and is there any security risks granting those to DBA?

  • Yes, my bad, I see now that you mentioned Oracle.

    I haven't done that myself so I'm just going by what is in the docs, but it looks like you will need the same IAM privileges as identified for SQL https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/oracle-s3-integration.html

    This goes through the same material from a slightly different viewpoint and may be of use https://aws.amazon.com/blogs/database/integrating-amazon-rds-for-oracle-with-amazon-s3/

  • The links you provided discuss the details for implementing S3 Integration but no mention of what IAM permissions needed. Did you see anything about permissions?

  • It's in my original answer

    to create a policy and attache to a role. You would need at least iam:CreatePolicy, iam:CreateRole, iam:AttachRolePolicy and maybe others

  • Is there a way to know what the "others" permissions could be so I can include them on the request?

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions