Permissions for IAM policy and Role

0

I have a cloud account with "RDSFullAccess" and "PowerUser" permissions. Full IAM permissions are blocked by the admin, I assume for privacy or security.

I need to move files into/from the oracle RDS using S3 bucket and S3 integration.

I created the S3 bucket, but I need to create an IAM policy to grant read/write permission for the S3 bucket, create an IAM role and attach the policy to it, and then assign the role to the RDS instance. What permissions do I need to be granted to do that, and is it possible without full access to IAM?

1 Answer
0
Accepted Answer

You don't mention which database engine it is, but the example here for giving SQL Server access to S3 should by and large have what you need (you may need to tweak a few items for a different DB): https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/User.SQLServer.Options.S3-integration.html

You yourself will need a specific level of privileges within IAM to do that, which it doesn't seem that you have - PowerUserAccess gives you iam:CreateServiceLinkedRole, iam:DeleteServiceLinkedRole & iam:ListRoles, which I don't think is enough for you to create a policy and attach it to a role. You would need at least iam:CreatePolicy, iam:CreateRole, iam:AttachRolePolicy and maybe others: https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsidentityandaccessmanagementiam.html

EXPERT
Steve_M
answered 8 months ago
EXPERT
reviewed 24 days ago
  • I did say it is Oracle SE RDS above. Is there a difference in the three permissions you listed for SQL? Would the admin grant those directly to the account, and are there any security risks in granting those to a DBA?

  • Yes, my bad, I see now that you mentioned Oracle.

    I haven't done that myself, so I'm just going by what is in the docs, but it looks like you will need the same IAM privileges as identified for SQL: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/oracle-s3-integration.html

    This goes through the same material from a slightly different viewpoint and may be of use: https://aws.amazon.com/blogs/database/integrating-amazon-rds-for-oracle-with-amazon-s3/

  • The links you provided discuss the details of implementing S3 integration but make no mention of what IAM permissions are needed. Did you see anything about permissions?

  • It's in my original answer:

    to create a policy and attach it to a role. You would need at least iam:CreatePolicy, iam:CreateRole, iam:AttachRolePolicy and maybe others

  • Is there a way to know what the "others" permissions could be so I can include them on the request?
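
As an added example (not from the answerer or the AWS docs linked above), here is a CloudFormation managed policy an admin could grant to the DBA principal instead of full IAM access. It covers the three actions named in the answer plus the two "others" the last comment asks about, iam:PassRole (RDS must be handed the role) and rds:AddRoleToDBInstance (associating the role with the instance), each scoped so the DBA can only create and wire up the integration role rather than arbitrary roles. The policy name, the rds-s3-integration-* and oracle-se-* name prefixes, and the account/region resolved by !Sub are assumptions.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Least-privilege setup rights for a DBA configuring RDS for Oracle S3 integration (added example)

Resources:
  DbaRdsS3SetupPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: dba-rds-s3-integration-setup   # assumed name
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # The actions from the answer, limited to an assumed name prefix so the
          # DBA cannot create or read arbitrary roles/policies in the account.
          - Sid: CreateIntegrationRoleAndPolicy
            Effect: Allow
            Action:
              - iam:CreatePolicy
              - iam:CreateRole
              - iam:GetRole
              - iam:GetPolicy
            Resource:
              - !Sub arn:aws:iam::${AWS::AccountId}:policy/rds-s3-integration-*
              - !Sub arn:aws:iam::${AWS::AccountId}:role/rds-s3-integration-*
          # AttachRolePolicy only on the prefixed role and only with the prefixed
          # policy: this is what stops AdministratorAccess being attached instead.
          - Sid: AttachOnlyTheIntegrationPolicy
            Effect: Allow
            Action: iam:AttachRolePolicy
            Resource: !Sub arn:aws:iam::${AWS::AccountId}:role/rds-s3-integration-*
            Condition:
              ArnLike:
                iam:PolicyARN: !Sub arn:aws:iam::${AWS::AccountId}:policy/rds-s3-integration-*
          # One of the "others": handing the role to RDS requires iam:PassRole.
          # Restricting it to the RDS service principal keeps the role from being
          # passed to Lambda, EC2 or any other service the DBA can reach.
          - Sid: PassRoleOnlyToRds
            Effect: Allow
            Action: iam:PassRole
            Resource: !Sub arn:aws:iam::${AWS::AccountId}:role/rds-s3-integration-*
            Condition:
              StringEquals:
                iam:PassedToService: rds.amazonaws.com
          # Associating the role with the DB instance is an RDS action, not IAM.
          - Sid: AssociateRoleWithInstance
            Effect: Allow
            Action:
              - rds:AddRoleToDBInstance
              - rds:DescribeDBInstances
            Resource: !Sub arn:aws:rds:${AWS::Region}:${AWS::AccountId}:db:oracle-se-*   # assumed instance prefix
```

The Oracle integration also needs the S3_INTEGRATION option added to the instance's option group, which is an RDS step with its own permissions and is not covered by this policy.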
