By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

RDS Account Permissions

0

Hi I migrated an oracle 19c DB from on-premise to RDS using data pump exp/imp. I noticed one application schema failed to be granted a permission "grant any role". I used the RDS master account for the grants but still did not work. grant grant any role to "MYAPP"; Error report ORA-01031: insufficient Privileges

Is there an API or a way to grant this since it seems to be only permissable by "sys" account which is not available on RDS.

Thanks,

Topics
Migration & ModernizationAnalyticsDatabaseAWS Well-Architected Framework
Tags
AWS Database Migration ServiceAmazon Relational Database ServiceOracleSecurityRDS Custom for SQL Oracle
Language
English
sam15
asked 4 months ago545 views
2 Answers
1
Accepted Answer

Because Amazon RDS is a managed service, the following privileges for the DBA role are not provided:

ALTER DATABASE
ALTER SYSTEM
CREATE ANY DIRECTORY
DROP ANY DIRECTORY
GRANT ANY PRIVILEGE
GRANT ANY ROLE

As security best practice, you need to grant least possible privilege to application DB user. Analyze the application and DB code (DBA_DEPENDENCIES) to derive the permission needed by the application user.

Refer https://repost.aws/knowledge-center/rds-oracle-user-privileges-roles for more info.

AWS
Sudip
answered 4 months ago
profile picture
EXPERT
Gary Mclean
reviewed a month ago
  • sam15
    4 months ago

    Excellent Info! If I understand your answer correctly, this privilege "grant any role" can not be granted to another user using the master account and the API "rdsadmin.rdsadmin_util.grant_sys_object" because the master account does not have that permission. Is this correct?

1

The Procedure rdsadmin.rdsadmin_util.grant_sys_object is to provide grants to a specific SYS object. But GRANT ANY ROLE is a system privilege which can not be granted by the above procedure.

AWS
Sudip
answered 4 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content