Questions tagged with Database


Can RDS Proxy support RLS patterns, with many sets of DB credentials dynamically added? Are there alternatives to this pattern for multi-tenant setups / SaaS architectures?

_tl;dr_ I want to create a separate DB user account for each tenant in a SaaS, to support a multi-tenant setup for a PostgreSQL db using Row Level Security (RLS). It seems this isn't possible or practical with RDS Proxy because the SDK doesn't allow for easy management of secrets / credentials associated with RDS Proxy. What am I missing? How can I achieve a multi-tenant RLS setup with RDS Proxy and PostgreSQL RLS?

I'm trying to create a SaaS with a multi-tenant DB setup. RDS Aurora Postgres. **Each tenant in the database === a DB account** (see: https://aws.amazon.com/blogs/database/multi-tenant-data-isolation-with-postgresql-row-level-security/). This was going fairly well when I was in the PoC stage, because I ignorantly put off storing DB secrets in Secrets Manager and just had a few sample accounts set up to test things out. That said, I've recently realized that with RDS Proxy you need to actually add each database credential to the proxy in order to be able to use that credential through the proxy... and that's not something that happens instantly, it can take an unknown amount of time for RDS Proxy to be updated, and frankly I'm not sure how well this would scale adding potentially hundreds or even thousands of credentials to RDS Proxy.

I had hoped / thought _maybe_ that using "IAM Authentication" would solve the issue, but although it doesn't seem super well documented / clear (at least not through the AWS console), I _think_ IAM Authentication doesn't do anything for us unless we're using SQL Server:

> IAM Authentication. Choose whether to require, allow, or disallow IAM authentication for connections to your proxy. **The allow option is only valid for proxies for RDS for SQL Server**. The choice of IAM authentication or native database authentication applies to all DB users that access this proxy.

https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/rds-proxy-setup.html

If I'm misunderstanding something here I'd love to know, and would really appreciate any advice. I feel like I'm fighting a losing battle with my current approach and would love to know if there is something I'm missing that would salvage things! If not, then I'm left with either:

1. Figure out how to programmatically add secrets / users to the DB Proxy - I think https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/clients/client-rds/interfaces/modifydbproxyrequest.html#auth is perhaps _a_ mechanism I could use, but again it doesn't feel like it was really built for this - each time a user registered, it looks like I'd have to basically update the entire proxy, I can't "just" add a single user.
2. Switch away from the "each user in the SaaS has a separate DB user" approach to something else, essentially putting the onus of security back on the application layer (which was my entire goal of using RLS originally).
3. ??

Note that [the AWS documentation on RDS Proxy and adding database users](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/rds-proxy-managing.html#rds-proxy-new-db-user) of course says that you can certainly add DB users, this I know, **the issue is adding users at scale, dynamically, via the SDK** - it just doesn't feel like RDS Proxy is designed for this (for understandable reasons I might add, I realize there is probably a fair amount of complexity hidden in RDS Proxy).
0 answers, 0 votes, 15 views. Asked a month ago.
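An added example (PostgreSQL), not part of the question or of the linked AWS post. It shows the pattern the question's option 2 alludes to, but with enforcement kept in the database: a single pooled login role goes through RDS Proxy (so the proxy needs one secret, not one per tenant) and the RLS policy keys on a per-transaction session setting instead of on `current_user`. The one-role-per-tenant policy from the linked post is included as a commented variant for comparison. The table `orders`, the role `app_user`, the setting name `app.current_tenant` and the tenant values are assumptions.

```sql
-- Added example, not from the question. Assumed names: table "orders",
-- pooled role "app_user", session setting "app.current_tenant".
-- Run the DDL as the table owner/admin; run the DML at the end as app_user.

CREATE TABLE orders (
  id        bigserial PRIMARY KEY,
  -- '' is what a discarded SET LOCAL can leave behind; never a valid tenant.
  tenant_id text    NOT NULL CHECK (tenant_id <> ''),
  amount    numeric NOT NULL
);

-- One login role shared by every tenant, so RDS Proxy holds a single secret.
CREATE ROLE app_user LOGIN PASSWORD 'replace-me';  -- placeholder password
GRANT SELECT, INSERT, UPDATE, DELETE ON orders TO app_user;
GRANT USAGE, SELECT ON SEQUENCE orders_id_seq TO app_user;

ALTER TABLE orders ENABLE ROW LEVEL SECURITY;
ALTER TABLE orders FORCE ROW LEVEL SECURITY;   -- policies bind the owner too
                                              -- (superusers/BYPASSRLS still bypass)

-- The tenant comes from a session setting rather than from current_user.
-- current_setting(name, true) returns NULL when nothing ever set it (or ''
-- after a SET LOCAL transaction ended); neither matches a real tenant_id, so a
-- connection that forgot to set the tenant reads and writes nothing.
CREATE POLICY tenant_isolation ON orders
  FOR ALL TO app_user
  USING      (tenant_id = current_setting('app.current_tenant', true))
  WITH CHECK (tenant_id = current_setting('app.current_tenant', true));

-- Variant for the one-DB-role-per-tenant design in the linked AWS post
-- (role name == tenant_id); every such role must then be registered with
-- the proxy, which is the scaling problem the question describes:
--   CREATE POLICY tenant_isolation_by_role ON orders
--     USING (tenant_id = current_user) WITH CHECK (tenant_id = current_user);

-- Application side, connected as app_user. SET LOCAL is scoped to the
-- transaction, so the tenant cannot leak into the next borrower of a pooled
-- connection the way a plain SET would.
BEGIN;
SET LOCAL app.current_tenant = 'tenant-a';
INSERT INTO orders (tenant_id, amount) VALUES ('tenant-a', 10.00);
SELECT id, tenant_id, amount FROM orders;   -- tenant-a rows only
COMMIT;

-- A cross-tenant write is rejected by WITH CHECK even though app_user has
-- INSERT on the table; the transaction must then be rolled back.
BEGIN;
SET LOCAL app.current_tenant = 'tenant-a';
INSERT INTO orders (tenant_id, amount) VALUES ('tenant-b', 99.00);
ROLLBACK;

-- Outside a transaction the setting is gone, so nothing is visible.
SELECT count(*) FROM orders;
```

The trade-off is explicit: the application must issue the `SET LOCAL` at the start of every transaction, but getting that wrong fails closed (zero rows) rather than open, and the policy still executes on every statement regardless of what the application does. Two things to verify before relying on this behind RDS Proxy, as they are not established by anything on this page: whether `SET LOCAL` is treated as session state that pins the connection to a backend for your engine version (check the RDS Proxy pinning documentation), and that no role used by the application has `BYPASSRLS` or superuser.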

Cannot resolve host of RDS endpoint in private subnet via VPN client endpoint

I have an AWS VPC VPN client endpoint set up to connect to 2 private subnets. Inside these private subnets is an RDS instance and an EC2 instance running an application server (aka "control plane server"). The private subnets are provided access to the external internet (so servers can download packages and such) via a public subnet with a NAT -> internet gateway. ![Network topology diagram](/media/postImages/original/IMmq5arvCkQbu7gwTh99Wpqg) I have successfully connected to the VPN from my laptop and even SSH-ed into the "control plane server". However from my laptop, connected to the VPN, I cannot connect to the RDS endpoint. I get the error: ``` lookup <rds instance ID>.<random>.us-east-2.rds.amazonaws.com on [2600:4040:5710:9100::1]:53: no such host ``` This seems to be an error related to looking up the RDS endpoint's IP address. To debug this I used the `dig` tool from my laptop and from within an SSH session on the "control plane server". I found that from my laptop, whether or not I'm connected to the VPN, `dig <rds instance ID>.<random>.us-east-2.rds.amazonaws.com` returns 0 answers. However my laptop isn't completely clueless about this URL. I can ask for the name servers and `dig` returns the name servers `ns-573.awsdns-07.net. awsdns-hostmaster.amazon.com.`. If I SSH into the "control plane server" I actually get an `A` record back for the RDS endpoint URL. It's an IP address in the `10.1.2.0/24` subnet. I also get back the same name server results. I have tried disabling split-tunnel mode on the VPN and I get the same `dig` results from my laptop. I cannot exactly give my entire network configuration with all the security groups and such, but I followed [this RDS over VPN official AWS guide](https://aws.amazon.com/blogs/database/accessing-an-amazon-rds-instance-remotely-using-aws-client-vpn/) almost exactly. The only modifications were adding a public subnet with a NAT -> IGW and the modification described in the following paragraph.
I had one question about the guide however, to me the security group rules laid out regarding VPN client CIDRs didn't make sense. ![Screenshot from AWS guide highlighting IP mismatch](/media/postImages/original/IMaGX05IK_Q3aAPYWMEpA8Ag) The guide says the CIDR in the security group rule is the CIDR which VPN clients will get IPs from. The security group uses `122....`. However the VPN configuration uses `192....`. So I changed the security group rule to match the actual VPN CIDR. Was this a mistake? Am I missing anything about how I can get the AWS DNS servers to give my private subnet IPs when connected via the VPN? My hypothesis is that when my laptop makes a request to the AWS DNS server for RDS it sees I am connecting from an external network, and not the private subnet from which the RDS endpoint IP is allocated. So it refuses to leak information and says there are no results.
1 answer, 0 votes, 38 views. Asked a month ago by Noah.

Besides the operational costs and hourly costs - why should I use AWS Timestream instead of OpenSearch for metrics ingestion and querying?

I have a use case where I ingest metrics into the system. Those can be various types of metrics, and eventually tenants in the system will have a dashboard to visualize those metrics and create reports. Users might also be able to create their own dashboards. I'm debating between Timestream and OpenSearch; both can achieve IAM fine-grained permissions (per TS table / Elastic index), and I know there are operational costs (storage / scaling) for ES, but I have 2 concerns about TS which I'd love to discuss:

- Timestream has a maximum of 128 dimensions, which means to have properties on my metrics I might need to use generic d1, d2, d3 dimensions.
- Queries are priced per 10MB minimum - this is the BIGGEST problem:
  - I can't create a dashboard with different queries, because if I visualize 20 metrics, I'll have to pay for 200MB of scan - which you multiply by 10,000 customers, every few hours - this will be horrible.
  - I will have to aggregate everything into one SQL call with UNION just to reduce query costs:

    ```
    (Select ... from table) UNION (Select ... from table) UNION (select ... from table)
    ```

    This sounds super weird, and hard to do if there are different columns and results in each query.
  - I'll need to restrict the dashboard from realtime to every few hours, to reduce querying costs.

In OpenSearch I don't have those. Your thoughts?
2 answers, 0 votes, 51 views. Asked a month ago by ArielB.
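An added example in Timestream's SQL dialect, not from the question or any of its answers. It addresses the "one SQL call with UNION" concern concretely: the first query serves several panels from a single scan by grouping on `measure_name`, so the 10MB minimum is paid once per dashboard refresh rather than once per panel; the second shows how to make a UNION work when the panels need different aggregations and would otherwise have mismatched columns. The database `metrics`, table `tenant_metrics`, dimension `tenant_id`, the single-measure record layout (`measure_name` / `measure_value::double`) and the metric names are all assumptions.

```sql
-- Added example (Timestream query language), not from the question.
-- Assumed schema: database "metrics", table "tenant_metrics", one record per
-- sample with dimension tenant_id and single-measure columns
-- measure_name / measure_value::double.

-- 1) One scan for several panels. Grouping on measure_name returns every
--    metric in the window from one query, so the per-query 10MB minimum is
--    charged once for the dashboard, not once per panel. Keep the time
--    predicate tight: it is what bounds the bytes scanned.
SELECT bin(time, 5m)                AS ts,
       measure_name                 AS metric,
       avg(measure_value::double)   AS avg_value,
       max(measure_value::double)   AS max_value
FROM "metrics"."tenant_metrics"
WHERE tenant_id = 'tenant-a'                     -- assumed dimension value
  AND measure_name IN ('cpu_pct', 'mem_pct', 'req_latency_ms')
  AND time BETWEEN ago(6h) AND now()
GROUP BY bin(time, 5m), measure_name
ORDER BY ts, metric;

-- 2) Panels that need different aggregations. Give every branch the same
--    column list in the same order (ts, metric, value); a literal "metric"
--    label lets the dashboard route rows to the right panel, and NULL can pad
--    any column a branch does not have. UNION ALL skips the duplicate
--    elimination that plain UNION performs, which is wasted work here.
SELECT bin(time, 5m) AS ts,
       'cpu_p95'     AS metric,
       approx_percentile(measure_value::double, 0.95) AS value
FROM "metrics"."tenant_metrics"
WHERE tenant_id = 'tenant-a'
  AND measure_name = 'cpu_pct'
  AND time BETWEEN ago(6h) AND now()
GROUP BY bin(time, 5m)
UNION ALL
SELECT bin(time, 5m) AS ts,
       'http_5xx_total' AS metric,
       sum(measure_value::double) AS value
FROM "metrics"."tenant_metrics"
WHERE tenant_id = 'tenant-a'
  AND measure_name = 'http_5xx'
  AND time BETWEEN ago(6h) AND now()
GROUP BY bin(time, 5m)
ORDER BY ts, metric;
```

The same `tenant_id` predicate appears in every branch on purpose: a dashboard that builds this query per tenant should bind that value server-side rather than interpolate user input, since the UNION structure makes it easy to forget the filter on one branch and return another tenant's rows.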