Questions tagged with Amazon Relational Database Service


Multi-AZ DB Cluster Parameter Group Updating Not Working

**Note: Aurora Clusters are not the same as Multi-AZ DB Clusters. In my situation I am not using Aurora.**

I have been having no success trying to change my Multi-AZ DB Cluster parameter group in the region N. Virginia, so I decided to give it a try in the Ohio region. What I noticed is a difference in the UI for inspecting a writer/reader node in the cluster.

**Virginia Region:** ![Shows writer node with default parameter group](/media/postImages/original/IMPYG6M9PoR0GiWOLavo39OQ)

**Ohio Region:** ![Shows writer node without displaying parameter group](/media/postImages/original/IMYvSfIMA5RmyB0gJKP9C95w)

This difference in UI between the regions is strange and I feel it may be some sort of bug. With Multi-AZ DB Clusters the writer/reader nodes are supposed to get their parameter group configuration from the "cluster", so not showing it in the Ohio version makes sense because it's based on the cluster. The Virginia version is showing the writer/reader parameter group as if it IS the cluster node (by displaying far more information than the Ohio region version). This doesn't make sense, and even when I do change the cluster's parameter group when modifying the cluster itself, the writer/reader nodes DO NOT change their parameter group. They stay the same, using the default: default:mysql-8-0. Even when creating the cluster with a custom parameter group from the very beginning, the writer/reader nodes do not accept it; they keep default:mysql-8-0. This is very confusing and not in line with what the documentation describes for this functionality.
1 answer · 0 votes · 11 views · asked a month ago

Can RDS Proxy support RLS patterns, with many sets of DB credentials dynamically added? Are there alternatives to this pattern for multi-tenant setups / SaaS architectures?

_tl;dr;_ I want to create a separate DB user account for each tenant in a SaaS, to support a multi-tenant setup for a PostgreSQL DB using Row Level Security (RLS). It seems this isn't possible or practical with RDS Proxy because the SDK doesn't allow for easy management of the secrets / credentials associated with RDS Proxy. What am I missing? How can I achieve a multi-tenant RLS setup with RDS Proxy and PostgreSQL RLS?

I'm trying to create a SaaS with a multi-tenant DB setup, on RDS Aurora Postgres. **Each tenant in the database === a DB account** (see: https://aws.amazon.com/blogs/database/multi-tenant-data-isolation-with-postgresql-row-level-security/). This was going fairly well when I was in the PoC stage, because I ignorantly put off storing DB secrets in Secrets Manager and just had a few sample accounts set up to test things out.

That said, I've recently realized that with RDS Proxy you need to actually add each database credential to the proxy in order to be able to use that credential through the proxy... and that's not something that happens instantly; it can take an unknown amount of time for RDS Proxy to be updated, and frankly I'm not sure how well this would scale when adding potentially hundreds or even thousands of credentials to RDS Proxy.

I had hoped / thought _maybe_ that using "IAM Authentication" would solve the issue, but although it doesn't seem super well documented / clear (at least not through the AWS console), I _think_ IAM Authentication doesn't do anything for us unless we're using SQL Server:

> IAM Authentication. Choose whether to require, allow, or disallow IAM authentication for connections to your proxy. **The allow option is only valid for proxies for RDS for SQL Server**. The choice of IAM authentication or native database authentication applies to all DB users that access this proxy.

https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/rds-proxy-setup.html

If I'm misunderstanding something here I'd love to know, and would really appreciate any advice. I feel like I'm fighting a losing battle with my current approach and would love to know if there is something I'm missing that would salvage things! If not, then I'm left with either:

1. Figure out how to programmatically add secrets / users to the DB Proxy. I think https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/clients/client-rds/interfaces/modifydbproxyrequest.html#auth is perhaps _a_ mechanism I could use, but again it doesn't feel like it was really built for this: each time a user registered, it looks like I'd have to basically update the entire proxy; I can't "just" add a single user.
2. Switch away from the "each user in the SaaS has a separate DB user" approach to something else, essentially putting the onus of security back on the application layer (which was my entire reason for using RLS originally).
3. ??

Note that [the AWS documentation on RDS Proxy and adding database users](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/rds-proxy-managing.html#rds-proxy-new-db-user) of course says that you can certainly add DB users; this I know. **The issue is adding users at scale, dynamically, via the SDK.** It just doesn't feel like RDS Proxy is designed for this (for understandable reasons, I might add; I realize there is probably a fair amount of complexity hidden in RDS Proxy).
0 answers · 0 votes · 15 views · asked a month ago
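Option 1 in the question above (registering each new tenant's secret with the proxy through `ModifyDBProxy`) has the exact shape the poster describes: the call replaces the proxy's whole `Auth` list, so an "add one user" operation is really read the current list, append, and write everything back. The following is an added example written for this page, not code from the poster or from AWS. It assumes a boto3 RDS client (any object exposing `describe_db_proxies` and `modify_db_proxy` with the same response shapes works, which is how the constructed `FakeRdsClient` stands in for it offline), that the tenant's database role already exists, and that its password is already stored in a Secrets Manager secret whose ARN you hold. The proxy name and secret ARNs below are made up.

```python
"""Register a tenant's Secrets Manager secret with an RDS Proxy.

ModifyDBProxy replaces the entire Auth list, so every "add a user" call
must send back the existing entries plus the new one. The merge is kept
idempotent so a retried registration does not duplicate an entry.
"""
from typing import Any, Dict, List

AuthEntry = Dict[str, Any]


def merge_auth(existing: List[AuthEntry], secret_arn: str, description: str = "") -> List[AuthEntry]:
    """Return the Auth list to send back to ModifyDBProxy.

    If secret_arn is already registered the list is returned unchanged,
    so callers can compare lengths to decide whether a write is needed.
    """
    if any(entry.get("SecretArn") == secret_arn for entry in existing):
        return list(existing)
    new_entry: AuthEntry = {
        "AuthScheme": "SECRETS",
        "SecretArn": secret_arn,
        # Native database authentication through the proxy. Per the doc the
        # post quotes, the "allow" (ENABLED) setting is only valid for
        # RDS for SQL Server proxies, so a Postgres proxy uses DISABLED or
        # REQUIRED and the choice applies to every user on the proxy.
        "IAMAuth": "DISABLED",
    }
    if description:
        new_entry["Description"] = description
    return list(existing) + [new_entry]


def register_tenant_secret(rds, proxy_name: str, secret_arn: str, description: str = "") -> List[AuthEntry]:
    """Read-merge-write one tenant secret into the proxy's Auth list.

    `rds` is a boto3 RDS client (or a stand-in with the same methods).
    Returns the Auth list that is now registered on the proxy. The proxy
    picks the new entry up asynchronously; as the post notes, there is a
    delay before connections with that credential start working.
    """
    resp = rds.describe_db_proxies(DBProxyName=proxy_name)
    proxies = resp.get("DBProxies", [])
    if not proxies:
        raise ValueError(f"no proxy named {proxy_name!r}")
    current: List[AuthEntry] = proxies[0].get("Auth", [])
    merged = merge_auth(current, secret_arn, description)
    if len(merged) != len(current):
        # Full list goes back: omitting an entry here would silently
        # deregister that tenant's credential from the proxy.
        rds.modify_db_proxy(DBProxyName=proxy_name, Auth=merged)
    return merged


class FakeRdsClient:
    """Constructed stand-in for boto3's RDS client, for running offline.

    Mimics only the two calls used above and counts writes so a caller can
    check that an already-registered secret does not trigger a modify.
    """

    def __init__(self, proxy_name: str, auth: List[AuthEntry]) -> None:
        self.proxy_name = proxy_name
        self.auth = list(auth)
        self.modify_calls = 0

    def describe_db_proxies(self, DBProxyName: str) -> Dict[str, Any]:
        if DBProxyName != self.proxy_name:
            return {"DBProxies": []}
        return {"DBProxies": [{"DBProxyName": self.proxy_name, "Auth": list(self.auth)}]}

    def modify_db_proxy(self, DBProxyName: str, Auth: List[AuthEntry]) -> Dict[str, Any]:
        self.modify_calls += 1
        self.auth = list(Auth)
        return {"DBProxy": {"DBProxyName": DBProxyName, "Auth": list(Auth)}}


def demo() -> FakeRdsClient:
    """Register two tenants against a proxy that already has one (constructed data)."""
    seed = [{"UserName": "tenant_a", "AuthScheme": "SECRETS",
             "SecretArn": "arn:aws:secretsmanager:us-east-1:111111111111:secret:tenant-a",
             "IAMAuth": "DISABLED"}]
    rds = FakeRdsClient("demo-proxy", seed)
    register_tenant_secret(rds, "demo-proxy",
                           "arn:aws:secretsmanager:us-east-1:111111111111:secret:tenant-b", "tenant_b")
    # Retrying the same tenant is a no-op: no second ModifyDBProxy call.
    register_tenant_secret(rds, "demo-proxy",
                           "arn:aws:secretsmanager:us-east-1:111111111111:secret:tenant-b", "tenant_b")
    return rds


if __name__ == "__main__":
    client = demo()
    print(len(client.auth), "auth entries,", client.modify_calls, "modify call(s)")
```

To use it against a real proxy, pass `boto3.client("rds")` as `rds`; the read-then-write sequence is not atomic, so two registrations racing on the same proxy can overwrite each other's entry, which is one more reason to serialize tenant onboarding behind a single worker.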