aws-cdk: (aws-rds): grantConnect for IAM authentication provides invalid permissions (surface DbiResourceId)
DatabaseInstance has a method grantConnect for granting connect access to the instance using IAM-based authentication.
However, the DB resource ARN in the produced IAM policy is incorrect and doesn't work. Based on the documentation, the format for the resource in the IAM policy should be: arn:aws:rds-db:region:account-id:dbuser:DbiResourceId/db-user-name
The actual resource produced by grantConnect has the format: arn:aws:rds:region:account-id:db:DBInstanceId. Also, the function doesn't provide any parameter to define the DB username to be used in the policy.
Reproduction Steps
import { Stack, Construct, StackProps } from '@aws-cdk/core';
import {
  DatabaseInstance,
  DatabaseInstanceEngine,
  PostgresEngineVersion,
  Credentials,
} from '@aws-cdk/aws-rds';
import { IVpc } from '@aws-cdk/aws-ec2';
import { User } from '@aws-cdk/aws-iam';

export interface MyStackProps extends StackProps {
  vpc: IVpc;
}

export class MyStack extends Stack {
  constructor(scope: Construct, id: string, props: MyStackProps) {
    super(scope, id, props);

    // Postgres instance with IAM database authentication enabled
    const db = new DatabaseInstance(this, 'Instance', {
      engine: DatabaseInstanceEngine.postgres({ version: PostgresEngineVersion.VER_12_4 }),
      credentials: Credentials.fromGeneratedSecret('testuser'),
      vpc: props.vpc,
      port: 5432,
      iamAuthentication: true,
    });

    const user = new User(this, 'TestUser', {
      userName: 'testuser',
    });

    // Expected to grant rds-db:connect on arn:...:rds-db:...:dbuser:DbiResourceId/db-user-name
    db.grantConnect(user);
  }
}
What did you expect to happen?
To create an IAM policy where the resource ARN would be according to the documentation, i.e. arn:aws:rds-db:region:account-id:dbuser:DbiResourceId/db-user-name
What actually happened?
Instead of the correct policy, the generated template contains the following definition:
{
  "Action": "rds-db:connect",
  "Effect": "Allow",
  "Resource": {
    "Fn::Join": [
      "",
      [
        "arn:",
        { "Ref": "AWS::Partition" },
        ":rds:",
        { "Ref": "AWS::Region" },
        ":",
        { "Ref": "AWS::AccountId" },
        ":db:",
        { "Ref": "InstanceC1063A87" }
      ]
    ]
  }
}
In addition to the format of the ARN being incorrect, the wrong DB identifier is also used. The template uses the DB instance ID, but the correct identifier is the DB resource ID.
Environment
- CDK CLI Version : 1.75.0
- Framework Version: 1.75.0
- Node.js Version: 12.18.3
- OS : OS X
- Language (Version): Typescript 4.1.2
Other
The support for the grantConnect was requested in this issue and added in this PR.
A comment in the original issue still stands i.e. that the DB Resource Id is not accessible in Cloudformation.
This is a 🐛 Bug Report
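To catch this defect before deployment rather than at login time, the following added check (not part of the CDK project or of the report) scans the IAM statements of a synthesized template, resolves the Fn::Join/Ref intrinsics with placeholder values, and flags any rds-db:connect statement whose resource is not of the documented arn:partition:rds-db:region:account:dbuser:DbiResourceId/db-user-name form. The sample statements, the region, account and resource ID values are constructed for the example.

```typescript
// Subset of CloudFormation intrinsic values that grantConnect() emits.
type CfnValue = string | { Ref: string } | { 'Fn::Join': [string, CfnValue[]] };

interface CfnStatement {
  Action: string | string[];
  Effect: string;
  Resource: CfnValue | CfnValue[];
}

// Resolve Ref / Fn::Join into a plain string using placeholder values for pseudo parameters
// and logical IDs (unknown refs are kept as <LogicalId> so the shape is still visible).
function resolveCfn(v: CfnValue, refs: Record<string, string>): string {
  if (typeof v === 'string') return v;
  if ('Ref' in v) return refs[v.Ref] ?? `<${v.Ref}>`;
  const [sep, parts] = v['Fn::Join'];
  return parts.map((p) => resolveCfn(p, refs)).join(sep);
}

// Documented resource format for rds-db:connect:
// arn:partition:rds-db:region:account-id:dbuser:DbiResourceId/db-user-name
const RDS_DB_CONNECT_ARN = /^arn:[^:]+:rds-db:[^:]*:[^:]*:dbuser:[^/]+\/[^/]+$/;

// Return every resolved Resource of an rds-db:connect statement that does not match the format.
function findBadConnectResources(statements: CfnStatement[], refs: Record<string, string>): string[] {
  const bad: string[] = [];
  for (const s of statements) {
    const actions = Array.isArray(s.Action) ? s.Action : [s.Action];
    if (!actions.includes('rds-db:connect')) continue;
    const resources = Array.isArray(s.Resource) ? s.Resource : [s.Resource];
    for (const r of resources) {
      const arn = resolveCfn(r, refs);
      if (!RDS_DB_CONNECT_ARN.test(arn)) bad.push(arn);
    }
  }
  return bad;
}

// Constructed sample: the statement grantConnect() emitted in the report, plus a correct one.
const SAMPLE_REFS: Record<string, string> = {
  'AWS::Partition': 'aws', 'AWS::Region': 'eu-west-1', 'AWS::AccountId': '123456789012', InstanceC1063A87: 'mydb',
};
const SAMPLE_STATEMENTS: CfnStatement[] = [
  { Action: 'rds-db:connect', Effect: 'Allow', Resource: { 'Fn::Join': ['', ['arn:', { Ref: 'AWS::Partition' },
    ':rds:', { Ref: 'AWS::Region' }, ':', { Ref: 'AWS::AccountId' }, ':db:', { Ref: 'InstanceC1063A87' }]] } },
  { Action: 'rds-db:connect', Effect: 'Allow', Resource: 'arn:aws:rds-db:eu-west-1:123456789012:dbuser:db-ABCDEFGHIJKL01234/testuser' },
];

console.log(findBadConnectResources(SAMPLE_STATEMENTS, SAMPLE_REFS)); // → ['arn:aws:rds:eu-west-1:123456789012:db:mydb']
```

Because the correct ARN needs the DbiResourceId, which the report notes is not exposed to CloudFormation, a passing check implies the resource ID was obtained out of band (for example via a custom resource, as discussed in the comments).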
About this issue
- State: closed
- Created 4 years ago
- Reactions: 28
- Comments: 30 (18 by maintainers)
Commits related to this issue
- docs(aws-rds): Specify that `grantConnect()` does not work (#19290) Add notes in the docs that `grantConnect()` does not work currently. Reference: https://github.com/aws/aws-cdk/issues/11851 ---- ... — committed to aws/aws-cdk by gshpychka 2 years ago
- docs(aws-rds): Specify that `grantConnect()` does not work (#19290) Add notes in the docs that `grantConnect()` does not work currently. Reference: https://github.com/aws/aws-cdk/issues/11851 ---- ... — committed to TheRealAmazonKendra/aws-cdk by gshpychka 2 years ago
- fix(rds): Correct ARN in IAM policy for IAM database access (#25141) The [IAM policy for IAM database access](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.IAMPolicy.h... — committed to aws/aws-cdk by akash1810 a year ago
- fix: Custom resource to acquire rds resource id RDS resource id is needed to allow iam login. This value can't be called directly due to a known AWS bug. A suggested workaround is to call custom reso... — committed to linz/bde-fdw-rds by Jimlinz a year ago
- Create rds iam user (#51) * chore: Minor tidy ups - Added security group in context. These are automatically generated during cdk synth or cdk deploy and will generally speed things up. - Rename rds... — committed to linz/bde-fdw-rds by Jimlinz a year ago
I see this is closed; has it been fixed? If so, the docs here should be updated: grantConnect
Is it possible for the CDK team to raise this with the CF team? I mean this is really broken.
Just ran into this problem, and this is very broken. Until this issue is fixed upstream in CFN it would be nice to update the documentation to reflect that the grantConnect() method is utterly broken and cannot be used, just to save future travelers some time debugging this.

Thanks to @jdvornek for the solution provided. In our case we needed to tweak it a little to make it work, as we were not using Aurora clusters and the API response was slightly larger than 4k.
Note the addition of outputPath to limit the amount of data returned. In our case, if this was omitted, the CFN update would fail and roll back with a cryptic "Response object is too long." error message.

This works for an Aurora cluster, I believe. Obviously it needs to be extended for instances, etc., but maybe this will get someone unblocked, and it seems easy enough to swap out once a proper fix is available.

That yields

@cloventt The docs for AwsCustomResource say that onCreate will call onUpdate by default. So probably you only need to specify onUpdate. https://docs.aws.amazon.com/cdk/api/v1/docs/@aws-cdk_custom-resources.AwsCustomResourceProps.html#oncreate

So it looks like skinny85 doesn't work for Amazon any more; who would be the person to give an update on this particular issue?