# Setting up IAM roles to access AWS services
To permit your Aurora DB cluster to access another AWS service, do the following:
1. Create an IAM policy that grants permission to the AWS service. For more information, see the following topics.
+ [Creating an IAM policy to access Amazon S3 resources](AuroraMySQL.Integrating.Authorizing.IAM.S3CreatePolicy.md)
+ [Creating an IAM policy to access AWS Lambda resources](AuroraMySQL.Integrating.Authorizing.IAM.LambdaCreatePolicy.md)
+ [Creating an IAM policy to access CloudWatch Logs resources](AuroraMySQL.Integrating.Authorizing.IAM.CWCreatePolicy.md)
+ [Creating an IAM policy to access AWS KMS resources](AuroraMySQL.Integrating.Authorizing.IAM.KMSCreatePolicy.md)
1. Create an IAM role and attach the policy that you created. For more information, see [Creating an IAM role to allow Amazon Aurora to access AWS services](AuroraMySQL.Integrating.Authorizing.IAM.CreateRole.md).
1. Associate that IAM role with your Aurora DB cluster. For more information, see [Associating an IAM role with an Amazon Aurora MySQL DB cluster](AuroraMySQL.Integrating.Authorizing.IAM.AddRoleToDBCluster.md).
# Creating an IAM policy to access Amazon S3 resources
Aurora can access Amazon S3 resources to either load data to or save data from an Aurora DB cluster. However, you must first create an IAM policy that provides the bucket and object permissions that allow Aurora to access Amazon S3.
The following table lists the Aurora features that can access an Amazon S3 bucket on your behalf, and the minimum required bucket and object permissions required by each feature.
| Feature | Bucket permissions | Object permissions |
| --- | --- | --- |
| `LOAD DATA FROM S3` | `ListBucket` | `GetObject` `GetObjectVersion` |
| LOAD XML FROM S3 | `ListBucket` | `GetObject` `GetObjectVersion` |
| `SELECT INTO OUTFILE S3` | `ListBucket` | `AbortMultipartUpload` `DeleteObject` `GetObject` `ListMultipartUploadParts` `PutObject` |
The following policy adds the permissions that might be required by Aurora to access an Amazon S3 bucket on your behalf.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowAuroraToExampleBucket",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:AbortMultipartUpload",
"s3:ListBucket",
"s3:DeleteObject",
"s3:GetObjectVersion",
"s3:ListMultipartUploadParts"
],
"Resource": [
"arn:aws:s3:::amzn-s3-demo-bucket/*",
"arn:aws:s3:::amzn-s3-demo-bucket"
]
}
]
}
```
------
**Note**
Make sure to include both entries for the `Resource` value. Aurora needs the permissions on both the bucket itself and all the objects inside the bucket.
Based on your use case, you might not need to add all of the permissions in the sample policy. Also, other permissions might be required. For example, if your Amazon S3 bucket is encrypted, you need to add `kms:Decrypt` permissions.
You can use the following steps to create an IAM policy that provides the minimum required permissions for Aurora to access an Amazon S3 bucket on your behalf. To allow Aurora to access all of your Amazon S3 buckets, you can skip these steps and use either the `AmazonS3ReadOnlyAccess` or `AmazonS3FullAccess` predefined IAM policy instead of creating your own.
**To create an IAM policy to grant access to your Amazon S3 resources**
1. Open the [IAM Management Console](https://console.aws.amazon.com/iam/home?#home).
1. In the navigation pane, choose **Policies**.
1. Choose **Create policy**.
1. On the **Visual editor** tab, choose **Choose a service**, and then choose **S3**.
1. For **Actions**, choose **Expand all**, and then choose the bucket permissions and object permissions needed for the IAM policy.
Object permissions are permissions for object operations in Amazon S3, and need to be granted for objects in a bucket, not the bucket itself. For more information about permissions for object operations in Amazon S3, see [Permissions for object operations](https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-with-s3-actions.html#using-with-s3-actions-related-to-objects).
1. Choose **Resources**, and choose **Add ARN** for **bucket**.
1. In the **Add ARN(s)** dialog box, provide the details about your resource, and choose **Add**.
Specify the Amazon S3 bucket to allow access to. For instance, if you want to allow Aurora to access the Amazon S3 bucket named *amzn-s3-demo-bucket*, then set the Amazon Resource Name (ARN) value to `arn:aws:s3:::amzn-s3-demo-bucket`.
1. If the **object** resource is listed, choose **Add ARN** for **object**.
1. In the **Add ARN(s)** dialog box, provide the details about your resource.
For the Amazon S3 bucket, specify the Amazon S3 bucket to allow access to. For the object, you can choose **Any** to grant permissions to any object in the bucket.
**Note**
You can set **Amazon Resource Name (ARN)** to a more specific ARN value in order to allow Aurora to access only specific files or folders in an Amazon S3 bucket. For more information about how to define an access policy for Amazon S3, see [Managing access permissions to your Amazon S3 resources](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-access-control.html).
1. (Optional) Choose **Add ARN** for **bucket** to add another Amazon S3 bucket to the policy, and repeat the previous steps for the bucket.
**Note**
You can repeat this to add corresponding bucket permission statements to your policy for each Amazon S3 bucket that you want Aurora to access. Optionally, you can also grant access to all buckets and objects in Amazon S3.
1. Choose **Review policy**.
1. For **Name**, enter a name for your IAM policy, for example `AllowAuroraToExampleBucket`. You use this name when you create an IAM role to associate with your Aurora DB cluster. You can also add an optional **Description** value.
1. Choose **Create policy**.
1. Complete the steps in [Creating an IAM role to allow Amazon Aurora to access AWS services](AuroraMySQL.Integrating.Authorizing.IAM.CreateRole.md).
# Creating an IAM policy to access AWS Lambda resources
You can create an IAM policy that provides the minimum required permissions for Aurora to invoke an AWS Lambda function on your behalf.
The following policy adds the permissions required by Aurora to invoke an AWS Lambda function on your behalf.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowAuroraToExampleFunction",
"Effect": "Allow",
"Action": "lambda:InvokeFunction",
"Resource": "arn:aws:lambda:us-east-1:123456789012:function:example_function"
}
]
}
```
------
You can use the following steps to create an IAM policy that provides the minimum required permissions for Aurora to invoke an AWS Lambda function on your behalf. To allow Aurora to invoke all of your AWS Lambda functions, you can skip these steps and use the predefined `AWSLambdaRole` policy instead of creating your own.
**To create an IAM policy to grant invoke to your AWS Lambda functions**
1. Open the [IAM console](https://console.aws.amazon.com/iam/home?#home).
1. In the navigation pane, choose **Policies**.
1. Choose **Create policy**.
1. On the **Visual editor** tab, choose **Choose a service**, and then choose **Lambda**.
1. For **Actions**, choose **Expand all**, and then choose the AWS Lambda permissions needed for the IAM policy.
Ensure that `InvokeFunction` is selected. It is the minimum required permission to enable Amazon Aurora to invoke an AWS Lambda function.
1. Choose **Resources** and choose **Add ARN** for **function**.
1. In the **Add ARN(s)** dialog box, provide the details about your resource.
Specify the Lambda function to allow access to. For instance, if you want to allow Aurora to access a Lambda function named `example_function`, then set the ARN value to `arn:aws:lambda:::function:example_function`.
For more information on how to define an access policy for AWS Lambda, see [Authentication and access control for AWS Lambda](https://docs.aws.amazon.com/lambda/latest/dg/lambda-auth-and-access-control.html).
1. Optionally, choose **Add additional permissions** to add another AWS Lambda function to the policy, and repeat the previous steps for the function.
**Note**
You can repeat this to add corresponding function permission statements to your policy for each AWS Lambda function that you want Aurora to access.
1. Choose **Review policy**.
1. Set **Name** to a name for your IAM policy, for example `AllowAuroraToExampleFunction`. You use this name when you create an IAM role to associate with your Aurora DB cluster. You can also add an optional **Description** value.
1. Choose **Create policy**.
1. Complete the steps in [Creating an IAM role to allow Amazon Aurora to access AWS services](AuroraMySQL.Integrating.Authorizing.IAM.CreateRole.md).
# Creating an IAM policy to access CloudWatch Logs resources
Aurora can access CloudWatch Logs to export audit log data from an Aurora DB cluster. However, you must first create an IAM policy that provides the log group and log stream permissions that allow Aurora to access CloudWatch Logs.
The following policy adds the permissions required by Aurora to access Amazon CloudWatch Logs on your behalf, and the minimum required permissions to create log groups and export data.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "EnableCreationAndManagementOfRDSCloudwatchLogEvents",
"Effect": "Allow",
"Action": [
"logs:GetLogEvents",
"logs:PutLogEvents"
],
"Resource": "arn:aws:logs:*:*:log-group:/aws/rds/*:log-stream:*"
},
{
"Sid": "EnableCreationAndManagementOfRDSCloudwatchLogGroupsAndStreams",
"Effect": "Allow",
"Action": [
"logs:CreateLogStream",
"logs:DescribeLogStreams",
"logs:PutRetentionPolicy",
"logs:CreateLogGroup"
],
"Resource": "arn:aws:logs:*:*:log-group:/aws/rds/*"
}
]
}
```
------
You can modify the ARNs in the policy to restrict access to a specific AWS Region and account.
You can use the following steps to create an IAM policy that provides the minimum required permissions for Aurora to access CloudWatch Logs on your behalf. To allow Aurora full access to CloudWatch Logs, you can skip these steps and use the `CloudWatchLogsFullAccess` predefined IAM policy instead of creating your own. For more information, see [Using identity-based policies (IAM policies) for CloudWatch Logs](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/iam-identity-based-access-control-cwl.html#managed-policies-cwl) in the* Amazon CloudWatch User Guide.*
**To create an IAM policy to grant access to your CloudWatch Logs resources**
1. Open the [IAM console](https://console.aws.amazon.com/iam/home?#home).
1. In the navigation pane, choose **Policies**.
1. Choose **Create policy**.
1. On the **Visual editor** tab, choose **Choose a service**, and then choose **CloudWatch Logs**.
1. For **Actions**, choose **Expand all** (on the right), and then choose the Amazon CloudWatch Logs permissions needed for the IAM policy.
Ensure that the following permissions are selected:
+ `CreateLogGroup`
+ `CreateLogStream`
+ `DescribeLogStreams`
+ `GetLogEvents`
+ `PutLogEvents`
+ `PutRetentionPolicy`
1. Choose **Resources** and choose **Add ARN** for **log-group**.
1. In the **Add ARN(s)** dialog box, enter the following values:
+ **Region** – An AWS Region or `*`
+ **Account** – An account number or `*`
+ **Log Group Name** – `/aws/rds/*`
1. In the **Add ARN(s)** dialog box, choose **Add**.
1. Choose **Add ARN** for **log-stream**.
1. In the **Add ARN(s)** dialog box, enter the following values:
+ **Region** – An AWS Region or `*`
+ **Account** – An account number or `*`
+ **Log Group Name** – `/aws/rds/*`
+ **Log Stream Name** – `*`
1. In the **Add ARN(s)** dialog box, choose **Add**.
1. Choose **Review policy**.
1. Set **Name** to a name for your IAM policy, for example `AmazonRDSCloudWatchLogs`. You use this name when you create an IAM role to associate with your Aurora DB cluster. You can also add an optional **Description** value.
1. Choose **Create policy**.
1. Complete the steps in [Creating an IAM role to allow Amazon Aurora to access AWS services](AuroraMySQL.Integrating.Authorizing.IAM.CreateRole.md).
# Creating an IAM policy to access AWS KMS resources
Aurora can access the AWS KMS keys used for encrypting their database backups. However, you must first create an IAM policy that provides the permissions that allow Aurora to access KMS keys.
The following policy adds the permissions required by Aurora to access KMS keys on your behalf.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowAuroraToAccessKey",
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": "arn:aws:kms:us-east-1:123456789012:key/key-ID"
}
]
}
```
------
You can use the following steps to create an IAM policy that provides the minimum required permissions for Aurora to access KMS keys on your behalf.
**To create an IAM policy to grant access to your KMS keys**
1. Open the [IAM console](https://console.aws.amazon.com/iam/home?#home).
1. In the navigation pane, choose **Policies**.
1. Choose **Create policy**.
1. On the **Visual editor** tab, choose **Choose a service**, and then choose **KMS**.
1. For **Actions**, choose **Write**, and then choose **Decrypt**.
1. Choose **Resources**, and choose **Add ARN**.
1. In the **Add ARN(s)** dialog box, enter the following values:
+ **Region** – Type the AWS Region, such as `us-west-2`.
+ **Account** – Type the user account number.
+ **Log Stream Name** – Type the KMS key identifier.
1. In the **Add ARN(s)** dialog box, choose **Add**.
1. Choose **Review policy**.
1. Set **Name** to a name for your IAM policy, for example `AmazonRDSKMSKey`. You use this name when you create an IAM role to associate with your Aurora DB cluster. You can also add an optional **Description** value.
1. Choose **Create policy**.
1. Complete the steps in [Creating an IAM role to allow Amazon Aurora to access AWS services](AuroraMySQL.Integrating.Authorizing.IAM.CreateRole.md).
# Creating an IAM role to allow Amazon Aurora to access AWS services
After creating an IAM policy to allow Aurora to access AWS resources, you must create an IAM role and attach the IAM policy to the new IAM role.
To create an IAM role to permit your Amazon RDS cluster to communicate with other AWS services on your behalf, take the following steps.
**To create an IAM role to allow Amazon RDS to access AWS services**
1. Open the [IAM console](https://console.aws.amazon.com/iam/home?#home).
1. In the navigation pane, choose **Roles**.
1. Choose **Create role**.
1. Under **AWS service**, choose **RDS**.
1. Under **Select your use case**, choose **RDS – Add Role to Database**.
1. Choose **Next**.
1. On the **Permissions policies** page, enter the name of your policy in the **Search** field.
1. When it appears in the list, select the policy that you defined earlier using the instructions in one of the following sections:
+ [Creating an IAM policy to access Amazon S3 resources](AuroraMySQL.Integrating.Authorizing.IAM.S3CreatePolicy.md)
+ [Creating an IAM policy to access AWS Lambda resources](AuroraMySQL.Integrating.Authorizing.IAM.LambdaCreatePolicy.md)
+ [Creating an IAM policy to access CloudWatch Logs resources](AuroraMySQL.Integrating.Authorizing.IAM.CWCreatePolicy.md)
+ [Creating an IAM policy to access AWS KMS resources](AuroraMySQL.Integrating.Authorizing.IAM.KMSCreatePolicy.md)
1. Choose **Next**.
1. In **Role name**, enter a name for your IAM role, for example `RDSLoadFromS3`. You can also add an optional **Description** value.
1. Choose **Create Role**.
1. Complete the steps in [Associating an IAM role with an Amazon Aurora MySQL DB cluster](AuroraMySQL.Integrating.Authorizing.IAM.AddRoleToDBCluster.md).
# Associating an IAM role with an Amazon Aurora MySQL DB cluster
To permit database users in an Amazon Aurora DB cluster to access other AWS services, you associate the IAM role that you created in [Creating an IAM role to allow Amazon Aurora to access AWS services](AuroraMySQL.Integrating.Authorizing.IAM.CreateRole.md) with that DB cluster. You can also have AWS create a new IAM role by associating the service directly.
To associate an IAM role with a DB cluster you do two things:
1. Add the role to the list of associated roles for a DB cluster by using the RDS console, the [add-role-to-db-cluster](https://docs.aws.amazon.com/cli/latest/reference/rds/add-role-to-db-cluster.html) AWS CLI command, or the [AddRoleToDBCluster](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_AddRoleToDBCluster.html) RDS API operation.
You can add a maximum of five IAM roles for each Aurora DB cluster.
1. Set the cluster-level parameter for the related AWS service to the ARN for the associated IAM role.
The following table describes the cluster-level parameter names for the IAM roles used to access other AWS services.
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/AuroraMySQL.Integrating.Authorizing.IAM.AddRoleToDBCluster.html)
To associate an IAM role to permit your Amazon RDS cluster to communicate with other AWS services on your behalf, take the following steps.
## Console
**To associate an IAM role with an Aurora DB cluster using the console**
1. Open the RDS console at [https://console.aws.amazon.com/rds/](https://console.aws.amazon.com/rds/).
1. Choose **Databases**.
1. Choose the name of the Aurora DB cluster that you want to associate an IAM role with to show its details.
1. On the **Connectivity & security** tab, in the **Manage IAM roles** section, do one of the following:
+ **Select IAM roles to add to this cluster** (default)
+ **Select a service to connect to this cluster**
![\[Associate an IAM role with a DB cluster\]](http://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/images/AuroraAssociateIAMRole-02.png)
1. To use an existing IAM role, choose it from the menu, then choose **Add role**.
If adding the role is successful, its status shows as `Pending`, then `Available`.
1. To connect a service directly:
1. Choose **Select a service to connect to this cluster**.
1. Choose the service from the menu, then choose **Connect service**.
1. For **Connect cluster to *Service Name***, enter the Amazon Resource Name (ARN) to use to connect to the service, then choose **Connect service**.
AWS creates a new IAM role for connecting to the service. Its status shows as `Pending`, then `Available`.
1. (Optional) To stop associating an IAM role with a DB cluster and remove the related permission, choose the role and then choose **Delete**.
**To set the cluster-level parameter for the associated IAM role**
1. In the RDS console, choose **Parameter groups** in the navigation pane.
1. If you are already using a custom DB parameter group, you can select that group to use instead of creating a new DB cluster parameter group. If you are using the default DB cluster parameter group, create a new DB cluster parameter group, as described in the following steps:
1. Choose **Create parameter group**.
1. For **Parameter group family**, choose `aurora-mysql8.0` for an Aurora MySQL 8.0-compatible DB cluster, or `aurora-mysql5.7` for an Aurora MySQL 5.7-compatible DB cluster.
1. For **Type**, choose **DB Cluster Parameter Group**.
1. For **Group name**, type the name of your new DB cluster parameter group.
1. For **Description**, type a description for your new DB cluster parameter group.
![\[Create a DB cluster parameter group\]](http://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/images/AuroraAssociateIAMRole-03.png)
1. Choose **Create**.
1. On the **Parameter groups** page, select your DB cluster parameter group and choose **Edit** for **Parameter group actions**.
1. Set the appropriate cluster-level [parameters](#aurora_cluster_params_iam_roles) to the related IAM role ARN values.
For example, you can set just the `aws_default_s3_role` parameter to `arn:aws:iam::123456789012:role/AllowS3Access`.
1. Choose **Save changes**.
1. To change the DB cluster parameter group for your DB cluster, complete the following steps:
1. Choose **Databases**, and then choose your Aurora DB cluster.
1. Choose **Modify**.
1. Scroll to **Database options** and set **DB cluster parameter group** to the DB cluster parameter group.
1. Choose **Continue**.
1. Verify your changes and then choose **Apply immediately**.
1. Choose **Modify cluster**.
1. Choose **Databases**, and then choose the primary instance for your DB cluster.
1. For **Actions**, choose **Reboot**.
When the instance has rebooted, your IAM role is associated with your DB cluster.
For more information about cluster parameter groups, see [Aurora MySQL configuration parameters](AuroraMySQL.Reference.ParameterGroups.md).
## CLI
**To associate an IAM role with a DB cluster by using the AWS CLI**
1. Call the `add-role-to-db-cluster` command from the AWS CLI to add the ARNs for your IAM roles to the DB cluster, as shown following.
```
PROMPT> aws rds add-role-to-db-cluster --db-cluster-identifier my-cluster --role-arn arn:aws:iam::123456789012:role/AllowAuroraS3Role
PROMPT> aws rds add-role-to-db-cluster --db-cluster-identifier my-cluster --role-arn arn:aws:iam::123456789012:role/AllowAuroraLambdaRole
```
1. If you are using the default DB cluster parameter group, create a new DB cluster parameter group. If you are already using a custom DB parameter group, you can use that group instead of creating a new DB cluster parameter group.
To create a new DB cluster parameter group, call the `create-db-cluster-parameter-group` command from the AWS CLI, as shown following.
```
PROMPT> aws rds create-db-cluster-parameter-group --db-cluster-parameter-group-name AllowAWSAccess \
--db-parameter-group-family aurora5.7 --description "Allow access to Amazon S3 and AWS Lambda"
```
For an Aurora MySQL 5.7-compatible DB cluster, specify `aurora-mysql5.7` for `--db-parameter-group-family`. For an Aurora MySQL 8.0-compatible DB cluster, specify `aurora-mysql8.0` for `--db-parameter-group-family`.
1. Set the appropriate cluster-level parameter or parameters and the related IAM role ARN values in your DB cluster parameter group, as shown following.
```
PROMPT> aws rds modify-db-cluster-parameter-group --db-cluster-parameter-group-name AllowAWSAccess \
--parameters "ParameterName=aws_default_s3_role,ParameterValue=arn:aws:iam::123456789012:role/AllowAuroraS3Role,method=pending-reboot" \
--parameters "ParameterName=aws_default_lambda_role,ParameterValue=arn:aws:iam::123456789012:role/AllowAuroraLambdaRole,method=pending-reboot"
```
1. Modify the DB cluster to use the new DB cluster parameter group and then reboot the cluster, as shown following.
```
PROMPT> aws rds modify-db-cluster --db-cluster-identifier my-cluster --db-cluster-parameter-group-name AllowAWSAccess
PROMPT> aws rds reboot-db-instance --db-instance-identifier my-cluster-primary
```
When the instance has rebooted, your IAM roles are associated with your DB cluster.
For more information about cluster parameter groups, see [Aurora MySQL configuration parameters](AuroraMySQL.Reference.ParameterGroups.md).