View a markdown version of this page

Using reporting services email to send reports - Amazon Relational Database Service

Using reporting services email to send reports

SSRS and PBIRS include an email extension that you can use to send reports to users.

To configure email for SSRS, use the SSRS option settings. To configure email for PBIRS, use the PBIRS option settings. For more information, see Adding the SSRS or PBIRS option to your option group.

After configuring email, you can subscribe to reports on the report server. For more information, see Email delivery in Reporting Services in the Microsoft documentation.

Integration with AWS Secrets Manager is required for reporting services email to function on RDS. To integrate with Secrets Manager, you create a secret.

Note

If you change the secret later, you must also update the SSRS or PBIRS option in the option group.

To create a secret for reporting services email
  1. Follow the steps in Create a secret in the AWS Secrets Manager User Guide.

    1. For Select secret type, choose Other type of secrets.

    2. For Key/value pairs, enter the following:

      • SMTP_USERNAME – Enter a user with permission to send mail from the SMTP server.

      • SMTP_PASSWORD – Enter a password for the SMTP user.

    3. For Encryption key, don't use the default AWS KMS key. Use your own existing key, or create a new one.

      The KMS key policy must allow the kms:Decrypt action, for example:

      { "Sid": "Allow use of the key", "Effect": "Allow", "Principal": { "Service": [ "rds.amazonaws.com" ] }, "Action": [ "kms:Decrypt" ], "Resource": "*" }
  2. Follow the steps in Attach a permissions policy to a secret in the AWS Secrets Manager User Guide. The permissions policy gives the secretsmanager:GetSecretValue action to the rds.amazonaws.com service principal.

    We recommend that you use the aws:sourceAccount and aws:sourceArn conditions in the policy to avoid the confused deputy problem. Use your AWS account for aws:sourceAccount and the option group ARN for aws:sourceArn. For more information, see Preventing cross-service confused deputy problems.

    The following example shows a permissions policy.

    JSON
    { "Version":"2012-10-17", "Statement" : [ { "Effect" : "Allow", "Principal" : { "Service" : "rds.amazonaws.com" }, "Action" : "secretsmanager:GetSecretValue", "Resource" : "*", "Condition" : { "StringEquals" : { "aws:sourceAccount" : "123456789012" }, "ArnLike" : { "aws:sourceArn" : "arn:aws:rds:us-west-2:123456789012:og:ssrs-se-2017" } } } ] }

    For more examples, see Permissions policy examples for AWS Secrets Manager in the AWS Secrets Manager User Guide.