Setting up access to an Amazon S3 bucket
To import data from an Amazon S3 file, give the RDS for PostgreSQL DB instance permission to access the Amazon S3 bucket containing the file. You provide access to an Amazon S3 bucket in one of two ways, as described in the following topics.
Topics
Using an IAM role to access an Amazon S3 bucket
Before you load data from an Amazon S3 file, give your RDS for PostgreSQL DB instance permission to access the Amazon S3 bucket the file is in. This way, you don't have to manage additional credential information or provide it in the aws_s3.table_import_from_s3 function call.
To do this, create an IAM policy that provides access to the Amazon S3 bucket. Create an IAM role and attach the policy to the role. Then assign the IAM role to your DB instance.
To give an RDS for PostgreSQL DB instance access to Amazon S3 through an IAM role
-
Create an IAM policy.
This policy provides the bucket and object permissions that allow your RDS for PostgreSQL DB instance to access Amazon S3.
Include in the policy the following required actions to allow the transfer of files from an Amazon S3 bucket to Amazon RDS:
-
s3:GetObject -
s3:ListBucket
Include in the policy the following resources to identify the Amazon S3 bucket and objects in the bucket. This shows the Amazon Resource Name (ARN) format for accessing Amazon S3.
-
arn:aws:s3:::
amzn-s3-demo-bucket -
arn:aws:s3:::
amzn-s3-demo-bucket/*
For more information on creating an IAM policy for RDS for PostgreSQL, see Creating and using an IAM policy for IAM database access. See also Tutorial: Create and attach your first customer managed policy in the IAM User Guide.
The following AWS CLI command creates an IAM policy named
rds-s3-import-policywith these options. It grants access to a bucket namedamzn-s3-demo-bucket.Note
Make a note of the Amazon Resource Name (ARN) of the policy returned by this command. You need the ARN in a subsequent step when you attach the policy to an IAM role.
Example
For Linux, macOS, or Unix:
aws iam create-policy \ --policy-name rds-s3-import-policy \ --policy-document '{ "Version": "2012-10-17", "Statement": [ { "Sid": "s3import", "Action": [ "s3:GetObject", "s3:ListBucket" ], "Effect": "Allow", "Resource": [ "arn:aws:s3:::amzn-s3-demo-bucket", "arn:aws:s3:::amzn-s3-demo-bucket/*" ] } ] }'For Windows:
aws iam create-policy ^ --policy-name rds-s3-import-policy ^ --policy-document '{ "Version": "2012-10-17", "Statement": [ { "Sid": "s3import", "Action": [ "s3:GetObject", "s3:ListBucket" ], "Effect": "Allow", "Resource": [ "arn:aws:s3:::amzn-s3-demo-bucket", "arn:aws:s3:::amzn-s3-demo-bucket/*" ] } ] }' -
-
Create an IAM role.
You do this so Amazon RDS can assume this IAM role to access your Amazon S3 buckets. For more information, see Creating a role to delegate permissions to an IAM user in the IAM User Guide.
We recommend using the
aws:SourceArnandaws:SourceAccountglobal condition context keys in resource-based policies to limit the service's permissions to a specific resource. This is the most effective way to protect against the confused deputy problem.If you use both global condition context keys and the
aws:SourceArnvalue contains the account ID, theaws:SourceAccountvalue and the account in theaws:SourceArnvalue must use the same account ID when used in the same policy statement.Use
aws:SourceArnif you want cross-service access for a single resource.-
Use
aws:SourceAccountif you want to allow any resource in that account to be associated with the cross-service use.
In the policy, be sure to use the
aws:SourceArnglobal condition context key with the full ARN of the resource. The following example shows how to do so using the AWS CLI command to create a role namedrds-s3-import-role.Example
For Linux, macOS, or Unix:
aws iam create-role \ --role-name rds-s3-import-role \ --assume-role-policy-document '{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "rds.amazonaws.com" }, "Action": "sts:AssumeRole", "Condition": { "StringEquals": { "aws:SourceAccount": "111122223333", "aws:SourceArn": "arn:aws:rds:us-east-1:111122223333:db:dbname" } } } ] }'For Windows:
aws iam create-role ^ --role-name rds-s3-import-role ^ --assume-role-policy-document '{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "rds.amazonaws.com" }, "Action": "sts:AssumeRole", "Condition": { "StringEquals": { "aws:SourceAccount": "111122223333", "aws:SourceArn": "arn:aws:rds:us-east-1:111122223333:db:dbname" } } } ] }' -
Attach the IAM policy that you created to the IAM role that you created.
The following AWS CLI command attaches the policy created in the previous step to the role named
rds-s3-import-roleReplaceyour-policy-arnExample
For Linux, macOS, or Unix:
aws iam attach-role-policy \ --policy-arnyour-policy-arn\ --role-name rds-s3-import-roleFor Windows:
aws iam attach-role-policy ^ --policy-arnyour-policy-arn^ --role-name rds-s3-import-role -
Add the IAM role to the DB instance.
You do so by using the AWS Management Console or AWS CLI, as described following.
To add an IAM role for a PostgreSQL DB instance using the console
Sign in to the AWS Management Console and open the Amazon RDS console at https://console.aws.amazon.com/rds/
. -
Choose the PostgreSQL DB instance name to display its details.
-
On the Connectivity & security tab, in the Manage IAM roles section, choose the role to add under Add IAM roles to this instance .
-
Under Feature, choose s3Import.
-
Choose Add role.
To add an IAM role for a PostgreSQL DB instance using the CLI
-
Use the following command to add the role to the PostgreSQL DB instance named
my-db-instance. Replaceyour-role-arns3Importfor the value of the--feature-nameoption.Example
For Linux, macOS, or Unix:
aws rds add-role-to-db-instance \ --db-instance-identifiermy-db-instance\ --feature-name s3Import \ --role-arnyour-role-arn\ --regionyour-regionFor Windows:
aws rds add-role-to-db-instance ^ --db-instance-identifiermy-db-instance^ --feature-name s3Import ^ --role-arnyour-role-arn^ --regionyour-region
To add an IAM role for a PostgreSQL DB instance using the Amazon RDS API, call the AddRoleToDBInstance operation.
Using security credentials to access an Amazon S3 bucket
If you prefer, you can use security credentials to provide access to an Amazon S3
bucket instead of providing access with an IAM role. You do so by specifying the
credentials parameter in the aws_s3.table_import_from_s3 function call.
The credentials parameter is a structure of type
aws_commons._aws_credentials_1, which contains AWS credentials. Use
the aws_commons.create_aws_credentials function
to set the access key and secret key in an
aws_commons._aws_credentials_1 structure, as shown following.
postgres=>SELECT aws_commons.create_aws_credentials( 'sample_access_key', 'sample_secret_key', '') AS creds \gset
After creating the aws_commons._aws_credentials_1 structure, use the
aws_s3.table_import_from_s3 function with the
credentials parameter to import the data, as shown
following.
postgres=>SELECT aws_s3.table_import_from_s3( 't', '', '(format csv)', :'s3_uri', :'creds' );
Or you can include the aws_commons.create_aws_credentials function
call inline within the aws_s3.table_import_from_s3 function
call.
postgres=>SELECT aws_s3.table_import_from_s3( 't', '', '(format csv)', :'s3_uri', aws_commons.create_aws_credentials('sample_access_key', 'sample_secret_key', '') );
Troubleshooting access to Amazon S3
If you encounter connection problems when attempting to import data from Amazon S3, see the following for recommendations:
-
Troubleshooting Amazon S3 in the Amazon Simple Storage Service User Guide
-
Troubleshooting Amazon S3 and IAM in the IAM User Guide
