Setting up AWS Identity and Access Management (IAM) policies for RDS Proxy
After you create the secrets in Secrets Manager, you create an IAM policy that can access those secrets. For general information about using IAM, see Identity and access management for Amazon RDS.
Tip
The following procedure applies if you use the IAM console. If you use the AWS Management Console for RDS, RDS can create the IAM policy for you automatically. In that case, you can skip the following procedure.
To create an IAM policy that accesses your Secrets Manager secrets for use with your proxy

1. Sign in to the IAM console. Follow the Create role process, as described in Creating IAM roles, choosing Creating a role to delegate permissions to an AWS service. Choose AWS service for the Trusted entity type. Under Use case, select RDS from the Use cases for other AWS services dropdown. Select RDS - Add Role to Database.

2. For the new role, update the permissions policy. Use the same general procedures as in Editing IAM policies. Paste the following JSON into the JSON text box. Substitute your own account ID, and substitute your AWS Region for us-east-2. Substitute the Amazon Resource Names (ARNs) of the secrets that you created. For the kms:Decrypt action, substitute the ARN of the default AWS KMS key or your own KMS key, whichever you used to encrypt the Secrets Manager secrets (see Specifying KMS keys in IAM policy statements). The kms:ViaService condition restricts the decrypt permission to requests that Secrets Manager makes in that Region, so the role cannot use the key directly for anything else.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": "secretsmanager:GetSecretValue",
                "Resource": [
                    "arn:aws:secretsmanager:us-east-2:account_id:secret:secret_name_1",
                    "arn:aws:secretsmanager:us-east-2:account_id:secret:secret_name_2"
                ]
            },
            {
                "Sid": "VisualEditor1",
                "Effect": "Allow",
                "Action": "kms:Decrypt",
                "Resource": "arn:aws:kms:us-east-2:account_id:key/key_id",
                "Condition": {
                    "StringEquals": {
                        "kms:ViaService": "secretsmanager.us-east-2.amazonaws.com"
                    }
                }
            }
        ]
    }

3. Edit the trust policy for this IAM role. Paste the following JSON into the JSON text box. It allows only the RDS service principal to assume the role.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "",
                "Effect": "Allow",
                "Principal": {
                    "Service": "rds.amazonaws.com"
                },
                "Action": "sts:AssumeRole"
            }
        ]
    }
The following commands perform the same operation through the AWS CLI. Substitute your own identifier, role name, account ID, Region, secret ARNs, and KMS key ARN, as in the console procedure.

    PREFIX=my_identifier
    USER_ARN=$(aws sts get-caller-identity --query "Arn" --output text)

    aws iam create-role --role-name my_role_name \
        --assume-role-policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":["rds.amazonaws.com"]},"Action":"sts:AssumeRole"}]}'

    ROLE_ARN=arn:aws:iam::account_id:role/my_role_name

    aws iam put-role-policy --role-name my_role_name \
        --policy-name $PREFIX-secret-reader-policy \
        --policy-document '{
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Sid": "VisualEditor0",
                    "Effect": "Allow",
                    "Action": "secretsmanager:GetSecretValue",
                    "Resource": [
                        "arn:aws:secretsmanager:us-east-2:account_id:secret:secret_name_1",
                        "arn:aws:secretsmanager:us-east-2:account_id:secret:secret_name_2"
                    ]
                },
                {
                    "Sid": "VisualEditor1",
                    "Effect": "Allow",
                    "Action": "kms:Decrypt",
                    "Resource": "arn:aws:kms:us-east-2:account_id:key/key_id",
                    "Condition": {
                        "StringEquals": {
                            "kms:ViaService": "secretsmanager.us-east-2.amazonaws.com"
                        }
                    }
                }
            ]
        }'