AWS App Studio is in preview and is subject to change.
Connect to Amazon Aurora
To connect App Studio with Aurora to enable builders to access and use Aurora resources in applications, you must perform the following steps:
Create and configure Aurora resources
To use Aurora databases with App Studio, you must first create them and configure them appropriately. There are two Aurora database types supported by App Studio: Aurora PostgreSQL and Aurora MySQL. To compare the types, see What's the difference between MySQL and PostgreSQL?
Create an IAM policy and role to give App Studio access to Aurora resources
To use Aurora resources with App Studio, administrators must create an IAM policy and attach it to an IAM role to give App Studio permissions to access the resources. The IAM policy and role control the scope of data that builders can use and what operations can be called against that data, such as Create, Read, Update, or Delete.
We recommend creating at least one IAM role per service and policy.
To create an IAM policy with appropriate permissions
- Sign in to the IAM console with a user that has permissions to create IAM roles. We recommend using the administrative user created in Create an administrative user for managing AWS resources.
- In the navigation pane of the console, choose Policies and then choose Create policy.
- In the Policy editor, choose JSON.
- Replace the existing snippet with the following snippet, replacing 111122223333 with the AWS account number in which the Amazon Redshift and Aurora resources are contained.

  ```json
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": [
          "rds-data:ExecuteStatement",
          "secretsmanager:GetSecretValue"
        ],
        "Resource": [
          "arn:aws:rds:*:111122223333:cluster:*",
          "arn:aws:secretsmanager:*:111122223333:secret:rds*"
        ]
      }
    ]
  }
  ```

  Choose Next.

  Provide a policy name, such as Aurora_AppStudio.

  Choose Create policy.
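An added example, not part of the AWS documentation: the policy above grants both actions on every cluster in the account and on every secret whose name begins with `rds`. The sketch below builds the same grant narrowed to the one cluster ARN and one secret ARN a connector uses, and lists the wildcard resources it replaces. The function names and sample ARNs are constructed for illustration, and the ARN pattern assumes the commercial `aws` partition.

```python
import json
import re

# Wildcard policy from the page, with 111122223333 as the account placeholder.
PAGE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "VisualEditor0", "Effect": "Allow",
    "Action": ["rds-data:ExecuteStatement", "secretsmanager:GetSecretValue"],
    "Resource": ["arn:aws:rds:*:111122223333:cluster:*",
                 "arn:aws:secretsmanager:*:111122223333:secret:rds*"]}]}

# Concrete ARNs only (no * or ?); assumes the commercial "aws" partition.
ARN_RE = re.compile(r"arn:aws:(rds|secretsmanager):([a-z0-9-]+):(\d{12}):"
                    r"(cluster|secret):([A-Za-z0-9/_+=.@!-]+)")

def parse_arn(arn, service, rtype):
    """Split a concrete ARN; reject wildcards and the wrong service or type."""
    m = ARN_RE.fullmatch(arn)
    if not m or (m.group(1), m.group(4)) != (service, rtype):
        raise ValueError(f"not a concrete {service} {rtype} ARN: {arn!r}")
    return {"region": m.group(2), "account": m.group(3), "name": m.group(5)}

def scoped_policy(cluster_arn, secret_arn):
    """Same two actions as the page's policy, each tied to one resource."""
    cluster = parse_arn(cluster_arn, "rds", "cluster")
    secret = parse_arn(secret_arn, "secretsmanager", "secret")
    if cluster["account"] != secret["account"]:
        raise ValueError("cluster and secret belong to different accounts")
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "DataApiOnOneCluster", "Effect": "Allow",
         "Action": ["rds-data:ExecuteStatement"], "Resource": [cluster_arn]},
        {"Sid": "ReadOneSecret", "Effect": "Allow",
         "Action": ["secretsmanager:GetSecretValue"], "Resource": [secret_arn]}]}

def wildcard_resources(policy):
    """List every Resource in an Allow statement that contains * or ?."""
    found = []
    for stmt in policy["Statement"]:
        res = stmt.get("Resource", [])
        res = [res] if isinstance(res, str) else res
        if stmt.get("Effect") == "Allow":
            found += [r for r in res if "*" in r or "?" in r]
    return found

# Constructed sample ARNs (not real resources).
CLUSTER = "arn:aws:rds:us-west-2:111122223333:cluster:appstudio-demo"
SECRET = "arn:aws:secretsmanager:us-west-2:111122223333:secret:rds!cluster-demo-AbCdEf"

if __name__ == "__main__":
    print(wildcard_resources(PAGE_POLICY))
    print(json.dumps(scoped_policy(CLUSTER, SECRET), indent=2))
```

A role carrying the scoped policy can only be used by a connector that points at that cluster and secret, so each additional database needs its own policy or an extra pair of ARNs.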
To create an IAM role to give App Studio access to Aurora resources
- Sign in to the IAM console with a user that has permissions to create IAM roles. We recommend using the administrative user created in Create an administrative user for managing AWS resources.
- In the navigation pane of the console, choose Roles and then choose Create role.
- In Trusted entity type, choose Custom trust policy.
- Replace the default policy with the following policy to allow App Studio applications to assume this role in your account.

  You must replace 111122223333 with the AWS account number of the account used to set up the App Studio instance.

  ```json
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "AWS": "arn:aws:iam::111122223333:root"
        },
        "Action": "sts:AssumeRole",
        "Condition": {
          "StringEquals": {
            "aws:PrincipalTag/IsAppStudioAccessRole": "true"
          }
        }
      }
    ]
  }
  ```

  Choose Next.
- In Add permissions, search for and select the policy you created earlier (Aurora_AppStudio).

  For more information about using IAM policies with Aurora, including a list of managed policies and their descriptions, see Identity and Access Management for Amazon Aurora in the AWS Lambda Developer Guide.

  Choose Next.
- In Role details, provide a name and description.

  In Step 3: Add tags, choose Add new tag to add the following tag to provide App Studio access:

  Key: IsAppStudioDataAccessRole
  Value: true
- Choose Create role and make note of the generated Amazon Resource Name (ARN); you will need it when creating the Aurora connector in App Studio.
Create Aurora connector in App Studio
To create a connector for Aurora
- Navigate to App Studio.
- In the left-side navigation pane, choose Connectors in the Manage section. You will be taken to a page displaying a list of existing connectors with some details about each.
- Choose + Create connector.
- Choose the Amazon Aurora connector.
- Configure your connector by filling out the following fields:
  - Name: Enter a name for your Aurora connector.
  - Description: Enter a description for your Aurora connector.
  - IAM role: Enter the Amazon Resource Name (ARN) from the IAM role created in Create an IAM policy and role to give App Studio access to Aurora resources. For more information about IAM, see the IAM User Guide.
  - Secret ARN: Enter the secret ARN of the database cluster. For information about where to find the secret ARN, see Viewing the details about a secret for a DB cluster in the Amazon Aurora User Guide.
  - Region: Choose the AWS Region where your Aurora resources are located.
  - Database ARN: Enter the ARN of the database cluster. The ARN can be found in the Configuration tab of the database cluster, similar to the secret ARN.
  - Database type: Choose the database type, MySQL or PostgreSQL, that matches the type of database created in Create and configure Aurora resources.
  - Database name: Enter the name of the database, which can also be found in the Configuration tab of the database cluster.
  - Available tables: Select the tables you want to use with App Studio using this connector.
- Choose Next to review or define the entity mappings.
- Choose Create to create the Aurora connector. The newly created connector will appear in the Connectors list.
Required IAM permissions for Aurora
The following table contains the minimum permissions that an IAM role must contain to use Aurora resources with App Studio. For more information about creating customer managed policies and attaching them to an IAM role, see Create IAM policies (console).
Access type | Required permissions |
---|---|
Full access (Create, read, update, delete) |
|