Access to Amazon Relational Database Service (RDS)
This example shows you how to make an AWS RDS instance available to Border0 users. Border0 supports two authentication methods for RDS:
- Password authentication: the database performs all administration of user accounts. You create users with SQL statements such as CREATE USER, with the clause the DB engine requires for specifying passwords.
- IAM authentication: you authenticate to your DB instance using AWS Identity and Access Management (IAM) database authentication, which works with MySQL and PostgreSQL. With this method you don't need a password when you connect to a DB instance; instead, you use an authentication token.
To make the socket available, you need to run border0 socket connect or the Border0 Connector on a host with access to the database, for example an EC2 instance, or any host if the RDS database is configured to be publicly accessible.
Password Authentication
Create a new database socket
$ border0 socket create --name rdstest --type database --upstream_type mysql
┌──────────────────────────────────────┬─────────┬──────────────────────┬─────────┬──────────┬─────────────┐
│ SOCKET ID                            │ NAME    │ DNS NAME             │ PORT(S) │ TYPE     │ DESCRIPTION │
├──────────────────────────────────────┼─────────┼──────────────────────┼─────────┼──────────┼─────────────┤
│ 1c2aa2b8-c3a5-4514-a285-cd84f3c69b6f │ rdstest │ rdstest.e.border0.io │ 31352   │ database │             │
└──────────────────────────────────────┴─────────┴──────────────────────┴─────────┴──────────┴─────────────┘
Policies:
┌───────────────┬────────────────────────────┬───────────────────┐
│ POLICY NAME   │ POLICY DESCRIPTION         │ ORGANIZATION WIDE │
├───────────────┼────────────────────────────┼───────────────────┤
│ allow-border0 │                            │ Yes               │
│ allow-btt     │ Allow btt tests to connect │ Yes               │
└───────────────┴────────────────────────────┴───────────────────┘
And connect the socket using the database username/password:
$ border0 socket connect rdstest \
--host mysqltest.cluster-abcdefg01.eu-central-1.rds.amazonaws.com \
--port 3306 \
--upstream_username admin \
--upstream_password mysqltest \
--upstream_ca_filename global-bundle.pem
Welcome to Border0.com
rdstest - database://rdstest.e.border0.io
=======================================================
Logs
=======================================================
In this example we also added the optional upstream_ca_filename flag, pointing at the file that contains the root CA certificate for this database; border0 uses it to verify the database server certificate. You can download this file at https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem
You can now connect to this database:
$ border0 client db:mysql --host rdstest.e.border0.io
? what is the name of the database schema: mysql
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 47400
Server version: 8.1.0 MysocketSQL MySQL Community Server (GPL)
Copyright (c) 2000, 2022, Oracle and/or its affiliates.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql>
IAM Authentication
To make use of IAM authentication you first need to enable this feature for the RDS database, see https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.Enabling.html
Then make sure the identity you want to use has permissions to access the database, see: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.IAMPolicy.html
Next, create the IAM users in the database, see https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.DBAccounts.html
In this example we will use the identity of user Border0ConnectorUser.
MySQL> CREATE USER Border0ConnectorUser IDENTIFIED WITH AWSAuthenticationPlugin AS 'RDS';
Once we have our new user we can give it some privileges (the database-level grant needs the db_name.* form; a bare name would be read as a table name):
MySQL> GRANT ALL ON MyAwesomeDatabase.* TO 'Border0ConnectorUser'@'%';
MySQL> FLUSH PRIVILEGES;
In this example we will use the same socket and connect it with border0, this time with IAM authentication:
$ border0 socket connect rdstest \
--host mysqltest.cluster-abcdefg0123.eu-central-1.rds.amazonaws.com \
--port 3306 \
--upstream_username Border0ConnectorUser \
--aws-region eu-central-1 \
--rds-with-iam \
--upstream_ca_filename global-bundle.pem
Welcome to Border0.com
rdstest - database://rdstest.e.border0.io
=======================================================
Logs
=======================================================
The border0 CLI will try to get the AWS credentials from the well-known files and/or environment variables.
You can also specify them explicitly with the usual AWS environment variables, such as:
- AWS_PROFILE
- AWS_REGION
- AWS_ACCESS_KEY_ID
- AWS_SECRET_ACCESS_KEY
Should your environment use roles and policies, below is a simple policy you can attach to your instance role (taken from the AWS documentation linked above):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "rds-db:connect",
      "Resource": [
        "arn:aws:rds-db:*:123456789012:dbuser:*/Border0ConnectorUser"
      ]
    }
  ]
}
Border0 Connector
The above examples are also available in the Border0 Connector.
For example, a static socket using IAM authentication:
connector:
  name: "my-rds-connector"
credentials:
  token: YOURTOKENGOESHERE
sockets:
  - rds-mysql:
      port: 3306
      type: database
      host: mysqltest.cluster-abcdefg0123.eu-central-1.rds.amazonaws.com
      upstream_type: mysql
      upstream_user: Border0ConnectorUser
      rds_iam_auth: true
      aws_region: eu-central-1
With username and password:
connector:
  name: "my-rds-connector"
credentials:
  token: YOURTOKENGOESHERE
sockets:
  - rds-postgres:
      port: 5432
      type: database
      host: postgrestest.cluster-abcdefg0123.eu-central-1.rds.amazonaws.com
      upstream_type: postgres
      upstream_user: postgres
      upstream_password: postgrestest