Why can I not connect to an RDS Aurora DB via proxy?
I set up a PostgreSQL Aurora DB and a proxy via Terraform (code below), and it apparently runs fine. But for some reason I cannot connect to the DB via the proxy. The proxy claims it has no credentials for the role, yet if I connect to the DB directly everything is fine and the credentials work.
I tried this from a VPN and directly from an EC2 instance:
$ psql -h [aurora-endpoint] -p 5432 -d [database] -U admin
Password for user admin:
psql (13.3, server 11.9)
SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384, bits: 256, compression: off)
Type "help" for help.
[database]=>
That works, but when I try to connect to the proxy:
$ psql -h [proxy-endpoint] -p 5432 -d [database] -U admin
psql: error: FATAL: This RDS proxy has no credentials for the role cellwerkadmin. Check the credentials for this role and try again.
FATAL: This RDS proxy has no credentials for the role cellwerkadmin. Check the credentials for this role and try again.
Does anyone know what the problem is here?
Terraform code:
# Subnet group for Aurora
resource "aws_db_subnet_group" "aurora_sg_group" {
  name       = "aurora"
  subnet_ids = var.private_subnets_ids
  tags = {
    Name = "Subnet group for the Aurora DB"
  }
}

# RDS cluster parameter group for Aurora
resource "aws_rds_cluster_parameter_group" "aurora_eu_central_1" {
  name_prefix = "eu-central-1-aurora-postgres11-cluster-parameter-group"
  family      = "aurora-postgresql11"
  description = "eu-central-1-aurora-postgres11-cluster-parameter-group"
}

# Aurora RDS postgresql
module "aurora" {
  source = "../modules/terraform-aws-rds-aurora/"
  name   = "cellwerk-aurora"

  username               = data.aws_ssm_parameter.db_username.value
  create_random_password = false
  password               = data.aws_ssm_parameter.db_password.value

  engine                = "aurora-postgresql"
  engine_version        = "11.9"
  instance_type         = "db.r6g.large"
  instance_type_replica = "db.t3.medium"

  vpc_id                 = module.link_delivery_eu_central_1.vpc_id
  db_subnet_group_name   = "aurora"
  create_security_group  = false
  allowed_cidr_blocks    = concat(... subnets ) # elided in the question
  vpc_security_group_ids = [aws_security_group.rds.id]

  replica_count         = 1
  replica_scale_enabled = true
  replica_scale_min     = 1
  replica_scale_max     = 5

  monitoring_interval           = 60
  iam_role_name                 = "aurora-eu-central-1-enhanced-monitoring"
  iam_role_use_name_prefix      = false
  iam_role_description          = "eu-central-1 Aurora RDS enhanced monitoring IAM role"
  iam_role_path                 = "/autoscaling/"
  iam_role_max_session_duration = 7200

  apply_immediately   = true
  skip_final_snapshot = true

  db_parameter_group_name         = "aurora-postgresl11"
  db_cluster_parameter_group_name = aws_rds_cluster_parameter_group.aurora_eu_central_1.name
  enabled_cloudwatch_logs_exports = ["postgresql"]

  tags = {
    Owner       = "company"
    Environment = "production"
  }
}

# Proxy for Aurora
# Role the proxy assumes to fetch DB credentials from Secrets Manager
resource "aws_iam_role" "iam_proxy_eu_central_1" {
  name = "iam_proxy_eu_central_1"

  assume_role_policy = <<-EOF
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Action": "sts:AssumeRole",
        "Principal": {
          "Service": "rds.amazonaws.com"
        },
        "Effect": "Allow",
        "Sid": ""
      }
    ]
  }
  EOF
}

# Permissions to read the secret holding the DB credentials
resource "aws_iam_policy" "proxy_eu_central_1" {
  name        = "proxy-eu-central-1"
  path        = "/"
  description = "IAM policy for logging into the aurora db"

  policy = <<-EOF
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Action": [
          "secretsmanager:GetResourcePolicy",
          "secretsmanager:GetSecretValue",
          "secretsmanager:DescribeSecret",
          "secretsmanager:ListSecretVersionIds"
        ],
        "Resource": "arn:aws:secretsmanager:eu-central-1:[account]:secret:[company]/aurora-Pa40We",
        "Effect": "Allow"
      }
    ]
  }
  EOF
}

resource "aws_db_proxy" "proxy_eu_central_1" {
  name                = "proxy-eu-central-1"
  debug_logging       = true
  engine_family       = "POSTGRESQL"
  idle_client_timeout = 1800
  require_tls         = false # clients may connect to the proxy without TLS
  role_arn            = aws_iam_role.iam_proxy_eu_central_1.arn
  vpc_security_group_ids = [aws_security_group.rds.id]
  vpc_subnet_ids         = module.link_delivery_eu_central_1.private_subnets_ids

  auth {
    auth_scheme = "SECRETS"
    description = "allows the connection to the aurora db"
    iam_auth    = "DISABLED"
    secret_arn  = "arn:aws:secretsmanager:eu-central-1:[account]:secret:[company]/aurora-Pa40We"
  }

  tags = {
    Name = "aurora proxy"
  }
}

resource "aws_db_proxy_default_target_group" "proxy_eu_central_1" {
  db_proxy_name = aws_db_proxy.proxy_eu_central_1.name

  connection_pool_config {
    connection_borrow_timeout    = 120
    init_query                   = "SET x=1, y=2" # sample value from the provider docs, not a valid PostgreSQL SET statement
    max_connections_percent      = 100
    max_idle_connections_percent = 50
    session_pinning_filters      = ["EXCLUDE_VARIABLE_SETS"]
  }
}

resource "aws_db_proxy_target" "proxy_eu_central_1" {
  db_cluster_identifier = module.aurora.rds_cluster_id
  db_proxy_name         = aws_db_proxy.proxy_eu_central_1.name
  target_group_name     = aws_db_proxy_default_target_group.proxy_eu_central_1.name
}
Your aws_iam_policy has no effect. You forgot to attach it to the role:
resource "aws_iam_policy_attachment" "test-attach" {
  name       = "role-proxy-attachment"
  # the role resource in the question is named iam_proxy_eu_central_1
  roles      = [aws_iam_role.iam_proxy_eu_central_1.name]
  policy_arn = aws_iam_policy.proxy_eu_central_1.arn
}
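As an added illustration (not code from the question or the answers), a small Python model of the two conditions the proxy must satisfy to map a login to a stored secret: the proxy role must be allowed secretsmanager:GetSecretValue on the secret ARN (which a defined but unattached policy never grants), and the secret's "username" field must equal the DB role the client logs in as. The account id, secret body and the simplified IAM evaluator are constructed assumptions, not the AWS implementation.

```python
import fnmatch
import json

# Constructed sample data modelled on the question (account id and secret body are
# placeholders, not values from the page): the policy from the first answer, the
# proxy's auth block and the Secrets Manager secret it points at.
SECRET_ARN = "arn:aws:secretsmanager:eu-central-1:123456789012:secret:company/aurora-Pa40We"
PROXY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["secretsmanager:GetResourcePolicy", "secretsmanager:GetSecretValue",
               "secretsmanager:DescribeSecret", "secretsmanager:ListSecretVersionIds"],
    "Resource": "%s"
  }]
}""" % SECRET_ARN)
PROXY_AUTH = [{"auth_scheme": "SECRETS", "iam_auth": "DISABLED", "secret_arn": SECRET_ARN}]
SECRETS = {SECRET_ARN: {"username": "cellwerkadmin", "password": "<placeholder>"}}


def policy_allows(attached_policies, action, resource):
    """Simplified IAM evaluation: an explicit Deny wins, otherwise any matching Allow."""
    allowed = False
    for policy in attached_policies:
        for stmt in policy["Statement"]:
            actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
            resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
            if not any(fnmatch.fnmatchcase(action, a) for a in actions):
                continue
            if not any(fnmatch.fnmatchcase(resource, r) for r in resources):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def proxy_can_serve_login(attached_policies, auth_entries, secrets, login_user):
    """Return (ok, reason): the proxy role must be able to read each configured secret,
    and one secret's "username" must equal the DB role the client logs in as."""
    for entry in auth_entries:
        arn = entry["secret_arn"]
        if not policy_allows(attached_policies, "secretsmanager:GetSecretValue", arn):
            return False, f"proxy role is not allowed secretsmanager:GetSecretValue on {arn}"
        if secrets[arn]["username"] == login_user:
            return True, f"login {login_user} is served by {arn}"
    return False, f"This RDS proxy has no credentials for the role {login_user}"


if __name__ == "__main__":
    # With no policy attached (the question's state) the proxy cannot read the secret.
    print(proxy_can_serve_login([], PROXY_AUTH, SECRETS, "cellwerkadmin"))
    # After attaching the policy the login maps to the secret.
    print(proxy_can_serve_login([PROXY_POLICY], PROXY_AUTH, SECRETS, "cellwerkadmin"))
```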
I added the following trust relationship and changed the role (proxy) permissions that are automatically assigned to the Lambda function's role when an RDS proxy is attached under Lambda function / Configuration / Database proxies. This question doesn't specifically mention Terraform; this is not an IaC solution.
Trust relationship
AWS Tutorial
{
  "Sid": "",
  "Effect": "Allow",
  "Principal": {
    "Service": "rds.amazonaws.com"
  },
  "Action": "sts:AssumeRole"
}
AWSLambdaRDSProxyExecutionRole
The following policy uses the "*" character to match all DB instances and database accounts for a particular AWS account and AWS Region.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "rds-db:connect",
      "Resource": "arn:aws:rds-db:us-east-2:<account_number>:dbuser:*/*"
    }
  ]
}