David Spigelman asked:

Setting up AWS RDS database with MySQL

I'm pretty new to AWS, in general, and very new to RDS. I'm trying to set up an RDS database for use with a partner. The idea would be that I manage the back end stuff, and she'll manage the database pieces. To do this, though, I have a bunch of questions that I'm hoping to get help with:

  1. I can set up the database - no problem. But I'd like to set up an ODBC connection to it, and I don't see where to get the connection URL. (In other words, where do I point the ODBC connector, to reach the database?)
  2. Is the ODBC connection encrypted? If not, can it be? I'd rather not have the data traversing in cleartext.
  3. I would like to set up an IAM user to manage *some* databases. I'm assuming that the IAM user type I'm setting up is the App type, not the Console type. But I'm not sure.
  4. I'd like to make sure that this user has whatever access she needs for a set of databases that she's going to manage, but not necessarily for all databases. I'm assuming I do that with IAM Groups, but I'm not sure what I need to do for this.
  5. What permissions do I need to grant her account?
  6. Do I need separate IAM users for each client she's setting up a database for? What permissions do they need?

The information is out there, but it seems to be very scattered. Any help I can get would be appreciated.

theGhost_k8

1. I can set up the database - no problem. But I'd like to set up an ODBC connection to it, and I don't see where to get the connection URL. (In other words, where do I point the ODBC connector, to reach the database?)
> They call it "endpoint", you should point your connection to that string. You can find the database endpoint in the configuration section once you create the database.

2. Is the ODBC connection encrypted? If not, can it be? I'd rather not have the data traversing in cleartext.
> This will guide you for encrypted connections https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html

3. I would like to set up an IAM user to manage *some* databases. I'm assuming that the IAM user type I'm setting up is the App type, not the Console type. But I'm not sure.
> I am not quite sure of the question here, but database users are created inside the database.
> If you're talking about authenticating with an IAM user, then the following link can guide you: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.html


4. I'd like to make sure that this user has whatever access she needs for a set of databases that she's going to manage, but not necessarily for all databases. I'm assuming I do that with IAM Groups, but I'm not sure what I need to do for this.
What permissions do I need to grant her account?
> I think part of this question can be answered by the above link.
> When you say "Database", I am not sure if you're referring to the "Instance" that is launched.
> You can also configure per-user, per-database grants in the instance and have the authentication part left on the database itself.

5. Do I need separate IAM users for each client she's setting up a database for? What permissions do they need?
> Refer to the best practices document https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
> Per client should be the way to go. You can further increase granularity, maybe service- or resource-based.
> https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction_access-management.html

You might want to provide more information about what "clients" and what "apps" we are talking about.
E.g.: we have one application and multiple clients for it, with their individual databases;
one (application and database) has multiple deployments for different clients;
multiple applications / databases per client... clients going to manage their services... and so on....

Best wishes.
  1. I can set up the database - no problem. But I'd like to set up an ODBC connection to it, and I don't see where to get the connection URL. (In other words, where do I point the ODBC connector, to reach the database?)
Just click on your RDS instance, and you will find the endpoint and port under Connectivity and security.
Of course, you have to download the appropriate DB client drivers so that the option appears in your ODBC database list.
2. Is the ODBC connection encrypted? If not, can it be? I'd rather not have the data traversing in cleartext.
To encrypt the connection channel, you have to use SSL. Here's how to do it for each different database type:
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_MySQL.html#MySQL.Concepts.SSLSupport

3. I would like to set up an IAM user to manage *some* databases. I'm assuming that the IAM user type I'm setting up is the App type, not the Console type. But I'm not sure.

If you want the user to be able to manage databases programmatically, then you have to generate a programmatic access key pair.
Go to IAM, create a user, and then under Security credentials > Access keys, click on Create access key.
On the other hand, if you want them to manage the RDS from the management console, then simply create an IAM user and attach the appropriate permissions to it.

4. I'd like to make sure that this user has whatever access she needs for a set of databases that she's going to manage, but not necessarily for all databases. I'm assuming I do that with IAM Groups, but I'm not sure what I need to do for this. What permissions do I need to grant her account? Do I need separate IAM users for each client she's setting up a database for? What permissions do they need?
- No, IAM Groups are for grouping multiple user permissions together (if you have 10 users with the same permissions). What you need is a simple policy to attach to her IAM user.
- Concerning the needed permissions, you have to decide what permissions you want. Just go to the policy generator, type rds as the service, and decide what permissions you want to give (create db instance, create tables..).
Here's a screenshot.

In the db section in resources, specify the list of all db instances you want to give her access to.
Concerning the multiple databases, it depends on her application. If it's one application that needs access to all the database instances at once, then you do them in one IAM user. If each part of the website should have permission to only one db instance, then you create one IAM user for each db instance and attach the ARN of the database to that user, and you create a programmatic access key for each of those users.

hope this helps,
db
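
Both answers point to SSL/TLS for the ODBC connection. The following is an added example, not part of either answer: a small audit of a MySQL ODBC connection string that checks whether encryption and certificate verification are actually enforced. The `SSLMODE` and `SSLCA` parameter names assume MySQL Connector/ODBC 8.x; the endpoint, user and CA bundle path are constructed placeholders.

```python
# Added example: audit a MySQL ODBC connection string for TLS settings.
# Parameter names (SSLMODE, SSLCA) assume MySQL Connector/ODBC 8.x.

# Modes ranked by what they guarantee on the wire.
MODE_RANK = {"DISABLED": 0, "PREFERRED": 1, "REQUIRED": 2,
             "VERIFY_CA": 3, "VERIFY_IDENTITY": 4}

def parse_conn_str(conn_str):
    """Split 'KEY=value;KEY=value' into a dict with upper-cased keys."""
    pairs = (p.split("=", 1) for p in conn_str.split(";") if "=" in p)
    return {k.strip().upper(): v.strip() for k, v in pairs}

def audit_tls(conn_str):
    """Return a list of findings; an empty list means the string is acceptable."""
    opts = parse_conn_str(conn_str)
    mode = opts.get("SSLMODE", "").upper()
    findings = []
    if mode not in MODE_RANK:
        findings.append("SSLMODE not set: driver default may allow cleartext fallback")
    elif MODE_RANK[mode] < 2:
        findings.append(f"SSLMODE={mode}: connection can be unencrypted")
    elif mode == "REQUIRED":
        findings.append("SSLMODE=REQUIRED: encrypted, but server certificate is not verified")
    if MODE_RANK.get(mode, 0) >= 3 and not opts.get("SSLCA"):
        findings.append("SSLCA missing: no CA bundle to verify the RDS certificate against")
    return findings

# Constructed sample strings; the endpoint and CA path are placeholders.
ENDPOINT = "mydb.example.us-east-1.rds.amazonaws.com"
WEAK = f"DRIVER={{MySQL ODBC 8.0 Unicode Driver}};SERVER={ENDPOINT};PORT=3306;UID=app"
STRONG = WEAK + ";SSLMODE=VERIFY_IDENTITY;SSLCA=/path/to/rds-ca-bundle.pem"

if __name__ == "__main__":
    for name, s in (("weak", WEAK), ("strong", STRONG)):
        print(name, audit_tls(s) or "ok")
```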
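
The last answer describes attaching a policy to the partner's IAM user and listing only the DB instances she should manage. The following is an added example, not part of the answer: it builds such a policy and runs a simplified check showing that an unlisted instance and an unlisted action are not covered. The account ID, region, instance names and the chosen action set are constructed assumptions; the evaluator handles Allow statements and `*` wildcards only.

```python
import fnmatch
import json

# Constructed placeholders: account ID, region and instance names are not from the post.
ARN = "arn:aws:rds:us-east-1:123456789012:db:{}"
PARTNER_INSTANCES = [ARN.format("client-a-db"), ARN.format("client-b-db")]
# RDS actions that take a DB instance ARN as their resource (assumed action set).
PARTNER_ACTIONS = ["rds:ModifyDBInstance", "rds:RebootDBInstance",
                   "rds:StartDBInstance", "rds:StopDBInstance"]

def build_policy(instance_arns, actions):
    """IAM policy document allowing `actions` only on the listed DB instance ARNs."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "ManageListedInstancesOnly",
            "Effect": "Allow",
            "Action": sorted(actions),
            "Resource": sorted(instance_arns),
        }],
    }

def is_allowed(policy, action, resource):
    """Simplified evaluation: Allow statements and '*' wildcards only
    (no Deny, Condition or NotAction handling). Action names are case-insensitive."""
    for st in policy["Statement"]:
        if st["Effect"] != "Allow":
            continue
        if (any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in st["Action"])
                and any(fnmatch.fnmatchcase(resource, r) for r in st["Resource"])):
            return True
    return False

def overbroad(policy):
    """Return Sids of Allow statements whose Action or Resource is a bare wildcard."""
    return [st["Sid"] for st in policy["Statement"] if st["Effect"] == "Allow"
            and ({"*", "rds:*"} & set(st["Action"]) or "*" in st["Resource"])]

POLICY = build_policy(PARTNER_INSTANCES, PARTNER_ACTIONS)

if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))
    print(is_allowed(POLICY, "rds:RebootDBInstance", ARN.format("client-a-db")))
    print(is_allowed(POLICY, "rds:RebootDBInstance", ARN.format("internal-db")))
```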