
(aws-rds): grantConnect for IAM authentication provides invalid permissions (surface DbiResourceId)


DatabaseInstance has a method grantConnect for granting connect access to instance using IAM based authentication.

However, the DB resource ARN in the produced IAM policy is incorrect and doesn't work. Based on the documentation, the format for the resource in the IAM policy should be: arn:aws:rds-db:region:account-id:dbuser:DbiResourceId/db-user-name

The actual resource produced by grantConnect has the format: arn:aws:rds:region:account-id:db:DBInstanceId. Also, the function doesn't provide any parameter to define the DB username to be used in the policy.

Reproduction Steps

import { Stack, Construct, StackProps } from '@aws-cdk/core';
import {
  DatabaseInstance,
  DatabaseInstanceEngine,
  PostgresEngineVersion,
  Credentials,
} from '@aws-cdk/aws-rds';

import { IVpc } from '@aws-cdk/aws-ec2';
import { User } from '@aws-cdk/aws-iam';

export interface MyStackProps extends StackProps {
  vpc: IVpc;
}
export class MyStack extends Stack {
  constructor(scope: Construct, id: string, props: MyStackProps) {
    super(scope, id, props);

    const db = new DatabaseInstance(this, 'Instance', {
      engine: DatabaseInstanceEngine.postgres({ version: PostgresEngineVersion.VER_12_4 }),
      credentials: Credentials.fromGeneratedSecret('testuser'),
      vpc: props.vpc,
      port: 5432,
      iamAuthentication: true, // enable IAM database authentication on the instance
    });

    const user = new User(this, 'TestUser', {
      userName: 'testuser',
    });

    db.grantConnect(user); // emits the rds-db:connect statement shown below
  }
}

What did you expect to happen?

To create an IAM policy where the resource ARN would be according to the documentation, i.e. arn:aws:rds-db:region:account-id:dbuser:DbiResourceId/db-user-name

What actually happened?

Instead of the correct policy, the generated template contains the following definition:

{
  "Action": "rds-db:connect",
  "Effect": "Allow",
  "Resource": {
    "Fn::Join": [
      "",
      [
        "arn:",
        {
          "Ref": "AWS::Partition"
        },
        ":rds:",
        {
          "Ref": "AWS::Region"
        },
        ":",
        {
          "Ref": "AWS::AccountId"
        },
        ":db:",
        {
          "Ref": "InstanceC1063A87"
        }
      ]
    ]
  }
}

In addition to the format of the ARN being incorrect, the wrong DB identifier is used. The template uses the DB instance id, but the correct identifier is the DB resource id.

Environment

  • CDK CLI Version: 1.75.0
  • Framework Version: 1.75.0
  • Node.js Version: 12.18.3
  • OS: OSx
  • Language (Version): Typescript 4.1.2

Other

The support for the grantConnect was requested in this issue and added in this PR.

A comment in the original issue still stands, i.e. that the DB Resource Id is not accessible in CloudFormation.


This is 🐛 Bug Report
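The issue states what the correct ARN looks like and shows the incorrect statement the template actually contains. The following is an added example, not code from the issue or from the CDK project: it builds the rds-db:connect statement in the documented format, and it lints statements from a synthesized template (resolving the Ref and Fn::Join intrinsics with constructed values for the pseudo parameters and the logical id) so the broken arn:...:rds:...:db:... form is caught before deployment. The DbiResourceId, region and account values used are constructed placeholders.

```typescript
// Added example, not code from the issue or the CDK project.
// Documented format: arn:aws:rds-db:region:account-id:dbuser:DbiResourceId/db-user-name
type Json = string | number | boolean | null | Json[] | { [k: string]: Json };
const RDS_DB_USER_ARN = /^arn:[^:]+:rds-db:[^:]*:\d{12}:dbuser:[^/:]+\/[^/]+$/;

// The statement a correct grantConnect would emit for one DB user.
function connectStatement(partition: string, region: string, account: string,
                          dbiResourceId: string, dbUser: string): Record<string, string> {
  const arn = `arn:${partition}:rds-db:${region}:${account}:dbuser:${dbiResourceId}/${dbUser}`;
  return { Action: 'rds-db:connect', Effect: 'Allow', Resource: arn };
}

// Resolve Ref / Fn::Join as the synthesized template uses them, with constructed
// values for pseudo parameters and logical ids supplied by the caller.
function resolve(node: Json, refs: Record<string, string>): string {
  if (typeof node === 'string') return node;
  if (Array.isArray(node)) return node.map((n) => resolve(n, refs)).join('');
  if (node !== null && typeof node === 'object' && 'Ref' in node) {
    const name = node.Ref;
    if (typeof name !== 'string' || !(name in refs)) throw new Error(`unresolved Ref ${name}`);
    return refs[name];
  }
  if (node !== null && typeof node === 'object' && 'Fn::Join' in node) {
    const [sep, parts] = node['Fn::Join'] as [string, Json[]];
    return parts.map((p) => resolve(p, refs)).join(sep);
  }
  throw new Error(`unsupported node ${JSON.stringify(node)}`);
}

// Lint: resolved resources of rds-db:connect statements that do not match the
// documented dbuser ARN; the issue's arn:...:rds:...:db:... form is flagged.
function findBadConnectArns(statements: Json[], refs: Record<string, string>): string[] {
  const bad: string[] = [];
  for (const s of statements) {
    if (s === null || typeof s !== 'object' || Array.isArray(s)) continue;
    const actions = Array.isArray(s.Action) ? s.Action : [s.Action];
    if (!actions.includes('rds-db:connect')) continue;
    const resources = Array.isArray(s.Resource) ? s.Resource : [s.Resource];
    for (const r of resources) {
      const arn = resolve(r, refs);
      if (!RDS_DB_USER_ARN.test(arn)) bad.push(arn);
    }
  }
  return bad;
}

// Constructed copy of the statement from the issue's synthesized template.
const ISSUE_STATEMENT: Json = { Action: 'rds-db:connect', Effect: 'Allow', Resource: { 'Fn::Join': ['',
  ['arn:', { Ref: 'AWS::Partition' }, ':rds:', { Ref: 'AWS::Region' }, ':', { Ref: 'AWS::AccountId' },
   ':db:', { Ref: 'InstanceC1063A87' }]] } };
```

Running `findBadConnectArns` over the statements of a `cdk synth` output is a cheap guard against deploying a grant that can never match a connect request.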


Top GitHub Comments

5 reactions
clovent commented, May 24, 2021

Just ran into this problem, and this is very broken. Until this issue is fixed upstream in CFN it would be nice to update the documentation to reflect that the grantConnect() method is utterly broken and cannot be used, just to save future travelers some time debugging this.

Thanks to @jdvornek for the solution provided. In our case we needed to tweak it a little to make it work as we were not using Aurora clusters and the API response was slightly larger than 4k.

    import * as customresource from '@aws-cdk/custom-resources';

    // Looks up the DbiResourceId via the SDK, since CloudFormation does not expose it.
    // this.rdsInstance is the DatabaseInstance created elsewhere in the stack.
    const resourceId = new customresource.AwsCustomResource(this, 'RdsInstanceResourceId', {
      onCreate: {
        service: 'RDS',
        action: 'describeDBInstances',
        parameters: {
          DBInstanceIdentifier: this.rdsInstance.instanceIdentifier,
        },
        physicalResourceId: customresource.PhysicalResourceId.fromResponse('DBInstances.0.DbiResourceId'),
        // outputPath keeps only this field; the full DescribeDBInstances response exceeds the 4k response limit.
        outputPath: 'DBInstances.0.DbiResourceId',
      },
      policy: customresource.AwsCustomResourcePolicy.fromSdkCalls({
        resources: customresource.AwsCustomResourcePolicy.ANY_RESOURCE,
      }),
    });
    // Read the id with resourceId.getResponseField('DBInstances.0.DbiResourceId')
    // when building the arn:...:rds-db:...:dbuser:DbiResourceId/db-user-name resource.

Note the addition of outputPath to limit the amount of data returned. In our case, if this was omitted, the CFN update would fail and roll back with a cryptic "Response object is too long." error message.

5 reactions
mjgp2 commented, May 6, 2021

Is it possible for the CDK team to raise this with the CF team? I mean this is really broken.
