RDS Proxy IAM role unable to retrieve credentials from secret


I am trying to implement a proxy to our Aurora RDS instance, but having difficulty getting the IAM access to work properly. We have a microservice in an ECS container that is attempting to access the database. The steps I've followed so far:

  • Created a secret containing the DB credentials
  • Created the proxy with the following config options:
    • Engine compatibility: MySQL
    • Require TLS - enabled
    • Idle timeout: 20 minutes
    • Secret - Selected DB credential secret
    • IAM Role - Chose to create new role
    • IAM Authentication - Required
  • Modified the policy of the proxy IAM role as per the details on this page.
  • Enabled enhanced logging

When issuing GET requests to the microservice, I see the following in the CloudWatch logs:

Credentials couldn't be retrieved. The IAM role "arn:our-proxy-role" is not authorized to read the AWS Secrets Manager secret with the ARN "arn:our-db-credential-secret"

Another interesting wrinkle to all of this: I pulled up the policy simulator, selecting the RDS proxy role and all of the actions under the Secrets Manager service, and all actions show up as being allowed.

I would sincerely appreciate any kind of guidance to indicate what I'm missing here.

arn:our-proxy-role

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "rds-db:connect"
            ],
            "Resource": [
                "arn:aws:rds:us-east-1:ACCOUNT:dbuser:*/*"
            ]
        },
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetRandomPassword",
                "secretsmanager:CreateSecret",
                "secretsmanager:ListSecrets"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "secretsmanager:*",
            "Resource": [
                "arn:aws:our-db-credential-secret"
            ]
        },
        {
            "Sid": "GetSecretValue",
            "Action": [
                "secretsmanager:GetSecretValue"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:our-db-credential-secret"
            ]
        },
        {
            "Sid": "DecryptSecretValue",
            "Action": [
                "kms:Decrypt"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:kms:us-east-1:ACCOUNT:key/our-db-cluster"
            ],
            "Condition": {
                "StringEquals": {
                    "kms:ViaService": "secretsmanager.us-east-1.amazonaws.com"
                }
            }
        }
    ]
}

1 answer

Answer by GS-Scooter (BEST ANSWER):

The issue was related to security groups. I needed to specify an additional inbound rule to allow incoming traffic from itself so as to facilitate communication between resources that are part of the same security group.
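A preflight check covering both conditions raised in this thread, the proxy role's read access to the secret and the security group's self-referencing inbound rule, added here as an example and not part of the question or the answer. The policy, group description, ARNs, group ids and port are constructed placeholders shaped like the question's policy and an ec2:DescribeSecurityGroups result.

```python
# Added example (not from the question or answer): preflight checks for an RDS Proxy
# setup. Inputs are constructed to mirror the thread; ARNs, group ids and port are placeholders.
from fnmatch import fnmatchcase

SECRET_ARN = "arn:aws:secretsmanager:us-east-1:123456789012:secret:our-db-credential-secret"
PROXY_POLICY = {  # constructed: the question's Secrets Manager and KMS statements, condensed
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "secretsmanager:*", "Resource": [SECRET_ARN]},
        {"Effect": "Allow", "Action": ["kms:Decrypt"],
         "Resource": "arn:aws:kms:us-east-1:123456789012:key/our-db-cluster"},
    ],
}
PROXY_SG = {  # constructed: group shared by proxy and DB, inbound only from the ECS task group
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                       "UserIdGroupPairs": [{"GroupId": "sg-0fedcba9876543210"}]}],
}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def policy_allows(policy, action, resource):
    """True if an Allow statement matches action and resource (wildcards honoured).
    Deny statements and Conditions are ignored: a preflight, not a full IAM evaluator."""
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        if any(fnmatchcase(action, a) for a in _as_list(st["Action"])) and \
           any(fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            return True
    return False

def sg_allows_self(sg, port):
    """True if the group has an inbound rule on `port` sourced from the group itself."""
    for perm in sg["IpPermissions"]:
        if perm.get("IpProtocol") not in ("tcp", "-1"):
            continue
        if not perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535):
            continue
        if any(p.get("GroupId") == sg["GroupId"] for p in perm.get("UserIdGroupPairs", [])):
            return True
    return False

def preflight(policy, sg, secret_arn, port=3306):
    """Findings that would stop the proxy from fetching credentials or reaching the DB."""
    findings = []
    if not policy_allows(policy, "secretsmanager:GetSecretValue", secret_arn):
        findings.append("proxy role has no GetSecretValue on the DB secret")
    if not sg_allows_self(sg, port):
        findings.append(f"{sg['GroupId']} lacks a self-referencing inbound rule on tcp/{port}")
    return findings
```

Run against the constructed inputs, the policy passes (secretsmanager:* covers GetSecretValue on the secret) and the only finding is the missing self-referencing rule, which is the fix the answer describes.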