This project uses the AWS Cloud Development Kit (AWS CDK) to set up AWS Lambda functions, an Amazon EventBridge rule, an Amazon VPC endpoint for AWS IAM Identity Center (successor to AWS Single Sign-On), and the related security groups and permissions needed to automatically provision database users in an Amazon Relational Database Service (Amazon RDS) cluster.

When a new user is created in IAM Identity Center and belongs to the group specified in the `IAM_IDC_GROUP_NAME` variable, the EventBridge rule triggers the Lambda function, which creates a matching user in the specified Amazon RDS cluster. The user can then log in to the database with their SSO username and IAM credentials. Adding an existing user to the configured group triggers the Lambda function as well.
- The Amazon RDS cluster must be configured for IAM database authentication: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.html
- The Amazon RDS cluster must have a database user for the Lambda function. This user needs privileges to create users and to grant permissions.
- IAM Identity Center must be configured with a permission set that allows new users to connect to the RDS cluster using their username. The Lambda function creates the database user regardless of this permission, but the user will fail to authenticate unless it is present. You can find an example policy in `policies/iam-idc-allow-rds-connect.json`.
- When using the example policy, IAM Identity Center must be configured with the following attribute for access control: key `name`, value `${path:username}`. More on that here: https://docs.aws.amazon.com/singlesignon/latest/userguide/configure-abac.html
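As an added illustration (not the project's own Lambda code), this shows the statements such a provisioning function would issue on a MySQL-compatible cluster, treating the username that arrives from the identity provider as untrusted input; the allow-list pattern and the granted privileges are assumptions of this example, not settings the project prescribes.

```javascript
// Added example, not the project's code: build the SQL a provisioning Lambda would run to
// create an IAM-authenticated MySQL user. The IdP-supplied username is treated as untrusted.
const MYSQL_USER_MAX_LEN = 32;            // MySQL 5.7.8+ user name length limit
const USERNAME_RE = /^[A-Za-z0-9._-]+$/;  // conservative allow-list (assumption of this example)

// Reject anything that could break out of the quoted user name or exceed MySQL's limit.
function validateUsername(name) {
  if (typeof name !== 'string' || name.length === 0 || name.length > MYSQL_USER_MAX_LEN) {
    throw new Error('username must be 1..32 characters');
  }
  if (!USERNAME_RE.test(name)) {
    throw new Error('username contains characters outside the allow-list');
  }
  return name;
}

// Quote a MySQL string literal; defence in depth behind the allow-list above.
function quoteLiteral(value) {
  return "'" + value.replace(/\\/g, '\\\\').replace(/'/g, "\\'") + "'";
}

// Quote a schema name as a backtick identifier.
function quoteIdentifier(value) {
  return '`' + value.replace(/`/g, '``') + '`';
}

// Statements for one user. AWSAuthenticationPlugin makes the account accept an RDS IAM
// auth token instead of a password; REQUIRE SSL matches the TLS requirement of IAM tokens.
// The GRANT below is a placeholder privilege set chosen for this example.
function provisioningStatements(username, dbName) {
  const user = `${quoteLiteral(validateUsername(username))}@'%'`;
  const db = quoteIdentifier(dbName);
  return [
    `CREATE USER IF NOT EXISTS ${user} IDENTIFIED WITH AWSAuthenticationPlugin AS 'RDS'`,
    `ALTER USER ${user} REQUIRE SSL`,
    `GRANT SELECT, INSERT, UPDATE, DELETE ON ${db}.* TO ${user}`,
  ];
}
```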
AWS CDK uses the following environment variables:

- `CDK_DEFAULT_ACCOUNT`
- `CDK_DEFAULT_REGION`
- `CDK_ENV`

Set these variables before running CDK deployments, for example:

```shell
export CDK_DEFAULT_REGION=us-east-1
export CDK_DEFAULT_ACCOUNT=123456789123
export CDK_ENV=dev
```
The `cdk.json` file tells the CDK Toolkit how to execute your app. It is preconfigured with a `dev` context:

```json
"dev": {
  "IAM_IDC_GROUP_NAME": "DBA",
  "IAM_IDC_STORE_ID": null,
  "VPC_ID": "vpc-123bcde20",
  "RDS_DB_NAME": "test",
  "RDS_DB_USER": "sso_provisioner",
  "RDS_CLUSTER_ID": "database-1",
  "RDS_ACCOUNT_ID": null,
  "NOTIFICATION_EMAIL": null
}
```
`IAM_IDC_STORE_ID` and `RDS_ACCOUNT_ID` are optional: `CDK_DEFAULT_REGION` (from the environment) is used if not specified, and the IAM Identity Store ID is derived dynamically, since there can be only one Identity Store in an AWS account.
You can configure notifications using the `NOTIFICATION_EMAIL` variable (`null` means notifications are disabled). When it is set, AWS CDK provisions an additional Lambda function and an Amazon SNS topic with a subscription for the specified e-mail address in a separate AWS CDK stack. If user provisioning fails, Lambda sends the failure details to the topic using Lambda destinations. For the e-mail notifications to work, you have to confirm the subscription to the Amazon SNS topic.
To deploy the stacks, run:

```shell
cdk deploy --all
```

To destroy the stacks, run:

```shell
cdk destroy --all
```
When a new DBA user is created in the SSO identity provider, they will be able to authenticate to the RDS cluster once the prerequisites are satisfied. They can use the `aws` CLI in combination with the standard `mysql` client to log in.

- Set up your environment with SSO (one-time process). You will need to specify the default region, the SSO start URL and other parameters. After that, you will be able to log in using IAM Identity Center:

  ```shell
  aws configure sso
  ```

- Log in using your SSO credentials. This will redirect you to a web page where you can enter your SSO credentials and allow access from the CLI:

  ```shell
  aws sso login
  ```

- Retrieve a token for IAM authentication with RDS using your SSO username. Replace `sso_profile_name`, `rds_endpoint`, `username` and, if needed, the port with the correct values:

  ```shell
  TOKEN="$(aws --profile {sso_profile_name} rds generate-db-auth-token --hostname {rds_endpoint} --port 3306 --username {username})"
  ```

- Download the latest certificate for RDS (one-time procedure):

  ```shell
  wget https://s3.amazonaws.com/rds-downloads/rds-ca-2019-root.pem
  ```

- Log in using the `mysql` client. Replace `rds_endpoint` and `username` with the respective values:

  ```shell
  mysql -h {rds_endpoint} -u {username} --password="$TOKEN" --port=3306 --ssl-ca=rds-ca-2019-root.pem
  ```
- `npm run build` compiles TypeScript to JavaScript
- `npm run watch` watches for changes and compiles
- `cdk deploy` deploys this stack to your AWS account
- `cdk diff` compares the deployed stack with the current state
- `cdk synth` emits the synthesized CloudFormation template
- `cdk destroy` deletes this stack from your AWS account