
[rds] Add grant Method to Access the Data API for Aurora Serverless #10744

Closed
1 of 2 tasks
asterikx opened this issue Oct 6, 2020 · 1 comment · Fixed by #10748
Labels: @aws-cdk/aws-rds (Related to Amazon Relational Database), feature-request (A feature should be added or improved.), needs-triage (This issue or PR still needs to be triaged.)

Comments

@asterikx
Contributor

asterikx commented Oct 6, 2020

Adding a grant method to the ServerlessCluster construct to grant resources (e.g. Lambda functions) access to the [Data API for Aurora Serverless](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/data-api.html).

Use Case

Granting Lambda functions access to the Data API.

Proposed Solution

Add a grantDataApi method which grants the grantee the minimum required permissions to access the Data API, see Authorizing access to the Data API for more details.

While Authorizing access to the Data API lists "minimum required permissions", wildcards can be restricted to the resource in question. The grantDataApi method would only grant invoke permissions for the Data API.

Furthermore, access to the secret associated with the cluster must be granted separately to the grantee (e.g. Lambda function) via cluster.secret.grantRead(grantee).

Other

  • 👋 I may be able to implement this feature request
  • ⚠️ This feature might incur a breaking change

This is a 🚀 Feature Request

@asterikx asterikx added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Oct 6, 2020
@github-actions github-actions bot added the @aws-cdk/aws-rds Related to Amazon Relational Database label Oct 6, 2020
asterikx added a commit to asterikx/aws-cdk that referenced this issue Oct 6, 2020
@mergify mergify bot closed this as completed in #10748 Nov 5, 2020
mergify bot pushed a commit that referenced this issue Nov 5, 2020
This PR adds a `grantDataApi` method to `IServerlessCluster` to grant access to the Data API.

The "minimum required permissions" to access the Data API are listed [here](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/data-api.html#data-api.access).

This PR further restricts the IAM policy statement to the specific cluster (in favor of wildcarding).

Read access to the cluster secret must be granted separately via the secret's `grantRead` method.

TBH, the `secretmanager` actions included in the two IAM policy statements in the [official documentation](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/data-api.html#data-api.access) are rather confusing to me:

* I don't know why the resource name of the resource listed in "SecretsManagerDbCredentialsAccess" statement has a `rds-db-credentials` prefix. That prefix is not present in
* I don't know what the `secretmanager` actions in the "RDSDataServiceAccess" statement are for


closes #10744 

BREAKING CHANGE: Serverless cluster `enableHttpEndpoint` renamed to `enableDataApi`

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
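The issue's proposed solution and the PR description above describe the same least-privilege shape: the Data API actions scoped to one cluster ARN instead of `*`, with read access to the cluster secret granted separately. The following is an added example, not aws-cdk code and not the implementation from #10748: it models that policy in plain TypeScript and adds a defender-side check that reports any `rds-data` or `secretsmanager` action a policy grants on a wildcard resource. The `rds-data` action names are the ones the linked Data API documentation lists; the two Secrets Manager actions are an assumption about what the secret's `grantRead` produces; the ARNs are constructed sample values.

```typescript
// Added example (not part of aws-cdk): models the cluster-scoped Data API grant
// the issue asks for and checks a policy document for wildcard grants.

// Actions the Data API documentation lists as required (real rds-data actions;
// the page links to the list rather than reproducing it).
const DATA_API_ACTIONS: readonly string[] = [
  "rds-data:BatchExecuteStatement",
  "rds-data:BeginTransaction",
  "rds-data:CommitTransaction",
  "rds-data:ExecuteStatement",
  "rds-data:RollbackTransaction",
];

// Assumption: what an equivalent of `secret.grantRead(grantee)` allows.
const SECRET_READ_ACTIONS: readonly string[] = [
  "secretsmanager:GetSecretValue",
  "secretsmanager:DescribeSecret",
];

interface Statement {
  Sid: string;
  Effect: "Allow" | "Deny";
  Action: string[];
  Resource: string[];
}

interface PolicyDocument {
  Version: "2012-10-17";
  Statement: Statement[];
}

// Equivalent of the proposed grantDataApi: rds-data actions on exactly one cluster ARN.
// Rejects anything that is not a cluster ARN so a "*" can never slip in here.
function dataApiStatement(clusterArn: string): Statement {
  if (!/^arn:aws:rds:[a-z0-9-]+:\d{12}:cluster:[A-Za-z0-9-]+$/.test(clusterArn)) {
    throw new Error(`not an Aurora cluster ARN: ${clusterArn}`);
  }
  return { Sid: "RDSDataServiceAccess", Effect: "Allow", Action: [...DATA_API_ACTIONS], Resource: [clusterArn] };
}

// The separate secret grant the issue says must accompany the Data API grant.
function secretReadStatement(secretArn: string): Statement {
  return { Sid: "SecretsManagerDbCredentialsAccess", Effect: "Allow", Action: [...SECRET_READ_ACTIONS], Resource: [secretArn] };
}

// Full grantee policy: Data API on the cluster plus read on its secret.
function buildGranteePolicy(clusterArn: string, secretArn: string): PolicyDocument {
  return { Version: "2012-10-17", Statement: [dataApiStatement(clusterArn), secretReadStatement(secretArn)] };
}

// Review check: which rds-data / secretsmanager actions does a policy allow on a
// wildcard resource? An empty result means every grant is scoped to a named resource.
function wildcardGrants(doc: PolicyDocument): string[] {
  const hits: string[] = [];
  for (const s of doc.Statement) {
    if (s.Effect !== "Allow") continue;
    const wild = s.Resource.some((r) => r === "*" || r.endsWith(":*"));
    if (!wild) continue;
    for (const a of s.Action) {
      if (a.startsWith("rds-data:") || a.startsWith("secretsmanager:")) hits.push(a);
    }
  }
  return hits;
}

// Constructed sample values (not a real account, cluster or secret).
const SAMPLE_CLUSTER_ARN = "arn:aws:rds:us-east-1:123456789012:cluster:example-serverless";
const SAMPLE_SECRET_ARN = "arn:aws:secretsmanager:us-east-1:123456789012:secret:rds-db-credentials/example-AbCdEf";

// The shape the issue argues against: the same actions, but allowed on "*".
const WILDCARD_DOC: PolicyDocument = {
  Version: "2012-10-17",
  Statement: [{ Sid: "RDSDataServiceAccess", Effect: "Allow", Action: [...DATA_API_ACTIONS], Resource: ["*"] }],
};

console.log(JSON.stringify(buildGranteePolicy(SAMPLE_CLUSTER_ARN, SAMPLE_SECRET_ARN), null, 2));
console.log("wildcard grants in scoped policy:", wildcardGrants(buildGranteePolicy(SAMPLE_CLUSTER_ARN, SAMPLE_SECRET_ARN)));
console.log("wildcard grants in wildcard policy:", wildcardGrants(WILDCARD_DOC));
```

The `wildcardGrants` check is the part worth keeping around: run it over synthesized CloudFormation policies in a CDK assertion test and it flags the `Resource: "*"` form that the documentation's sample statement uses, which is exactly the form the issue wants the construct to avoid.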
@github-actions

github-actions bot commented Nov 5, 2020

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.
