I have a couple of ECS tasks (Fargate, executed via a Lambda function) that need to connect to an RDS instance. Each of the tasks has its own role defining policies to (for example) access S3 buckets.
Each of my tasks also has its own security group.
I can now whitelist each and every task's security group on the RDS instance, but this is cumbersome since new tasks are added on a daily basis.
I thought it must be possible to add a policy that allows access to the RDS (as described in the docs):
    - PolicyName: RDSAccess
      PolicyDocument:
        Statement:
          - Effect: Allow
            Action:
              - rds-db:connect
            Resource: 'arn:aws:rds-db:REGION:ID:dbuser:DB_ID/DB_USER'
Unfortunately this does not work: I still cannot connect to the database.
As mentioned before: when explicitly adding each task's security group to the RDS instance, I can connect to the DB without issues.
Two questions:
This policy enables you to use the CLI to generate temporary credentials as a specific IAM user/role; you will still need inbound access via the network to connect.
If you want to simplify this process to connect, there are two options for the security groups you can use:
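As an added illustration (not part of the answer above), one way to grant the inbound network access without listing every task: a single shared security group that every task is attached to, referenced by id as the source in the RDS security group's ingress rule. The `VpcId` parameter, the logical resource names and PostgreSQL's port 5432 are assumptions.

```yaml
# Added example, not from the original question or answer. Assumes a VpcId
# parameter, PostgreSQL on port 5432 and the logical names used below.
Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id

Resources:
  # One shared security group that every ECS task joins. Add it to each
  # task's NetworkConfiguration (AwsvpcConfiguration.SecurityGroups)
  # alongside the task's own group; it needs no ingress rules of its own.
  DbClientSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Tasks allowed to reach the RDS instance
      VpcId: !Ref VpcId

  # The database's security group. The ingress rule references the client
  # group by id rather than by IP, so new tasks need no change here and
  # only members of that group can reach the database port.
  DbSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: RDS instance
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 5432
          ToPort: 5432
          SourceSecurityGroupId: !Ref DbClientSecurityGroup
```

The rds-db:connect policy from the question still applies on top of this; the security group controls reachability, the policy controls who may generate an IAM auth token.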