Referring to the doc https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.Connecting.AWSCLI.html, below command can be used to generate auth token for a user and use it to login to the database
aws rds generate-db-auth-token \
--hostname rdsmysql.123456789012.us-west-2.rds.amazonaws.com \
--port 3306 \
--region us-west-2 \
--username jane_doe
I have a number of RDS IAM DB users like read only, application user, admin user etc.
My question is how do I restrict, lets say AWS developer roles to only be able to generate auth token like above for a read only DB username and not admin usernames. If someone needs to generate auth token for admin users, they need to use a different AWS role to do that. I have a pattern like all read only users will be of format *_ro, all admins will be of format *_admin.
What policy can I use to achieve this? Any examples would really help.
I don't currently have an RDS with IAM Auth enabled, but you can try something like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "rds-db:connect",
"Resource": "arn:aws:rds-db:*:ACCOUNT_ID:dbuser:*/*_ro"
}
]
}
rds-db:connect is the policy that enables the token generation, and you can filter on it directly on the resource path.