你必须创造
generate-db-auth-token
与你
db_userx
来自IAM策略
db-auth-token
将是你的
PGPASSWORD
export RDSHOST="MYRDSHOSTNAME.us-east-2.rds.amazonaws.com"
export PG_USER="db_userx"
export PGPASSWORD="$(aws rds generate-db-auth-token --hostname $RDSHOST --port 5432 --region us-west-2 --username $PG_USER )"
而且比:
psql "host=$RDSHOST port=5432 sslmode=verify-full sslrootcert=./rds-combined-ca-bundle.pem dbname=db_roles_test user=$PG_USER"
这是正确的
德库
CREATE USER db_userx WITH LOGIN;
GRANT rds_iam TO db_userx;
du的输出
List of roles
Role name | Attributes | Member of
----------------------+------------------------------------------------+--------------------------------------------------------------
db_userx | | {rds_iam}
pg_monitor | Cannot login | {pg_read_all_settings,pg_read_all_stats,pg_stat_scan_tables}
pg_read_all_settings | Cannot login | {}
pg_read_all_stats | Cannot login | {}
pg_signal_backend | Cannot login | {}
pg_stat_scan_tables | Cannot login | {}
rds_iam | Cannot login | {}
rds_password | Cannot login | {}
rds_replication | Cannot login | {}
rds_superuser | Cannot login | {pg_monitor,pg_signal_backend,rds_replication,rds_password}
rdsadmin | Superuser, Create role, Create DB, Replication+| {}
| Password valid until infinity |
rdsrepladmin | No inheritance, Cannot login, Replication | {}
root | Create role, Create DB +| {rds_superuser}
因此,您可以通过
CREATE USER <you_user_name> WITH LOGIN;
小心
Authentication tokens have a lifespan of 15 minutes
所以,在这一切之后,
AWS Resource
与您的策略将有权访问rds数据库。
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"rds-db:connect"
],
"Resource": [
"arn:aws:rds-db:us-east-2:MYAWSROOTACCOUNTID:dbuser:*/db_userx"
]
}
]
}
