RDS PostgreSQL (IAM)
Last modified on September 17, 2024
Overview
A datasource consists of a database resource and the credentials used to access it. This guide describes how to add an RDS PostgreSQL database as a datasource in the StrongDM Admin UI using IAM.
Prerequisites
To add a datasource, make sure you have met the following prerequisites:
- Properly configure an account for your database resource. If you choose to store credentials for the resource with StrongDM, have those credentials ready. When not using StrongDM, set up a Secret Store integration and be able to enter the location of the secrets required to access the resource.
- The hostname or endpoint you enter for your resource must be accessible by at least one gateway or relay. To verify this, log in to the gateway or relay and use the
nc -zv <YOUR_HOSTNAME> <YOUR_PORT>Netcat command. For example, usenc -zv testdb-01.fancy.org 5432. If your gateway server can connect to this hostname, you can proceed.
-z flag to check for listeners without sending data and the -v flag to show verbose output. If you do not have Netcat, you can use a package manager such as APT (Advanced Package Tool) to install it. On Linux-based distributions, run apt-get install netcat.Resource Setup
Some setup steps are required to prepare an Aurora PostgreSQL (IAM) resource to receive connections via StrongDM.
- The AWS administrator should enable IAM authentication for the target PostgreSQL cluster in the AWS Management Console. This can be done at creation, or be modified at a later time. This is done by locating the Database authentication setting and choosing the option Password and IAM database authentication.
- A PostgreSQL administrator needs to log in to the database and grant the
rds_iampermission either to an existing user or a newly created user for use with StrongDM. For example,GRANT rds_iam TO db_userxwheredb_userxis the username. - Finally, the AWS administrator needs to add an IAM policy to the IAM role that is attached to the gateway/relay to allow access.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"rds-db:connect"
],
"Resource": [
"arn:aws:rds-db:us-east-2:1234567890:dbuser:cluster-ABCDEFGHIJKL01234/db_userx"
]
}
]
}
Add a Datasource
To add your new RDS PostgreSQL (IAM) database as a StrongDM datasource, use the following steps.
- Log in to the Admin UI.
- Go to Resources > Datasources.
- Click Add datasource.
- Select RDS PostgreSQL (IAM) as the Datasource Type and set other configuration properties for your new database resource.
- Complete all required fields.
- Click Create to save the resource.
- Click the resource name to view status, diagnostic information, and setting details.
Resource properties
Configuration properties are visible when you add a datasource or when you click to view its settings. The following table describes the settings available for your RDS PostgreSQL (IAM) database.
| Property | Requirement | Description |
|---|---|---|
| Display Name | Required | Meaningful name to display the resource throughout StrongDM; exclude special characters like quotes (") or angle brackets (< or >) |
| Datasource Type | Required | Select RDS PostgreSQL (IAM) |
| Hostname | Required | Hostname for your resource; must be accessible to a gateway or relay |
| Port | Required | Port to use when connecting to your RDS PostgreSQL (IAM) database; default port value is 5432 |
| Port Override | Read only | Automatically generated with a value between 1024-59999 as long as that port is not used by another resource; preferred port can be modified later under Settings > Port Overrides |
| Database | Required | Database name you would like to connect to using this datasource |
| Secret Store | Optional | Credential store location; defaults to Strong Vault; learn more about Secret Store options |
| Username | Required | Username to utilize when connecting to this datasource; displays when Secret Store integration is not configured for your organization or when StrongDM serves as the Secret Store type |
| Username (path) | Required | Path to the secret in your Secret Store location (for example, path/to/credential?key=optionalKeyName where key argument is optional); required when using a non-StrongDM Secret Store type |
| Override Database | Optional | By default, StrongDM limits all connections to the configured database. Uncheck the box to disable this option. If this option is deselected, the value entered in the Database field is only used for healthchecks, not for user connections. When accessing the database via StrongDM, users need to explicitly pass the database name they wish to connect to in the connection string. If they do not, the value of the Username field is passed in as the database name. This is the default behavior of the database type. |
| Region | Required | AWS region to connect to (for example, us-west-2) |
| Assume Role ARN | Optional | Role ARN, such as arn:aws:iam::000000000000:role/RoleName, that allows users accessing this resource to assume a role using AWS AssumeRole |
| Resource Tags | Optional | Datasource tags consisting of key-value pairs <KEY>=<VALUE> (for example, env=dev) |
Secret Store options
By default, datasource credentials are stored in StrongDM. However, these credentials can also be saved in a secrets management tool.
Non-StrongDM options appear in the Secret Store dropdown if they are created under Network > Secret Stores. When you select another Secret Store type, its unique properties display. For more details, see Configure Secret Store Integrations.
Resource status
After a resource is created, the Admin UI displays that resource as unhealthy until the healthchecks run successfully. When the resource is ready, the Health icon indicates a positive, green status.
When the resource does not display a positive status, click the resource name to go to the Diagnostics tab and check for errors.