What's the @aws-cdk/rds equivalent of add-role-to-db-instance (lambda invoke from postgres rds instance)?

[lamontadams]

Hi all -

I'm looking at implementing the steps outlined at https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/PostgreSQL-Lambda.html on an existing RDS instance via a cdk script, and I've figured out how to use fromDatabaseInstanceAttributes to look up the instance, and have added the correct policy to a new role, but I am stumped at this step in the documentation:

aws rds add-role-to-db-instance \
       --db-cluster-identifier my-cluster-name \
       --feature-name Lambda \
       --role-arn  arn:aws:iam::444455556666:role/rds-lambda-role   \
       --region aws-region 

There doesn't seem to be a method I can find on IDatabaseInstance that will add a role to the instance - there's no role attribute or addRole or even addToRoleProperty methods I can find.

I thought it might be as simple as grantInvoke on the lambda Function I'm creating, but IDatabaseInstance doesn't seem to implement IGrantable so that's no good either.

Am I missing something, or is this just not possible to do?

[denisdifazio]

Since the underlying CloudFormation resource AWS::RDS::DBInstance has the AssociatedRoles property that refers to roles associated with the DB instance, it's possible to modify the CDK resource using the node field:

  const instanceRole = new iam.Role(this, 'RDSLambdaRole', {
    assumedBy: new iam.ServicePrincipal('rds.amazonaws.com'),
    roleName: 'rds-lambda-role',
    description: 'Give RDS Postgres instance permission to invoke lambda',
    inlinePolicies: {
      InstanceConnectPolicy: new iam.PolicyDocument({
        statements: [
          new iam.PolicyStatement({
            effect: iam.Effect.ALLOW,
            actions: ['lambda:InvokeFunction'],
            resources: [
              `arn:aws:lambda:${Stack.of(this).region}:${Stack.of(this).account}:function:${lambdaName}`,
            ],
          }),
        ],
      }),
    },
  });

  const instance = new rds.DatabaseInstance(this, 'Instance', { ... });

  const cfnInstance = instance.node.defaultChild as rds.CfnDBInstance;

  cfnInstance.associatedRoles = [
    {
      featureName: 'Lambda', // supported FeatureNames: ["Lambda", "s3Export", "s3Import"]
      roleArn: instanceRole.roleArn,
    },
  ];

[revmischa]

Is there a way to do this on Aurora serverless?
I get this error:

 Resource handler returned message: "You currently can't add a role to Aurora Serverless DB Cluster 

[pahud]

Is there a way to do this on Aurora serverless? I get this error:

 Resource handler returned message: "You currently can't add a role to Aurora Serverless DB Cluster 

You need to check the properties of the underlying CFN resource. For Aurora Serverless v1 created with the ServerlessCluster construct, the L1 resource is CfnDbCluster, which is AWS::RDS::DBCluster in CFN and there's a AssociatedRoles prop in this CFN resource.

However, if you dive into the source of the ServerlessCluster, the associatedRoles prop is not yet implemented. The best option is to create a pull request to add this in ServerlessClusterProps so we can specify the associated iam roles for ServerlessCluster. Before that, you can addPropertyOverride as raw overrides describe in the doc to achieve that. Make sure you run cdk synth to check the CFN resource to ensure the AssociatedRoles CFN prop is successfully added.

[pahud]

Sorry I was wrong. The AWS::RDS::DBCluster resource allows you to specify associated roles but not for Aurora Serverless v1.

You can't attach an IAM role to an Aurora Serverless v1 DB cluster.

https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/aurora-serverless.html

[rtcpw]

How can I make this work for RDS instance that has been imported into the stack via fromLookup? The defaultChild is undefined for me.

[nsb413]

Used AwsSdkCall AwsCustomResource. Works as expected.

cr.NewAwsCustomResource(stack, jsii.String("customResource-AddRoleToDBCluster"), &cr.AwsCustomResourceProps{
		OnUpdate: &cr.AwsSdkCall{
			Service: jsii.String("RDS"),
			Action:  jsii.String("addRoleToDBCluster"),
			Parameters: map[string]interface{}{
				"DBClusterIdentifier": jsii.String(*rds.ClusterIdentifier()),
				"RoleArn":             jsii.String(*rdsIamRole.RoleArn()),
				"FeatureName":         jsii.String("Lambda"),
			},
			PhysicalResourceId: cr.PhysicalResourceId_Of(jsii.String("....")),
		},
		Policy: cr.AwsCustomResourcePolicy_FromStatements(
			&[]iam.PolicyStatement{
				iam.NewPolicyStatement(&iam.PolicyStatementProps{
					Actions: &[]*string{
						jsii.String("rds:AddRoleToDBCluster"),
					},
					Resources: &[]*string{
						jsii.String("*"),
					},
				},
				),
				iam.NewPolicyStatement(&iam.PolicyStatementProps{
					Actions: &[]*string{
						jsii.String("iam:PassRole"),
					},
					Resources: &[]*string{
						jsii.String(*rdsIamRole.RoleArn()),
					},
				},
				),
			},
		),
	},
	)

[rupalimishra-v2]

@denisdifazio please help
How can I do it via CFT?

Below is my CFT template -
Resources:

RDSLambdaRole:
Type: AWS::IAM::Role
Properties:
RoleName: RDSLambdaRole
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service:
- rds.amazonaws.com
Action:
- sts:AssumeRole

RDSLambdaPolicy:
Type: AWS::IAM::Policy
Properties:
PolicyName: RDSLambdaPolicy
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- lambda:InvokeFunction
Resource: "*"
Roles:
- !Ref RDSLambdaRole

DBInstance:
Type: AWS::RDS::DBInstance
Properties:
DBName: dbname
Engine: postgres
MasterUsername: dbuser
DBInstanceClass: db.t3.micro
DBInstanceIdentifier: artifacts
AllocatedStorage: 5
MasterUserPassword: qwert1234
AssociatedRoles:
- FeatureName: Lambda
RoleArn: !Ref RDSLambdaRole

On creating cft stack the policy and roles are getting created successfully, but while creating DB instance I am getting error -

Resource handler returned message: "Invalid Role ARN: RDSLambdaRole (Service: Rds, Status Code: 400, Request ID: 5b195e93-50a2-4f75-9273-017742ea82d1)" (RequestToken: 87408e5d-e0c1-5ac7-e994-178614b014e3, HandlerErrorCode: InvalidRequest)

[rtcpw]

Used AwsSdkCall AwsCustomResource. Works as expected.

cr.NewAwsCustomResource(stack, jsii.String("customResource-AddRoleToDBCluster"), &cr.AwsCustomResourceProps{
		OnUpdate: &cr.AwsSdkCall{
			Service: jsii.String("RDS"),
			Action:  jsii.String("addRoleToDBCluster"),
			Parameters: map[string]interface{}{
				"DBClusterIdentifier": jsii.String(*rds.ClusterIdentifier()),
				"RoleArn":             jsii.String(*rdsIamRole.RoleArn()),
				"FeatureName":         jsii.String("Lambda"),
			},
			PhysicalResourceId: cr.PhysicalResourceId_Of(jsii.String("....")),
		},
		Policy: cr.AwsCustomResourcePolicy_FromStatements(
			&[]iam.PolicyStatement{
				iam.NewPolicyStatement(&iam.PolicyStatementProps{
					Actions: &[]*string{
						jsii.String("rds:AddRoleToDBCluster"),
					},
					Resources: &[]*string{
						jsii.String("*"),
					},
				},
				),
				iam.NewPolicyStatement(&iam.PolicyStatementProps{
					Actions: &[]*string{
						jsii.String("iam:PassRole"),
					},
					Resources: &[]*string{
						jsii.String(*rdsIamRole.RoleArn()),
					},
				},
				),
			},
		),
	},
	)

I have attempted something similar, but it doesn't work for updates. If the role ARN or instance identifier change, there is sort of a permission race condition and it won't be able to remove the old role and throw an error during deployment.

[github-actions[bot]]

Hello! Reopening this discussion to make it searchable.