| 1 | +--- |
| 2 | +title: Cross-Account Authentication in Single Account |
| 3 | +--- |
| 4 | + |
| 5 | +When you have only one AWS account, you can still test the cross-account authentication feature by creating separate IAM roles that simulate a multi-account setup. This guide walks through creating two roles that demonstrate the authentication flow. |
| 6 | + |
| 7 | +## What We're Building |
| 8 | + |
| 9 | +In production cross-account setups: |
| 10 | +- **Account A** hosts Bytebase on an EC2 instance |
| 11 | +- **Account B** hosts the RDS database |
| 12 | +- Bytebase assumes a role in Account B to access the database |
| 13 | + |
| 14 | +For testing in a single account, we'll create: |
| 15 | +- **Role 1**: `bytebase-instance-role` (simulates Account A's EC2 role) |
| 16 | +- **Role 2**: `bytebase-target-db-role` (simulates Account B's database access role) |
| 17 | + |
| 18 | +## Prerequisites |
| 19 | + |
| 20 | +- An EC2 instance where Bytebase will run |
| 21 | +- An RDS instance with IAM authentication enabled |
| 22 | +- IAM admin permissions to create roles and policies |
| 23 | + |
| 24 | +## Step 1: Set Up the EC2 Instance Role |
| 25 | + |
| 26 | +This role will be attached to your EC2 instance running Bytebase. |
| 27 | + |
| 28 | +### Create the Role |
| 29 | + |
| 30 | +1. Go to [IAM Console → Roles](https://console.aws.amazon.com/iam/home#/roles) |
| 31 | +2. Click **Create role** |
| 32 | +3. Choose trusted entity: |
| 33 | + - Select **AWS service** |
| 34 | + - Choose **EC2** |
| 35 | + - Click **Next** |
| 36 | +4. Skip policy attachment for now (we'll add it later) |
| 37 | +5. Name the role: `bytebase-instance-role` |
| 38 | +6. Click **Create role** |
| 39 | + |
| 40 | +### Attach Role to EC2 |
| 41 | + |
| 42 | +**For a new EC2 instance:** |
| 43 | +- During launch, in **Advanced details** → **IAM instance profile**, select `bytebase-instance-role` |
| 44 | + |
| 45 | +**For an existing EC2 instance:** |
| 46 | +1. Select your instance in the [EC2 Console](https://console.aws.amazon.com/ec2/) |
| 47 | +2. Click **Actions** → **Security** → **Modify IAM role** |
| 48 | +3. Select `bytebase-instance-role` |
| 49 | +4. Click **Update IAM role** |
| 50 | + |
| 51 | +## Step 2: Create the Database Access Role |
| 52 | + |
| 53 | +This role will have permission to connect to your RDS database. In production, this would be in a different account. |
| 54 | + |
| 55 | +### Create the Role with Trust Policy |
| 56 | + |
| 57 | +1. In [IAM Console](https://console.aws.amazon.com/iam/), click **Create role** |
| 58 | +2. Select **Custom trust policy** |
| 59 | +3. Replace the default policy with this (substitute your account ID): |
| 60 | + |
| 61 | + ```json |
| 62 | + { |
| 63 | + "Version": "2012-10-17", |
| 64 | + "Statement": [ |
| 65 | + { |
| 66 | + "Effect": "Allow", |
| 67 | + "Principal": { |
| 68 | + "AWS": "arn:aws:iam::YOUR_ACCOUNT_ID:role/bytebase-instance-role" |
| 69 | + }, |
| 70 | + "Action": "sts:AssumeRole", |
| 71 | + "Condition": {} |
| 72 | + } |
| 73 | + ] |
| 74 | + } |
| 75 | + ``` |
| 76 | + |
| 77 | + <Info> |
| 78 | + This trust policy allows `bytebase-instance-role` to assume this role. In production, the Principal would reference a role from a different account. |
| 79 | + </Info> |
| 80 | + |
| 81 | +4. Click **Next** |
| 82 | +5. Skip policy attachment (we'll add inline policy next) |
| 83 | +6. Name the role: `bytebase-target-db-role` |
| 84 | +7. Click **Create role** |
| 85 | + |
| 86 | +### Add RDS Connect Permission |
| 87 | + |
| 88 | +1. Open the newly created `bytebase-target-db-role` |
| 89 | +2. Go to the **Permissions** tab |
| 90 | +3. Click **Add permissions** → **Create inline policy** |
| 91 | +4. Switch to **JSON** view and paste: |
| 92 | + |
| 93 | + ```json |
| 94 | + { |
| 95 | + "Version": "2012-10-17", |
| 96 | + "Statement": [ |
| 97 | + { |
| 98 | + "Effect": "Allow", |
| 99 | + "Action": "rds-db:connect", |
| 100 | + "Resource": "arn:aws:rds-db:*:*:dbuser:*/*" |
| 101 | + } |
| 102 | + ] |
| 103 | + } |
| 104 | + ``` |
| 105 | + |
| 106 | + <Note> |
| 107 | + For production, replace wildcards with specific values: |
| 108 | + `arn:aws:rds-db:REGION:ACCOUNT_ID:dbuser:DB_RESOURCE_ID/bytebase` |
| 109 | + |
| 110 | + Find your DB_RESOURCE_ID in RDS Console → your database → Configuration tab |
| 111 | + </Note> |
| 112 | + |
| 113 | +5. Click **Review policy** |
| 114 | +6. Name it: `RDSConnect` |
| 115 | +7. Click **Create policy** |
| 116 | + |
| 117 | +## Step 3: Allow the EC2 Role to Assume the Database Role |
| 118 | + |
| 119 | +Now we need to give the EC2 role permission to assume the database role. |
| 120 | + |
| 121 | +1. Go back to the `bytebase-instance-role` in IAM Console |
| 122 | +2. Click **Add permissions** → **Create inline policy** |
| 123 | +3. Switch to **JSON** view and paste (substitute your account ID): |
| 124 | + |
| 125 | + ```json |
| 126 | + { |
| 127 | + "Version": "2012-10-17", |
| 128 | + "Statement": [ |
| 129 | + { |
| 130 | + "Effect": "Allow", |
| 131 | + "Action": "sts:AssumeRole", |
| 132 | + "Resource": "arn:aws:iam::YOUR_ACCOUNT_ID:role/bytebase-target-db-role" |
| 133 | + } |
| 134 | + ] |
| 135 | + } |
| 136 | + ``` |
| 137 | + |
| 138 | +4. Click **Review policy** |
| 139 | +5. Name it: `AssumeTargetRole` |
| 140 | +6. Click **Create policy** |
| 141 | + |
| 142 | +## Step 4: Configure the Database |
| 143 | + |
| 144 | +Your RDS instance needs: |
| 145 | +1. **IAM authentication enabled** (check in RDS Console → Modify → Database authentication options) |
| 146 | +2. **A database user configured for IAM auth** |
| 147 | + |
| 148 | +### Create the IAM Database User |
| 149 | + |
| 150 | +Connect to your RDS instance using your master credentials, then run: |
| 151 | + |
| 152 | +**For PostgreSQL:** |
| 153 | + |
| 154 | +```sql |
| 155 | +-- Create user for IAM authentication |
| 156 | +CREATE USER bytebase; |
| 157 | +GRANT rds_iam TO bytebase; |
| 158 | + |
| 159 | +-- Grant necessary permissions (adjust as needed) |
| 160 | +GRANT CONNECT ON DATABASE postgres TO bytebase; |
| 161 | +GRANT CREATE ON DATABASE postgres TO bytebase; |
| 162 | +GRANT ALL PRIVILEGES ON DATABASE your_database TO bytebase; |
| 163 | +``` |
| 164 | + |
| 165 | +**For MySQL:** |
| 166 | + |
| 167 | +```sql |
| 168 | +-- Create user for IAM authentication |
| 169 | +CREATE USER 'bytebase'@'%' IDENTIFIED WITH AWSAuthenticationPlugin AS 'RDS'; |
| 170 | +ALTER USER 'bytebase'@'%' REQUIRE SSL; |
| 171 | + |
| 172 | +-- Grant necessary permissions (adjust as needed) |
| 173 | +GRANT ALL PRIVILEGES ON *.* TO 'bytebase'@'%'; |
| 174 | +FLUSH PRIVILEGES; |
| 175 | +``` |
| 176 | + |
| 177 | +## Step 5: Configure Bytebase Connection |
| 178 | + |
| 179 | +Now configure Bytebase to use the cross-account authentication: |
| 180 | + |
| 181 | +1. Open Bytebase and click **New Instance** |
| 182 | +2. Configure basic connection: |
| 183 | + - **Host:** Your RDS endpoint (e.g., `mydb.abc123.us-east-1.rds.amazonaws.com`) |
| 184 | + - **Port:** 5432 (PostgreSQL) or 3306 (MySQL) |
| 185 | + - **Username:** `bytebase` |
| 186 | + - **Authentication:** Select `AWS RDS IAM` |
| 187 | + |
| 188 | +3. Configure AWS credentials: |
| 189 | + - **Credential Source:** Select **Specific Credentials** |
| 190 | + - **Access Key ID:** Leave empty (uses EC2 instance profile) |
| 191 | + - **Secret Access Key:** Leave empty (uses EC2 instance profile) |
| 192 | + - **Session Token:** Leave empty |
| 193 | + - **Role ARN:** `arn:aws:iam::YOUR_ACCOUNT_ID:role/bytebase-target-db-role` |
| 194 | + - **Database Region:** Select your RDS region |
| 195 | + - **Database:** Your database name |
| 196 | + |
| 197 | +4. Click **Test Connection** to verify the setup |
| 198 | +5. If successful, click **Create** |
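Review bot: The inline policies shown in Step 2 and Step 4 grant far more than the test needs, and since readers copy the snippet rather than the note, the least-privilege form should be the one in the code block. The `RDSConnect` policy resource is `"arn:aws:rds-db:*:*:dbuser:*/*"`, which lets the assumed role authenticate as any IAM-enabled user on any RDS instance in the account; the `<Note>` already gives the scoped form `arn:aws:rds-db:REGION:ACCOUNT_ID:dbuser:DB_RESOURCE_ID/bytebase`, so put that in the block with placeholders and keep the note for how to find `DB_RESOURCE_ID`. Likewise the MySQL step runs `GRANT ALL PRIVILEGES ON *.* TO 'bytebase'@'%';`, which is a full server-wide grant on a user that can only be reached through `sts:AssumeRole`; scope it to the database Bytebase manages, mirroring the PostgreSQL block that grants on `your_database`. Two smaller points: the trust policy carries an empty `"Condition": {}`, which is noise and could be dropped or replaced with a real condition when the production guidance about a foreign-account Principal is followed; and in Step 5 the instruction to choose **Specific Credentials** while leaving the access key fields empty ("uses EC2 instance profile") deserves one explicit sentence saying that empty keys fall back to the instance role, since otherwise a reader may assume they must paste long-lived keys.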