| 1 | +--- |
| 2 | +title: 'Just-in-time database access to Amazon Aurora using Bytebase' |
| 3 | +author: Ningjing |
| 4 | +tags: Tutorial |
| 5 | +updated_at: 2025/01/07 18:15 |
| 6 | +integrations: General |
| 7 | +level: Beginner |
| 8 | +estimated_time: '40 mins' |
| 9 | +description: 'In this tutorial, we will demonstrate how to set up Just-in-Time (JIT) access using the Bytebase GUI connecting to Amazon Aurora.' |
| 10 | +--- |
| 11 | + |
| 12 | +In modern database management, when an incident occurs, developers often need quick access to production databases to troubleshoot and resolve the issue. However, traditional methods, such as using static passwords, can pose security risks and complicate management. For Amazon Aurora, AWS IAM authentication provides a solution by enabling temporary, secure access without the need for password rotation. |
| 13 | + |
| 14 | +But there’s a more flexible and professional approach to manage database access while maintaining robust security: Bytebase. |
| 15 | + |
| 16 | +Bytebase is a modern, web-based database management tool that simplifies the database administration process. By offering a user-friendly interface, Bytebase makes managing complex database environments—both on AWS and beyond—easy and professional. It supports a wide range of databases and enables granular control over access permissions. |
| 17 | + |
| 18 | +In this post, we demonstrate how to configure Just-in-Time (JIT) access to Amazon Aurora via Bytebase, allowing developers to quickly connect and troubleshoot production databases in a secure and efficient way. We’ll walk you through the steps to set up AWS IAM authentication in Bytebase, giving you both flexibility and security when managing access to your Aurora databases. |
| 19 | + |
| 20 | +By the end of this guide, you'll understand how to streamline access management in Bytebase while maintaining high security and flexibility. |
| 21 | + |
| 22 | +## Solution Overview |
| 23 | + |
| 24 | +The following diagram illustrates the configuration of Bytebase connecting to Amazon Aurora MySQL. |
| 25 | + |
| 26 | +  |
| 27 | + |
| 28 | +1. Install Bytebase via Docker in an EC2 instance. |
| 29 | +1. Use Amazon Aurora PostgreSQL as the metadata database. |
| 30 | +1. Connect to Amazon Aurora MySQL via AWS IAM authentication. |
| 31 | + |
| 32 | +### Why use AWS IAM authentication over password authentication? |
| 33 | + |
| 34 | +While adding connection to Aurora MySQL, Bytebase provides both password and AWS IAM authentication. |
| 35 | + |
| 36 | +1. **Stronger Security**: Uses temporary tokens instead of static passwords, eliminating storage and rotation risks. |
| 37 | +1. **Simplified Management**: Centralized control through IAM, with dynamic permissions and seamless AWS service integration. |
| 38 | +1. **Scalability**: Ideal for cloud-native and multi-region deployments. |
| 39 | +1. **Compliance**: Provides granular control and audit logs via CloudTrail. |
| 40 | + |
| 41 | +### Why use Bytebase over granting AWS IAM user access to Aurora MySQL directly? |
| 42 | + |
| 43 | +Then you may ask, provided that AWS IAM can manage access to Aurora MySQL, why bother using Bytebase? |
| 44 | + |
| 45 | +1. **Simplified Management**: Bytebase provides a web-based GUI for database management, making it user-friendly, professional, and easy to navigate. |
| 46 | +1. **Flexible Access Control**: AWS IAM user access to Aurora MySQL typically involves granting full control over the database. Bytebase, on the other hand, allows you to grant fine-grained access—specific permissions for databases, tables, and even with expiration times—offering much greater flexibility. |
| 47 | +1. **Support for Multiple Database Types**: Bytebase supports a wide range of databases, both within AWS and beyond, making it a versatile solution for diverse database environments. |
| 48 | + |
| 49 | +## Prerequisites |
| 50 | + |
| 51 | +Before starting this tutorial, you will need: |
| 52 | + |
| 53 | +- An AWS account |
| 54 | +- An AWS Identity and Access Management (IAM) user with permissions to connect to Amazon Aurora |
| 55 | +- An EC2 instance with Docker installed |
| 56 | +- An Amazon Aurora PostgreSQL database for Bytebase metadata |
| 57 | +- An Amazon Aurora MySQL database to be managed by Bytebase |
| 58 | + |
| 59 | +## Set up AWS IAM for Aurora MySQL connection |
| 60 | + |
| 61 | +### Enable AWS IAM authentication for Aurora MySQL |
| 62 | + |
| 63 | +While creating Aurora MySQL instance, you need to enable AWS IAM authentication. |
| 64 | + |
| 65 | +  |
| 66 | + |
| 67 | +### Create IAM policy |
| 68 | + |
| 69 | +1. Go to IAM > Policies and click Create policy. |
| 70 | + |
| 71 | +1. Select `RDS IAM Authentication` for service. |
| 72 | + |
| 73 | +  |
| 74 | + |
| 75 | +1. Select `connect` permission and specific as **Resource**. Check `Any in this account.` |
| 76 | + |
| 77 | +1. Name it `rds-connect` and create this policy. |
| 78 | + |
| 79 | +### Create IAM user |
| 80 | + |
| 81 | +1. Go to **IAM > Users** and click **Create user**. Name it `rds-connector`. |
| 82 | +1. Choose `Attach policies directly` and select `rds-connect` policy. Click **Next** and then click **Create user**. |
| 83 | +1. On the user detail page, click **Create access key**, and choose `Application running on AWS compute service` as the use case. Because you will run Bytebase in EC2 instance. Click **Next**. |
| 84 | + |
| 85 | +1. Then you can save the `Access key ID` and `Secret access key` for later use. |
| 86 | + |
| 87 | +## Run Bytebase in EC2 instance |
| 88 | + |
| 89 | +1. Connect to the Aurora PostgreSQL instance and create a database `bb` for Bytebase metadata. |
| 90 | + |
| 91 | +1. Connect to the EC2 instance and run the following command to start Bytebase. Put your **AWS_ACCESS_KEY_ID**, **AWS_SECRET_ACCESS_KEY**, **AWS_REGION**, **PG_URL** in the command. |
| 92 | + |
| 93 | + ```bash |
| 94 | + docker run --init -d \ |
| 95 | + -e AWS_ACCESS_KEY_ID=AKIxxxxxxxxxxxxxxEB4 \ |
| 96 | + -e AWS_SECRET_ACCESS_KEY=axBAyxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxQ7yUB \ |
| 97 | + -e AWS_REGION=ap-xxxxxxx-1 \ |
| 98 | + -e PG_URL=postgresql://postgres:xxxxx@database-pg-aurora-instance-1.ct4xxxxxxxx5.ap-xxxxx-1.rds.amazonaws.com:5432/bb \ |
| 99 | + --name bytebase \ |
| 100 | + --publish 8080:8080 --pull always \ |
| 101 | + bytebase/bytebase:3.2.0 |
| 102 | + ``` |
| 103 | + |
| 104 | +## Connect to Aurora MySQL via AWS IAM in Bytebase |
| 105 | + |
| 106 | +1. The first registration will be granted an **admin** role. Log in, click **Instances** on the left bar and click **Add instance**. |
| 107 | + |
| 108 | +1. Select **MySQL** as the database type. Fill in the following information and click **Create**. |
| 109 | + |
| 110 | + - Instance Name: `AWS Aurora MySQL Prod` |
| 111 | + - Environment: `Prod` |
| 112 | + - Host or Socket: `aurora-mysql-instance-prod.ctxxxxxxx5.ap-xxxxx-1.rds.amazonaws.com` |
| 113 | + - Port: `3306` |
| 114 | + - Connection Method: `AWS RDS IAM` |
| 115 | + - Username: `bytebase` |
| 116 | + - Database Region: `ap-xxxxx-1` |
| 117 | + |
| 118 | +  |
| 119 | + |
| 120 | +1. Click **Select Project** on the top bar and create a new project `Aurora MySQL Project`. |
| 121 | +1. (Optional) If you don't have any existing databases in the aurora mysql instance, you can check the [employee small sample data](https://github.com/bytebase/employee-sample-database/tree/main/mysql/dataset_small) and import them into the instance first. |
| 122 | +1. Click **Database > Databases** on the left bar, and then click **Transfer in DB** to transfer in existing databases, for the sample data, it's `employee`. |
| 123 | +1. Click **SQL Editor** on the top bar, connect to the `employee` database. Double click the `employee` database and you'll see the data. |
| 124 | + |
| 125 | +  |
| 126 | + |
| 127 | +## Register a developer and gain access to the production database |
| 128 | + |
| 129 | +### Step 1 - Register a developer |
| 130 | + |
| 131 | +1. By default, the `(workspace) admin` has the full access to the database. Click **IAM&Admin > Users&Groups** on the left bar, and then click **Add user**. |
| 132 | + |
| 133 | +1. Create a user `dev` with the role `Project Developer`. This project-level role will be applied to all projects automatically. |
| 134 | + |
| 135 | +1. Log in as the user `dev`, click **Select Project** on the top sidebar, and choose `Aurora MySQL Project` |
| 136 | +1. Click **Database > Databases** on the left bar, you should see two database `employee`. |
| 137 | +1. Click **SQL Editor** on the top bar, connecting to the `employee` database is impossible. Because it's **Community Plan**. |
| 138 | + |
| 139 | +### Step 2 - Admin assign you access to the production database (Community and Pro Plan) |
| 140 | + |
| 141 | +In Bytebase **Community** and **Pro Plan**, the Admin/DBA can assign developer access to the production database. |
| 142 | + |
| 143 | +1. Login as the `admin` user, go into `Aurora MySQL Project`, click **Manage > Members** on the left sidebar. |
| 144 | + |
| 145 | +1. Click **Grant Access**, select the developer `dev`, select the `SQL Editor User` role, then set 1 day Expiration, and click **Confirm** button. Here you may notice in **Community Plan**, you can only set access to all databases in the project. |
| 146 | + |
| 147 | +  |
| 148 | + |
| 149 | +1. After the access is granted, log in as the `dev` user again, you now have access to the production database in SQL Editor. After one day, the access will expire automatically. |
| 150 | + |
| 151 | +  |
| 152 | + |
| 153 | +### Step 3 - Request JIT access to the production database (Enterprise Plan) |
| 154 | + |
| 155 | +In Bytebase **Enterprise Plan**, you can request a JIT access to the production database. |
| 156 | + |
| 157 | +1. Login as `admin` user, go into `Aurora MySQL Project` and revoke the `dev` user's access to the production database. |
| 158 | + |
| 159 | +1. Upgrade to the **Enterprise Plan**. You may request a 14-day trial from [here](https://www.bytebase.com/contact-us/). |
| 160 | + |
| 161 | +1. Click **CI/CD** > **Custom Approval** on the left sidebar. Assign licenses to the aurora mysql instance to enable this feature. |
| 162 | + |
| 163 | +  |
| 164 | + |
| 165 | +1. Scroll down to **Request Querier Role** section, add `high` risk an approval flow `Project Owner`. |
| 166 | + |
| 167 | +  |
| 168 | + |
| 169 | +1. Click **CI/CD** > **Risk Center** on the left sidebar. Define a High risk policy for `Request Querier Role` which triggers when the environment is `Prod`. |
| 170 | + |
| 171 | +  |
| 172 | + |
| 173 | +1. Login as the `dev` user again, then go to SQL Editor page. Click **Connect to a database** or **Select a database to start**. You should see the `hr_prod` and `hr_test` databases listed, click **Request query** to request a JIT access. |
| 174 | + |
| 175 | +  |
| 176 | + |
| 177 | +1. Another way is to go to **Database > Databases** page, click **Request Querier Role**. |
| 178 | + |
| 179 | +1. In the **Request Querier Role** modal, choose **Manually select**, then `employee` `salary` and `title` under `hr_prod` database, and click **OK** button. Here you may also specify the expiration time which can be a specific time, or relative time from now. |
| 180 | + |
| 181 | +  |
| 182 | + |
| 183 | +  |
| 184 | + |
| 185 | +1. An request issue will be created, switch to the project owner (the admin user), go to **Issue** page, you should see the request issue. Click **Approve** button to approve the request. |
| 186 | + |
| 187 | +  |
| 188 | + |
| 189 | +1. Switch back to the `dev` user, go to **SQL Editor**, you should be able to query from `employee` table. If you query from other tables, you will get errors and suggest to request a JIT access. |
| 190 | + |
| 191 | +  |
| 192 | + |
| 193 | +1. After the `dev` user get the access, he can solve the incident. The admin user can revoke the access directly from the **Manage** > **Members** page or wait for the access expiration. |
| 194 | + |
| 195 | +## Conclusion |
| 196 | + |
| 197 | +In this tutorial, we demonstrated how to set up Just-in-Time (JIT) access using the Bytebase GUI connecting to Amazon Aurora MySQL. We also discussed the benefits of using AWS IAM authentication over password authentication and how Bytebase can provide a more flexible and professional approach to managing database access while maintaining robust security. |
| 198 | + |
| 199 | +By following these steps, you can streamline access management in Bytebase while maintaining high security and flexibility. |
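Review bot: The "Connect to Aurora MySQL via AWS IAM in Bytebase" section (line 115, `Username: bytebase`) has no step that creates that database user, yet RDS IAM authentication only works for a MySQL account created with the AWS authentication plugin; add a step before the connection form along the lines of `CREATE USER 'bytebase' IDENTIFIED WITH AWSAuthenticationPlugin AS 'RDS';` and note that the `rds-db:connect` grant must name this user. Related scoping point on line 75: `Check Any in this account.` attaches `rds-db:connect` to every DB user in the account, which is wider than the tutorial needs; scoping the resource to the single `bytebase` DB user would match the least-privilege message of line 36. Lines 83 to 98 then hand a long-lived access key to the container even though line 36 advertises "eliminating storage and rotation risks", and the `docker run` line also embeds the PostgreSQL password in the command (shell history, process list); since Bytebase runs on EC2, an instance profile with the `rds-connect` policy, or at least `--env-file`, would be the safer instruction. Consistency nits for the walkthrough: line 136 says "two database `employee`" but only one database was transferred in; lines 173 and 179 switch to `hr_prod`/`hr_test` and `salary`/`title` while the rest of the text uses the `employee` database; line 185 should read "A request issue".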