AWS RDS PostgreSQL
Creating a local user for gathering database-level metadata
When connecting an AWS account to Veza, the recommended IAM policy includes permissions to discover PostgreSQL instances and clusters on RDS. To gather additional metadata, Veza will need to be able to execute database commands as a local user, as described in this document.
Prerequisites
AWS IAM DB Authentication must be enabled
You will need administrator privileges to create the local user, which will be used to connect at runtime.
An Insight Point is recommended for RDS PostgreSQL discovery.
The Insight Point egress IP must be allowed in the RDS security group inbound rules.
Using an Insight Point is recommended when connecting to production environments. For testing purposes, you can use the internal Insight Point, assuming that firewall rules allow communication with Veza.
Granting Veza Access
There are two options to allow Veza access to RDS PostgreSQL databases, depending on whether your instance configuration has revoked public privileges for the pg_catalog schema, as is a common security practice.
A) If you have not revoked the default public privileges on your schema, you only need to create the user and grant the rds_iam privilege:
B) If you have revoked the default privileges from your schema, you should instead run the following command to create the user and grant select permissions for the required tables:
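As an added example (not Veza's own commands), one way an administrator could create the discovery user for either option and verify the result. The role name veza_db_user and the pg_catalog objects listed under option B are assumptions; substitute the DB user name from your Veza integration and the tables the integration requires.

```sql
-- Added example, not Veza's documented commands. The role name veza_db_user
-- and the pg_catalog objects granted below are assumptions.

-- Common to both options: the role must be able to log in, and membership in
-- rds_iam lets it authenticate with an IAM token (rds-db:connect), so no
-- database password is set.
CREATE ROLE veza_db_user WITH LOGIN;
GRANT rds_iam TO veza_db_user;

-- Option B only: public privileges on pg_catalog were revoked, so read access
-- to the catalog has to be granted explicitly. The table list is illustrative;
-- grant only the tables the integration actually needs.
GRANT USAGE ON SCHEMA pg_catalog TO veza_db_user;
GRANT SELECT ON TABLE pg_catalog.pg_roles,
                      pg_catalog.pg_auth_members,
                      pg_catalog.pg_namespace,
                      pg_catalog.pg_class
    TO veza_db_user;

-- Verification an administrator can run afterwards.
-- 1. Can the role authenticate through IAM? Expected: true.
SELECT pg_has_role('veza_db_user', 'rds_iam', 'member') AS has_rds_iam;

-- 2. Did the catalog grants take effect (option B)? Expected: true for each.
SELECT has_table_privilege('veza_db_user', 'pg_catalog.pg_roles', 'SELECT')
           AS can_read_roles,
       has_table_privilege('veza_db_user', 'pg_catalog.pg_auth_members', 'SELECT')
           AS can_read_members;

-- 3. Confirm the role holds nothing beyond metadata access: it should not be
--    a superuser, create roles or databases, or bypass row-level security.
SELECT rolname, rolsuper, rolcreaterole, rolcreatedb, rolbypassrls
  FROM pg_catalog.pg_roles
 WHERE rolname = 'veza_db_user';
```

The role name used here must match the `dbuser:*/<my_veza_db_user>` resource in the IAM policy, otherwise the IAM token issued to Veza will not be accepted for this user.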
Verify that the RDS PostgreSQL DB User specified in the Veza IAM policy for the integration is the same as the local database user you create, for example:
"Resource": "arn:aws:rds-db:us-east-1:123456789:dbuser:*/<my_veza_db_user>"
Note that in the current release, the local username must be the same for all the RDS PostgreSQL resources to discover. You can specify this RDS PostgreSQL DB User name when configuring an AWS account.
The next time Veza connects to the AWS account, the database will be registered and appear under "Discovered Data Sources" on the Administration > Configuration > Apps and Data Sources tab.
IAM Policy for RDS Discovery
The following sections must be included in your Veza IAM policy. Update the bracketed values to contain your actual region, account ID, and the database username you specified when adding the AWS account.