AWS RDS PostgreSQL

Creating a local user for gathering database-level metadata

When connecting an AWS account to Veza, the recommended IAM policy includes permissions to discover PostgreSQL instances and clusters on RDS. To gather additional metadata, Veza will need to be able to execute database commands as a local user, as described in this document.

Prerequisites

  • AWS IAM DB Authentication must be enabled

  • You will need administrator privileges to create the local user, which will be used to connect at runtime

  • An Insight Point is recommended for RDS PostgreSQL discovery.

    • The Insight Point egress IP must be allowed in the RDS security group inbound rules.

    • Using an Insight Point is recommended when connecting to production environments. For testing purposes, you can use the internal Insight Point, assuming that firewall rules allow communication with Veza.

Granting Veza Access

There are two options for allowing Veza access to RDS PostgreSQL databases, depending on whether your instance configuration has revoked the default public privileges on the pg_catalog schema, which is a common hardening practice.

A) If you have not revoked the default public privileges on the pg_catalog schema, you only need to create the user and grant it the rds_iam role:

CREATE USER [db_user] WITH LOGIN;
GRANT rds_iam TO [db_user];

B) If you have revoked the default public privileges on the pg_catalog schema, run the following instead to create the user, grant it the rds_iam role, and grant SELECT on the catalog relations the integration reads:

CREATE USER [db_user] WITH LOGIN;
GRANT rds_iam TO [db_user];
GRANT SELECT ON
  pg_catalog.pg_user,
  pg_catalog.pg_group,
  pg_catalog.pg_namespace,
  pg_catalog.pg_class,
  pg_catalog.pg_database,
  pg_catalog.pg_auth_members,
  pg_catalog.pg_attribute
TO [db_user];

Verify that the RDS PostgreSQL DB User specified in the Veza IAM policy for the integration is the same as the local database user you create, for example:

"Resource": "arn:aws:rds-db:us-east-1:123456789:dbuser:*/<my_veza_db_user>"

Note that in the current release, the local username must be the same for all the RDS PostgreSQL resources to discover. You can specify this RDS PostgreSQL DB User name when configuring an AWS account.
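Before handing the user to Veza, it is worth confirming as an administrator that it has the rds_iam membership and catalog access the integration needs, and nothing more. The following PostgreSQL queries are an added example and not part of the Veza documentation; they assume the user was created as veza_reader, so substitute your own [db_user].

```sql
-- Added verification example (not from the Veza docs). Assumes the local
-- user created above is named veza_reader; replace with your [db_user].

-- 1. Membership in rds_iam is what lets the user authenticate with an IAM
--    token instead of a password. Expect a single row reading "true".
SELECT pg_has_role('veza_reader', 'rds_iam', 'MEMBER') AS has_rds_iam;

-- 2. SELECT access on each catalog relation listed in option B. With the
--    default public privileges intact every row is true; after revoking
--    public privileges on pg_catalog, any false row means the matching
--    GRANT SELECT from option B is still missing.
SELECT relname,
       has_table_privilege('veza_reader',
                           'pg_catalog.' || relname,
                           'SELECT') AS can_select
FROM unnest(ARRAY['pg_user', 'pg_group', 'pg_namespace', 'pg_class',
                  'pg_database', 'pg_auth_members', 'pg_attribute'])
     AS t(relname)
ORDER BY relname;

-- 3. Least-privilege sanity check: the integration only reads metadata, so
--    the role should be able to log in but should not be a superuser and
--    should not be able to create databases or roles.
SELECT rolname, rolcanlogin, rolsuper, rolcreatedb, rolcreaterole
FROM pg_roles
WHERE rolname = 'veza_reader';
```

Run these with psql as the administrator used to create the user; the third query should show rolcanlogin as true and the other three flags as false. Connections authenticated with an IAM token must use SSL, so when testing the login itself from the Insight Point, set sslmode=require (or stricter) in the connection parameters.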

The next time Veza connects to the AWS account, the database will be registered and appear under "Discovered Data Sources" on the Administration > Configuration > Apps and Data Sources tab.

IAM Policy for RDS Discovery

The following statements must be included in your Veza IAM policy. Replace the angle-bracketed placeholders with your actual region, account ID, and the database username you specified when adding the AWS account. Note that rds-db:connect resources are identified by resource ID rather than by name: the value shown as <cluster-name> must be the instance's DbiResourceId (of the form db-XXXXXXXXXXXXXXXXXXXXXXXXXX, returned by rds:DescribeDBInstances) or, for an Aurora cluster, its DbClusterResourceId (of the form cluster-XXXXXXXXXXXXXXXXXXXXXXXXXX, returned by rds:DescribeDBClusters). A wildcard in that position, as in the earlier "dbuser:*/<my_veza_db_user>" example, allows tokens to be generated for that username on any instance or cluster in the account, so list specific resource IDs where you can.

{
  "Sid": "RDS",
  "Effect": "Allow",
  "Action": [
    "rds:DescribeDBInstances",
    "rds:DescribeDBClusters"
    ],
  "Resource": "*"
},
{
  "Sid": "RdsDbConnect",
  "Effect": "Allow",
  "Action": [
    "rds-db:connect"
    ],
  "Resource": "arn:aws:rds-db:<region>:<account_id>:dbuser:<cluster-name>/<db_user>"
}
