Need to access RdS database with iam role for master username and master password. I can use IAM role for database user. Any suggestions?
By definition iam authentication opposes pass authentication.
You could to it for the master role by granting it the rds_iam role inside of your db, but it will have all the rights granted to it.
If you want to do it for another role you can, you have to create a user/role in the local database and grant it the rds_iam role (or its equivalent in other db engine than postgres) and enable iam authentication on your rds instance or cluster, and then configure an iam role+policy to make this work.
To connect to the db with iam though you will in fact need the username (if you have done this for the master account then it will be the master username and if you have done it for another created user, it will be its username), but the password have to be a token generated with aws rds command or others ways, to connect via iam there is no need of a password, its password-less :)
here is a link you can follow:
https://aws.amazon.com/premiumsupport/knowledge-center/users-connect-rds-iam
Related
I am new to SQL Server authentication methodologies. I am trying to learn to create a read-only user who can access Azure SQL data from Power BI. I have followed the steps and created a login and user as suggested in this post. I am able to login to the database using 'login' and password as suggested here.
My concern is, as I created the user and assigned him the role of the 'db_datareader'; how does this guarantee that I can't modify something in another database(as there can be multiple user associated with login with a different role)? Is there any way I can directly login to the database using username?
About concerns:
My concern is, as I created the user and assigned him the role of the 'db_datareader'; how does this guarantee that I can't modify something in another database(as there can be multiple user associated with login with a different role)? Is there any way I can directly login to the database using username?
As we know, when we create the read-only user, we need follow bellow steps:
Create the Login in master DB.
Create the read-only user in user DB and mapping to the login.
Alter the 'db_datareader' role to the read-only user.
For Azure SQL database, the Login is used to login the Azure SQL Server and the user to access the database.
We can not alter database role to the login, it must be user level.
One login for one user. If you only grant the 'db_datareader' role to the user, it will be the read-only user for the current database.
For example, if the user "A" is created in database A, it only has the access permission to database A. If you only grant the 'db_datareader' role to the "A", it will be the read-only user.
Ref: https://learn.microsoft.com/en-us/azure/azure-sql/database/logins-create-manage
Hope this helps.
Currently, I am a server admin on an Azure SQL server. When I create an azure function app and connect to a database (on the server) I have to specify a sql connection string from the app. The connection string will use my username and password.
I want to change this so that the server admin is an active directory group (development group or something). Microsoft support told me I can not set a password to an active directory group. How do I create the connection string without a password? Or do I have to create an office 365 account with a development identity so I can set a development user and development password?
In Sql server management (ssms), the server admin is listed under the security directory. I have been using the server admin username and password to connect to the database from azure function apps.
Now I created a user called Development on ssms like this:
USE CompanyDatabase
CREATE LOGIN Development
WITH PASSWORD = 'password';
GO
I tried using the development login as parameters in my connection string and got this error:
Exception has been thrown by the target of an invocation. .Net SqlClient Data Provider: The server principal "Development" is not able to access the database
You have only created a LOGIN so far with the command that you mentioned.
Next step is to create the USER which will use this login and then assign some permissions to that user. I have given an example with db_datawriter, but you can choose something different like db_datareader or db_owner etc.
CREATE USER [Development] FROM LOGIN [Development]
EXEC sp_addrolemember 'db_datawriter', 'Development';
Also on a side note, Azure SQL Database supports contained database user model, where you don't need to create a server level login first and then a user based on it, instead you directly create a user which is contained only in that database. There are some pros and cons to using this model. You can get more information about it here -
https://learn.microsoft.com/en-us/sql/relational-databases/security/contained-database-users-making-your-database-portable?view=sql-server-2017
I want to set up a web service which will manage few resources on a user's behalf (on his own AWS account).
So basically, after a user logs in, he will provide my service with proper permission to access his account. I've noticed similar services (https://www.dashbird.io/), which instruct you on how to create a proper role, but I'm not sure on how to actually use the role. How to login on his behalf (there is no token nor password).
I'm using node.js, but other examples will help as well.
Thanks.
Your application will need valid credentials to access resources in your customer's AWS Account. Theses credentials can be provided in various ways, but they would most probably be either:
Credentials for an IAM User in your customer's account, or
An IAM Role in your customer's account, which they have configured to allow you to assume
IAM User
This is the simplest method. Your customer would create an IAM User and provide it with appropriate permissions. They would then supply your application with the Access Key and Secret Key associated with the User.
Your application would use those credentials when establishing a session with AWS services.
IAM Role
Your customer would create an IAM Role and provide it with appropriate permissions. Unlike an IAM User, an IAM Role does not have credentials. Rather, an AWS User assumes a Role. They are then provided with temporary credentials that can be used to use AWS services in that account.
Think of it like a Fire Warden -- if there is a fire in an office building, somebody temporarily assumes the role of Fire Warden, telling people what to do. When there's a fire, they have authority because they assumed the role. But when there's no fire, they have no authority to tell you what to do.
The customer would need to configure the Role to trust your Account, or a User in your account. They will then give you the ARN (Amazon Resource Name) of the Role. Your application then uses an IAM User in your own Account to call AssumeRole(). If that IAM User (or your whole account) is trusted, then you will receive back credentials for accessing your customer's account.
See:
Creating a Role to Delegate Permissions to an IAM User
AssumeRole
I have an Azure SQL Server with two databases for which I'm trying to use Azure Active Directory Integrated Authentication. One of these databases is critical and most of the users need to be granted only 'read' access for this database.
To add a new user with a 'Reader Role', I did the following:
Added the user with Reader role under Access Control(IAM) from the Azure portal.
The user wasn't able to connect after this step.
Then I tried adding the user using the following commands:
CREATE USER [name#domain.com] FROM EXTERNAL PROVIDER;
sp_addrolemember db_datareader, [name#domain.com];
The user is still not able to connect to the server using AAD Integrated Authentication. In both the cases I get an Anonymous Logon error.
Click to see the snip of the error message
Am I missing something? If not, is there any other way I can add users with specific permissions to the database?
Sorry for the delay, M.
Yeah, you've confused two different levels of access control; the IAM controls that you described (Reader role assignment) allows a user to view (read) the settings in the Azure Portal. Instead, I suspect you want a user (AAD authenticated) to be able to only read the data on the server. That's done via T-SQL and has nothing to do with the Access Control defined by the portal.
Now, you're attempting to create an external user (AAD access) on the database level, and you want them to have read permissions- make sure you've covered all the steps outlined here.
At a glance, the following may be necessary steps:
1.) Ensure that you've assigned an AAD admin for the SQL Server.
2.) Ensure that you're connecting to the database you want to create the users on, not the master db as you ordinarily would on a non-azure SQL Server instance. Create the user via T-SQL using the following:
CREATE USER <Azure_AD_principal_name> FROM EXTERNAL PROVIDER;
3.) Grant the user db_datareader permissions on that database:
ALTER ROLE db_datareader ADD MEMBER <Azure_AD_principal_name>
GO
I have two users (name#company.com) in our Azure AD that have been granted owner permissions to an Azure server via the Azure portal.
First, is it possible to create a login that links/pulls from Azure AD for these login credentials? I've searched and haven't found a specific answer to this, though my suspicion is no.
Second, I have created logins/users for the same database, however, while access to the server is fine, access to the database is denied. I have granted connect to the logins as well as executed sp_addrolemember as datareader to each for the database. In double checking my work, I had referenced several examples that show the same syntax I'm using for Azure logins/users, and yet access is still denied.
Any help would be appreciated.
Steve.
Code:
CREATE LOGIN [login_name]
WITH PASSWORD = N'password'
CREATE USER [user_name]
FROM LOGIN [login_name]
WITH DEFAULT_SCHEMA = dbo
GO
GRANT CONNECT TO [user_name]
EXEC sp_addrolemember 'db_datareader', 'user_name'
First, is it possible to create a login that links/pulls from Azure AD
for these login credentials? I've searched and haven't found a
specific answer to this, though my suspicion is no.
No. In Azure SQL Database you can only use users and logins created in Azure SQL Database - SQL Login.
Second, I have created logins/users for the same database, however,
while access to the server is fine, access to the database is denied.
I have granted connect to the logins as well as executed
sp_addrolemember as datareader to each for the database. In double
checking my work, I had referenced several examples that show the same
syntax I'm using for Azure logins/users, and yet access is still
denied.
Logins should be created in the Master db, while the users, grants and sp_addrolemember should be executed in the context of the targeted DB. If you executed sp_addrolemember in the Master database, your user will not have access to the targeted db.
Also, something important, when you try to connect to the DB with the new logins (and please note that to login to the db you use the login not the user), you have to explicitly select the database to which this new user has access!
My wild guess is that you have executed the create user, grantand sp_addrolemember in the context of your master database. Thus these users now have only access to the master database. You cannot grant explicit grants to other database when you are in the context of master.
It is possible to access Azure SQL DB with Azure AD users:
https://azure.microsoft.com/en-us/documentation/articles/sql-database-aad-authentication/
You can't use AD users to login to SQL server. Logins has to be created in the master database and you need to use that login to create user and permission grants by connecting the user database. However SQL DB V12 supports contained user where you don't need to create logins in the master any more. The login can be executed in the user database context itself and this will be very helpful if you setup Geo Replication for ( restore using Point in time restore feature of) for your database in Azure. Based on my experience, I would recommend contained users in Azure database.