I have a MySQL DB running in AWS RDS. I'm using IAM authentication. I was successfully able to use IAM authentication with normal users.
Now, I have a role called "Insight_Data_Processing". I'm creating Lambda functions that run under this role.
When trying to create a user for this role in the DB, I'm getting an error:
mysql> CREATE USER Insight_Data_Processing IDENTIFIED WITH AWSAuthenticationPlugin as 'RDS';
ERROR 1470 (HY000): String 'Insight_Data_Processing' is too long for user name (should be no longer than 16)
Now, role names cannot be changed (see Rename an IAM Role ). And I'm using this role for multiple related Lambda functions, so don't want to create yet another role.
Is there any workaround?
You got the parameters wrong. It should be
CREATE USER IDENTIFIED WITH AWSAuthenticationPlugin as '';
The local account can be anything
Related
I have a successful connection from Azure data Factory to my Azure Sql db .And I have set the AAD Admin as myself and also the UserManagedIdentity from the portal.
Now whoever use that UserManagedidentity in ADF can access the entire Sql DB.I need to restrict the access at Schema level, like X people should have access to X tables and Y people should have access to Y Tables.
So how can we achieve this through usermangedIdentity ,Can we set Schema level permissions via usermanagedidentity?
The managed identity has a corresponding user in SQL, so limit their permissions are you would any other user or group.
i.e.:
GRANT SELECT ON Employees TO UserManagedIdentity;
Admin overrides all other restrictions. So as long as a user is part of Server admin, he/she can have the entire access.
For your use case, you would need to remove the managed identity from the admin group DL, create a new user within the database and grant the new user required access
I found sample code from Microsoft docs but it doesn't seem to work.
If anyone has any insight that would be helpful.
Also the broad question is if that is even possible.
As the NodeJS uses Tedious library, it's not clear if Tedious is able to support AAD connection.
Sample code was taken from: https://learn.microsoft.com/en-us/azure/azure-sql/database/connect-query-nodejs?tabs=windows
It has the code sample with type: azure-active-directory-msi-app-service which I think should work.
The error I am getting is 'Security token could not be authenticated or authorized.'
The managed-identity user is added to the resources, with permissions
The code was working after adding a 'reader' role for principle user in sql server.
The steps that are required to connect SQL Server through AAD - Managed identity for NodeJS project are as below:
Create sql-server with sql-server database in an azure resource.
Create an azure-web app within the same azure resource.
Create a principle user in the web app.
This can be done by going to the azure web app > Settings > Identity menu > System-assigned tab and turning on the toggle.
In the sql-db create the user with the same name as principle user that was created in step 3. The name is same as web-app.
Also assign db_reader, db_writer, and ddladmin roles to the user.
You may use the below script to create and assign role to the user. (One thing to consider if it fails to create the user, you might need to rename the app-service name as in my case it was not allowing me to create the User saying it already exists).
**CREATE USER [<identity-name>] FROM EXTERNAL PROVIDER;
ALTER ROLE db_datareader ADD MEMBER [<identity-name>];
ALTER ROLE db_datawriter ADD MEMBER [<identity-name>];
ALTER ROLE db_ddladmin ADD MEMBER [<identity-name>];**
Add the reader role to the principle user in the sql server. (The one that I was missing).
This can be done by going to the Sql server resource(in Azure)> Access control (IAM)
Select Reader and select member/user (principle user with the app name), and assign the role reader to that user/member.
After all these configuration part is done, use the code from microsoft docs. For me lower node version was not working so needed to upgrade the node version.(14 in my case).
https://learn.microsoft.com/en-us/azure/azure-sql/database/connect-query-nodejs?tabs=windows
Also the connection was successful only in the deployed version.
Hope this is helpful !! :)
Normally in AWS and GCP, there are API calls to validate their assigned user permission levels.
Eg:- User has Cloud SQL Client role in GCP and if the API call is executed with permission cloudsql.instances.get, it will retrun whether the permission is granted or not.
So likewise is there any way to validate AZURE permission levles?
Currently it is only possible to list available permission
As a example it will return "*/read" and through this API it is given set of permissions
But my requirement is to validate the access level by passing the exact permission levles "Microsoft.Network/publicIPAddresses/read"
or to list all the exact set of permission sets
eg:-
"Microsoft.Network/publicIPAddresses/read",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/loadBalancers/read",
"Microsoft.Network/networkInterfaces/read",
I am trying to tighten up security on connecting to our Azure SQL database by creating custom roles and users, depending on what access to the database is needed. Most of our connections are done via Google Apps Script and have previously used the admin login.
I know it is good practice to not use the db_datareader / db_datawriter roles, but I'm having connection issues whenever I use a custom roles/ users and our scripts. The custom user accounts / roles work fine in SSMS but when I use our Google Apps Script I get:
Connection URL is malformed
I know the account is authenticating because if I use the wrong password I get a different error. Additionally, the script still works fine with the original database admin account and a test account I made assigned to db_datareader role. Accounts with db_datawriter roles work fine as well. So I believe this error message has nothing to do with the actual connection URL.
There seems to be some permission granted by db_datareader / db_datawriter that allows for external scripts to connect and run and I am unsure how to replicate that. Perhaps something that to do with querying a list of the tables that the account /role has access to?
Here is a screenshot of the custom role's permissions, I have omitted database and table names, but these are all on the same database and differing tables and scalar functions that the script needs:
new role permissions
Any idea of what I can try to replicate these 'built-in' roles?
Check that your custom role resides in database scope (Expand DB in SSMS -> Security...)
Ensure your user is an assignee of the role
Check your connection string references a database name
Set the default database for the user from the user properties pane
To get the permissions of a role you could use one of the scripts in this thread.
Problem
I have a Lambda function in Account 1, which retrieves EC2 instance status.
Similarly, I want to retrieve EC2 instance status in other 4 accounts.
What I did
I Created trust relationship with the other 4 account by updating the IAM role.
Question:
Will my python code (residing in my lambda function in account 1) is enough to retrieve ec2 instance status from the other 4 accounts? or should I do something more ?
Please suggest!
Thanks in advance.
Each AWS Account is separate. You cannot access details of one AWS Account from another AWS Account. However, you can temporarily assume an IAM Role from another account to gain access.
Instead, you will need to:
Create an IAM Role for the central Lambda function (Lambda-Role) and grant it permission to call AssumeRole
Create an IAM Role in each account that you wish to access, grant it permission to call DescribeInstances and configure it to trust Lambda-Role
The Lambda function can then loop through each account and:
Call AssumeRole for that account, which will return temporary credentials
Use those credentials to call DescribeInstances