IAM角色访问AWS RDS For MySQL
IAM角色访问AWS RDS For MySQL
Tips: 写这篇文章,主要是用作记录;在AWS配置IAM RDS 角色权限访问,官方文档不怎么全,踩了一些坑…
AWS云上配置
-
开启IAM身份验证
- 登录AWS控制台
- 搜索并进入Databases管理页面
- 选择数据库实例,点击修改按钮
- 在Database authentication部分,选择Password and IAM database authentication,启用IAM数据库身份验证
-
创建IAM Policy
- 搜索策略,创建策略,选择JSON配置; Resource指向的是 db实例/数据库账号
- 示例策略:
{"Version": "2012-10-17","Statement": [{"Sid": "Statement1","Effect": "Allow","Action": ["rds-db:connect"],"Resource": ["arn:aws-cn:rds-db:cn-northwest-1:xxxxxxxx:dbuser:cluster-xxxxxxxx/dbuser"]}] }
-
创建IAM角色并附加策略
-
创建一个角色,选择RDS,并附加上述策略
-
编辑新创建的权限,信任关系,指向session;即AWS那个字段,取值为个人账号arn
-
示例信任关系:
{"Version": "2012-10-17","Statement": [{"Effect": "Allow","Principal": {"AWS": "arn:aws-cn:iam::xxxxx:user/个人acount","Service": ["rds.amazonaws.com"]},"Action": "sts:AssumeRole"}] }
-
AWS Config 配置
- 新增role配置
- 登录到宿主机,进入
.aws目录 - 查看
config和credentials文件 - 在
credentials中配置IAM用户的accessId和accessSecret; config与 credentials 通过 profile {name} 匹配 - 在
config中新增相关配置:[profile prodaccess]role_arn = arn:aws:iam::xxxxxxxx:role/ProductionAccessRolesource_profile = default - 如果 default的credentials配置无role权限,请切换profile或者授权
- 登录到宿主机,进入
Role授权
- AWS上role信任实体配置
- 跳板机执行命令:
TIPS: 这里的rolename即是需要配置的roleaws sts assume-role --role-arn "arn:aws-cn:iam::xxxxx:role/rolename" --role-session-name 主账号 --profile profile
- 跳板机执行命令:
使用IAM身份验证创建数据库账户
- 创建数据库用户
- 需要与策略中的用户保持一致,用户名为
dbuser,可以换成自己的 - 命令:
CREATE USER 'dbuser' IDENTIFIED WITH AWSAuthenticationPlugin AS 'RDS'; - 如果要开启SSL:
ALTER USER 'dbuser'@'%' REQUIRE SSL;
- 需要与策略中的用户保持一致,用户名为
命令行连通性验证
- 写入变量
- 设置RDS主机名:
export RDSHOST="rds-aurora-xxx.cluster-xxxx.rds.cn-northwest-1.amazonaws.com.cn" - 获取token:
xxxx_profile是自定义的profile名称,不加–profile 参数默认使用defaultaws rds generate-db-auth-token --hostname $RDSHOST --port 3306 --region cn-northwest-1 --username dbuser --profile xxxx_profile - 将获取到的token写入变量:
export TOKEN="...token..." - 引用变量进行连接:
mysql --host=$RDSHOST --port=3306 --enable-cleartext-plugin --user=dbuser --password=$TOKEN
- 设置RDS主机名:
SpringBoot应用接入Datasource
- 新增配置
- 在
application.properties中添加:aws.rds.host=rds-aurora-xxxxx.cluster-xxxxx.rds.cn-northwest-1.amazonaws.com.cn aws.rds.port=3306 aws.rds.user=dbuser aws.rds.dbname=dbuser aws.region=cn-northwest-1 - 添加AWS SDK依赖:
<dependency><groupId>software.amazon.awssdk</groupId><artifactId>rds</artifactId><version>2.20.0</version> </dependency> - 剔除SpringBoot数据源配置文件注入,重新注入DataSource
- 在
package com.xxl.job.admin.core.conf;import com.zaxxer.hikari.HikariDataSource;
import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Primary;
import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
import software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider;
import software.amazon.awssdk.auth.credentials.ProfileCredentialsProvider;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.rds.RdsUtilities;import javax.sql.DataSource;
import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;@Slf4j
@Configuration
public class DynamicDataSourceConfig {@Value("${aws.rds.host}") private String dbHost;@Value("${aws.rds.port}") private int dbPort;@Value("${aws.rds.user}") private String dbUser;@Value("${aws.rds.dbname}") private String dbName;@Value("${aws.region}") private String region;@Bean@Primarypublic DataSource dataSource() {log.info("[DynamicDataSourceConfig] create datasource start");String token = refreshIamToken();log.info("[DynamicDataSourceConfig] get token: {}", token);HikariDataSource dataSource = new HikariDataSource();dataSource.setJdbcUrl(buildJdbcUrl());dataSource.setUsername(dbUser);dataSource.setPassword(token);//TODO 验证可用性,可删除validateDataSource(dataSource);// 每10分钟刷新令牌// 临时凭证,默认有效期为15分钟ScheduledExecutorService scheduler = Executors.newScheduledThreadPool(1);scheduler.scheduleAtFixedRate(() -> dataSource.setPassword(refreshIamToken()), 10, 10, TimeUnit.MINUTES);return dataSource;}private void validateDataSource(HikariDataSource dataSource) {try (Connection conn = dataSource.getConnection();Statement stmt = conn.createStatement()) {ResultSet rs = stmt.executeQuery("SELECT 1");log.info("Database connection test succeeded");} catch (SQLException e) {log.error("Database connection test FAILED", e);throw new RuntimeException("Datasource validation failed", e);}}private String refreshIamToken() {return generateAuthToken(dbHost, dbPort, dbUser, Region.of(region));}private String buildJdbcUrl() {return String.format("jdbc:mysql://%s:%d/%s?" +"allowCleartextPasswords=true&useUnicode=true&characterEncoding=UTF-8"+ "&autoReconnect=true&serverTimezone=Asia/Shanghai"+ "&useSSL=false&requireSSL=false",dbHost, dbPort, dbName);}private String generateAuthToken(String dbHost, int dbPort, String dbUser, Region region) {//profile需做成环境变量//dev_mysql_auth_profile, 这里换成对应的profile名称,若没有自定义配置则设置为defaultAwsCredentialsProvider credentialsProvider =ProfileCredentialsProvider.create("dev_mysql_auth_profile");return RdsUtilities.builder().credentialsProvider(credentialsProvider).region(region).build().generateAuthenticationToken(b -> b.hostname(dbHost).port(dbPort).username(dbUser).region(region));}
}- 使用默认凭证链,自动获取Pod角色权限:
AwsCredentialsProvider
K8s secret 挂载映射
- 代码中使用:AwsCredentialsProvider
- 使用默认凭证链,自动获取Pod角色权限:AwsCredentialsProvider
官方文档
- 参考AWS官方文档以获取更多详细信息。
- 通用文档:https://docs.aws.amazon.com/zh_cn/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.Connecting.Java.html
- 切换角色:https://docs.amazonaws.cn/IAM/latest/UserGuide/id_roles_use_switch-role-cli.html
- 信任授权:https://repost.aws/zh-Hans/knowledge-center/iam-assume-role-error