
jfxyu (jfxyu) asked a question.
Hi,
AWS RDS has the capability to manage user access via IAM policy. https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.IAMDBAuth.IAMPolicy.html
Currently, we have 4 SAML User Roles that map to an AWS IAM role in each account. All AWS users fall into one of the four roles.
We want to implement IAM database access to RDS over managing users manually in the cluster. We require fine grained access controls for grants of privileges to our databases. Our current inclination is to provide some cookie cutter RO and RW grants mapped to a user in the cluster and an AWS IAM policy role that is mapped to a particular SAML User Role in Okta. However, we know there will be outliers and users that require additional privs than what would be provided in the RO and RW roles. This will result in several more AWS IAM roles as well as SAML User Roles in Okta. We are trying to avoid having dozens of roles. Any advice would be great. Thanks!
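The pattern described in the question, as an added example rather than code from the post or from Okta/AWS: one IAM policy per SAML-mapped role, each allowing `rds-db:connect` only as the DB users that role may use, plus a check that flags a wildcard in the dbuser position, which would silently discard the fine-grained control the question is after. Region, account id, cluster resource id, role names and DB user names are placeholders.

```python
import json

# Added example, not code from the post or from Okta/AWS.
# Resource ARN shape for IAM database authentication:
#   arn:aws:rds-db:<region>:<account-id>:dbuser:<DbiResourceId>/<db-user-name>
# All region/account/resource-id/user values below are placeholders.

def db_user_arn(region, account_id, resource_id, db_user):
    return f"arn:aws:rds-db:{region}:{account_id}:dbuser:{resource_id}/{db_user}"

def build_connect_policy(region, account_id, resource_id, db_users):
    """Policy document allowing rds-db:connect only as the listed DB users."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "rds-db:connect",
            "Resource": [db_user_arn(region, account_id, resource_id, u)
                         for u in db_users],
        }],
    }

def policies_for_roles(region, account_id, resource_id, role_db_users):
    """IAM role name -> policy document, for a role-to-DB-users mapping."""
    return {role: build_connect_policy(region, account_id, resource_id, users)
            for role, users in role_db_users.items()}

def wildcard_db_users(policy):
    """Resources that would let the principal connect as any DB user.
    A wildcard dbuser defeats per-user scoping, so treat hits as findings."""
    found = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in ("rds-db:connect", "rds-db:*", "*") for a in actions):
            continue
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        found.extend(r for r in resources
                     if r == "*" or r.endswith("/*") or ":dbuser:*" in r)
    return found

if __name__ == "__main__":
    # Constructed mapping: the two cookie-cutter roles from the question.
    roles = {"AppReadOnly": ["app_ro"], "AppReadWrite": ["app_rw"]}
    for role, doc in policies_for_roles("us-east-1", "123456789012",
                                         "cluster-ABCDEFGHIJKL", roles).items():
        print(role, json.dumps(doc, indent=2), wildcard_db_users(doc))
```

On the database side each listed user still has to exist and be enabled for IAM authentication (PostgreSQL: `GRANT rds_iam TO app_ro;`), with its privileges granted inside the database; the IAM policy only decides who may obtain a token for that user.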

Hi Christopher, My name is Valentin and I'll assist with this query.
At this time, Okta can grant access to AWS using AWS roles only. When a user signs into AWS, they can either have an AWS role assigned to them or choose from multiple AWS roles available to them.
If I understood correctly, you need a way to cumulate different roles, for example have a user sign in with both AWS Role1 that grants access to database1 and AWS Role2 that grants access to database2. This functionality is not supported at this time.
You would need to create a Role12 in AWS that grants access to both database1 and database2, and the user would have to sign in using Role12 for AWS sign-in.