Revathi Joshi
Posted on February 5, 2023
This is in continuation of my 1st article, where we have created and connected to an Amazon RDS MySQL Database via EC2 instance.
In this article, I am going to show you how to create an RDS Proxy and connect it to an already existing Amazon RDS MySQL Database.
Please visit my GitHub Repository for Aurora articles on various topics being updated on constant basis.
Let’s get started!
Objectives:
6. Store database credentials in AWS Secrets Manager
7. Create IAM role and policy
8. Create an RDS Proxy
9. Connect to RDS database through RDS Proxy
10. Clean up
Pre-requisites:
- AWS user account with admin access, not a root account.
- Cloud9 IDE with AWS CLI.
Resources Used:
Steps for implementation to this project:
6. Store database credentials in AWS Secrets Manager
- RDS Proxy accesses a database thru secrets which are stored in AWS Secrets Manager.
These secrets are nothing but the database user credentials like username and password.
Go to the Secrets Manager section of your AWS Management Console and choose
Store a new secret.
In the Select secret type box, choose Credentials for RDS database.
Then, type the
user name and password
that you used when creating your RDS database.Choose the corresponding RDS database -
database-1
for the secret to access.Choose Next.
Secret name -
rdssecret
and description section, give your secret a name and description so that you can easily find it later.Then, choose Next.
Choose the Disable automatic rotation option, and
Then choose Next.
Secrets Manager console shows you the configuration settings for your secret and some sample code that demonstrates how to use your secret.
Scroll to the bottom of the page and choose Store to
save your secret.After creating the secret, the Secrets Manager page displays your created secrets.
Choose your
rdssecret
.In the Secret details box, it displays the
ARN of your secret.
Copy this value, as you need it later in this tutorial.
7. Create IAM role and policy
Thru an IAM role with an attached policy, RDS Proxy accesses to the secrets you created in AWS Secrets Manager.
Create role
Select your use case,
choose RDS - Add Role to Database, and
choose Next:
Add Permissions
create policy
create policy and select the JSON tab.
Delete the existing policy statements.
Substituting your secret ARN value for the example listed below. - Then, choose Review policy.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"secretsmanager:GetRandomPassword",
"secretsmanager:CreateSecret",
"secretsmanager:ListSecrets"
],
"Resource": "*"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "secretsmanager:*",
"Resource": [
"your_secret_ARN"
]
}
]
}
Review policy section, give your policy a name
rds-policy
and description so that you can easily find it later.Then, choose Create policy.
next, next - review
name
rds-policy
Go to the previous window
Next
Choose Roles and then choose Refresh.
Next
role - name ---->
rds-role
Review section, give your role a name and description so that you can easily find it later.
Then, choose Create role.
confirm role with policy
8. Create an RDS Proxy
- Go to the RDS console. In the RDS navigation pane, choose Proxies,
then Create proxy.
-
In the Proxy configuration section, do the following:
- For Proxy identifier, give the proxy a name -
rds-proxy
- Leave the Idle client connection timeout as the 30 minutes.
- Target group configuration section, for Database, choose the RDS MySQL DB instance -
database -1
(This RDS DB instance is the same instance you verified connectivity to in Step 5.) - For Connection pool maximum connections, keep the default value of 100.
- For Proxy identifier, give the proxy a name -
-
In the Authentication section, do the following:
- For Secrets Manager secret, choose the secret you created in Step 6. -
rdssecret
- For IAM role, choose the role you created in Step 7. rds-role
- For IAM Authentication, keep the default setting of ---> Not Allowed (This tutorial uses DB credentials to connect with the RDS Proxy so IAM Authentication is not used.)
- For Secrets Manager secret, choose the secret you created in Step 6. -
-
In the Connectivity section, do the following:
- Clear the Require Transport Layer Security check box.
- For Subnets, choose a minimum of two subnets in different Availability Zones.
- Expand Additional connectivity configuration, and for VPC security group, choose the existing
rds-sg
for security group.
In the Advanced Configuration section, keep the Activate selection for Enhanced logging.
choose Create proxy.
-
You will see this message while
rds-proxy
is being created.- Creating RDS Proxy
rds-proxy
for databasedatabase-1
. Your proxy might take up to 20 minutes to create and become available. A secret in Secrets Manager and an IAM policy that accesses the secret for use with this proxy have been created. To view these resources, check the proxy's details page.
- Creating RDS Proxy
Wait for the proxy status to change from Creating to Available, then select the proxy.
Proxy configurations section, make a note of the Proxy endpoint and confirm all other parameters are correct.
rds-proxy endpoint
rds-proxy.proxy-cgizjtuyxkda.us-east-1.rds.amazonaws.com
9. Connect to RDS database through RDS Proxy
On EC2 console, choose
myec2
instanceChoose Connect.
Or ssh into
myec2
sudo su
yum install mysql
mysql -h <proxy endpoint> -P 3306 --user=admin --password
mysql -h rds-proxy.proxy-cgizjtuyxkda.us-east-1.rds.amazonaws.com -P 3306 --user=admin --password
When prompted, type your password and press Enter.
A message showing that you have successfully connected to the RDS DB instance.
10. Clean up
Delete RDS Proxy
Delete secret
Delete IAM role and policy
Delete other resources, such as EC2 instance, RDS instance, and corresponding security groups
What we have done so far
- We have successfully demonstrated connecting to an existing Amazon RDS MySQL Database via RDS Proxy.
Posted on February 5, 2023
Join Our Newsletter. No Spam, Only the good stuff.
Sign up to receive the latest update from our blog.