I can see there is a user from my aws rds console,
AWS Console -> RDS -> Databases -> Configuration -> Availability
But I forgot what was the password of this user? How can I see/ retrieve the password? Moreover how can I add new users for my existing database?
I think there is no way to recover the lost password, but you can Not sure you can recover, but you should be able to reset it.
Creating new uses is done from inside the db. You login as a root, and they you create new users with their passwords using db-specific sql statements for that. For instance for mysql you have CREATE USER statement.
Related
Most of you would have encountered the problem of creating db users for developers across multiple database (using common user is not allowed). We have around 90 DB's on AWS and 200-250 dev's. Everyday someone needs access to a database and this is manual and repetitive task.
I am looking for a solution to automate end-to-end lifecycle of user management, scripting or creating a terraform module are solutions which I already have in my mind, but how does other organization manage DB users at scale ?
I did look at AWS IAM authentication but I am not sure how can we grant fine grain access using IAM roles.
Cheers,
Fun Learn
The way I've done this is (high level);
Create your RDS Terraform Config / Module(s)
Create a sql file with the user & grant creations needed
Create a wrapper script that deploys terraform then connects to it to deploy your SQL file with user creation
Your wrapper script will need to use Terraform Outputs to get your newly created RDS Endpoint to connect to | Say you created an output called rds_endpoint in your terraform plan / config... This is how you grab it in bash terraform output rds_endpoint
Assuming your new RDS DB is not publicly accessible, your wrapper script will need to tunnel in through a bastion or some other instance that is publicly accessible with access to the DB. Example: ssh -oStrictHostKeyChecking=no -p 22 -i ~/.ssh/bastion-host-key.pem -C -N ec2-user#$bastion_ip -L 3306:$rds_endpoint:3306 &
Your wrapper script will need to use the RDS user & password you created with terraform as well to run the SQL File
In fact IAM authentication could be the key to do that.
What you can do is in fact create all you databases with terraform.
do not forget to enable iam authentication via your terraform module.
Once all you databases are created via teraform, you have to create local role(s) in all of theses databases (either via terraform using SQL script or still via terraform using modules that allow you to create user/roles, for postgresql you can use this module ) and you have to grant them the pre-created, existing, database role for iam (for example with postgresql its named "rds_iam")
The thing that is interresting with iam authentication is that all of your developper can connect using their account to aws and request a token that will be used as a password (the username will be the role you created before) and by doing this you create only one role, but each authentication is made by each developpers account.
If your company really needs you to create roles for each devs (even if the roles are exactly the same, It makes no sense since by definition, we ASSUME a role, so anyone can assume ONE role, this is not awful) you can then create a local database users (instead of a role) for all of your developpers in all of your database by using an SQL script that your terraform will execute.
Of course do not forget to grant the rds_iam existing role to either the unique role that will be used by all the developpers (in case you choose this solution) or to all the db users you created before.
You will have to manage IAM policy for all of theses users to be accurate regarding to the security (or use * in the policy to let all your developpers connect to all you db users lol)
and then your developpers will be able to use aws rds command to generate an auth token and connect to their local db user that will have to correct rights.
There is a hole bunch of informations and precisions here:
https://aws.amazon.com/premiumsupport/knowledge-center/users-connect-rds-iam
have a nice journey on aws
Good afternoon,
I am writing a front-end for a research database that holds sensitive health information. My institution has a policy that user actions be logged by the SQL server so that they can perform audits on the server log files in the event of a breach.
Because of this policy, I cannot connect Django to the db as a system user (otherwise, all users of the front-end actions would be logged by the server as the Django system user instead as the actual user individually).
Is there a way to connect to the DB using per user credentials so that actions performed on the front end will be logged as that user on the db server? I have been able to find a lot of information about using multiple databases, but nothing about per user authentication of those databases.
Thank you in advanced!
I don't think you can do that, the user that connect to the database need to have access to all the tables.
I had a similar issue when I wanted to use Django models outside Django and restrict access to certain models for certain users.
I ended up using SQLAlchemy and its automap feature on the existing Django database. Then you can connect to the database using your SQL users.
However, if you don't mind all the users accessing all the tables and are only concerned about the logs, maybe you can use a different settings.py or at least a different DATABASES configuration for each user?
I was able to accomplish this by giving the SQL user the IMPERSONATE permission and performing EXECUTE AS prior to the DB queries that I needed to have logged in models.py.
cursor = self.connection.cursor()
try:
cursor.execute("EXECUTE AS " + get_current_user()
except DatabaseError as e:
cursor.close()
raise e
I've recently created a App Service + SQL in my Azure account and I want to give access to some external user, maybe using SQL authentication with username and password. I know I must allow this user IP, but I cannot find where I can create credentials or a new user for him.
I've tried creating a new login and user using SQL statements but I can't access master database.
Is what I'm trying to do possible?
Thanks
There's no need to grant users access to Master. Instead connect to the target database as an administrator and simply add the user using CREATE USER
CREATE USER SomeUserName WITH PASSWORD = 'somestrongpassword123'
See generally Controlling and granting database access
Just created a new SQL database in Azure Portal, called 'mydatabase'. It automatically created a SQL login called 'mydatabaseweb' when the datasbe was created. Problem is, I can't seem to locate the password for this new login. Anyone know where this thing is? Or how to manage the logins via the portal?
Answer to this one here: Password reset for Azure database
Still not entirely certain how I missed that in the first place :/
I have created Winforms application which stores some sensitive data like username and password.
The system used by many users. I am using SQL Server Express for storing data.
The application downloads data from a remote server by sync framework. I want to create only one user for that database so I can sync that database.
My problem is that I want to hide the database from all users which are using the application and also from the sa & Windows authentication accounts. So no one can see the other usernames or passwords.
How can I do this?
If I understand well, be best way to do it is :
keep one administrative login (one login that is member of sysadmin). It will be you. You need at least one admin.
disable sa : ALTER LOGIN [sa] DISABLE;
for all other logins, add them as users in the database, but don't give them any permission. They won't be able to see anything
use an application role (which is deprecated) OR create a user without login and use EXECUTE AS (which is the new way to go): you can learn more about it here : http://msdn.microsoft.com/en-us/library/bb669062(v=vs.110).aspx and http://msdn.microsoft.com/en-us/library/bb669087(v=vs.110).aspx. That will allow you to set other permissions for your users only when the conect through the application.