i'm trying to rewrite my infrastructure to cdk, I want to create ECS cluster with rails app with RDS MySQL, but I don't want to allow rails to connect with admin credentials, so I need to create rails user in db with proper GRANTS, how can I add mysql user with credentials from SSM with specific GRANTS?
Related
My new RDS Postgres database is Active, but when I go to Secrets Manager, it is not available to select. What am I doing wrong?
Is it possible for an app bound to a service to update this service? Or is it something only an admin Cf can do ?
For instance, I would like to execute the following command
cf update-service test_db -c '{"data":{"serviceStopped":true}}'
What I have in mind: create an app bound to test_db to update the value of the dictionnary.
Is it possible for an app bound to a service to update this service? Or is it something only an admin Cf can do ?
Yes, but it requires credentials. The application on CF itself has no permissions, so you would need to supply the credentials of a user or client that has permissions that the application can use to update the service.
Any user or client that is in the same org and space as the service with the SpaceDev role will have access to update the service.
If you want to have an application make calls to the Cloud Controller, like to update a database, you can do that by embedding the cf CLI and invoking it, you can use a library like the cf-java-client, or you can use the REST API directly.
I have an app created in Django and React, but there are few problems that I am facing :-
As I will have a large database(postgres) exclusily for a single user, I am creating different AWS EC2 instance for every user.
Whenever there is a new user then I have to go and manually install postgres, setup nginx and other important things and this is just for Django in EC2. Then I setup ReactJS frontend in Amazon S3.
How can i automate this so that when a paid user signs up, everything happens automatically.
The following should happen automatically:
- Automatically create a new EC2 instance, and deploy backend (This including installing several libraries, Postgres, Redis, async task queue (We use Huey which is like Celery), making migrations and other trivial stuff)
- Automatically make an S3 bucket and deploy frontend for the user. We will have to setup domains .etc for this.
Would like to know your inputs on how to approach this problem.
I was successfully able to connect to RDS like any other database connection.
I use spring jpa data ( repository ) to do CRUD operation on postgres db.
currently I provide the db url and the credential in the properties file
spring:
datasource:
url: jdbc:postgresql://<rds-endpoint>:5432/<dbschema>
username: <dbuser>
password: <dbpassword>
However this is not an option while connecting to production or preproduction.
what is the best practise here.
Does AWS provide any inbuild mechanism to read these details from an endpoint like in the case of accessing S3 ?
My intention is not expose the password.
Several options are available to you:
Use the recently announced IAM access to Postgres RDS
Use Systems Manager Parameter Store to store the password
Use Secrets Manager to store the password and automatically rotate credentials
For 2 and 3, look up the password on application start in Spring using a PropertyPlaceholderConfiguration and the AWSSimpleSystemsManagement client (GetParameter request). SystemsManager can proxy requests to SecretsManager to keep a single interface in your code to access parameters.
IAM credentials is more secure in that:
If using EC2 instance profiles, access to the database uses short lived temporary credentials.
If not on EC2 you can generate short lived authentication tokens.
The password is not stored in your configuration.
If you have a separate database team they can manage access independent of the application user.
Removing access can be done via IAM
another generic option I found was to use AWS Secret Manager
(doc link)
RDS specific solution is to connect to DB Instance Using the AWS SDK using IAMDBAuth
I have everything setup and working with rolling deploys and being able to do git aws.push but how do I add a authorized key to EB server so my CI server can deploy as well?
Since you are using Shippable, I found this guide on Continuous Delivery using Shippable and Amazon Elastic Beanstalk that shows how to set it up on their end. Specifically, step 3 is what you are looking for.
It doesn't look like you need an authorized key, instead, you just need to give an AWS ID and AWS Secret Key that will allow Shippable to make API calls on your behalf. To do this, I recommend creating an IAM role that is specifically for Shippable. That way you can revoke it if you ever need to and only give it the permissions that it needs.