I have some trouble concerning the RDS / Managed AD connection:
I've set up the AWS Managed Microsoft AD and added some users.
Then, I've set up an MS-SQL Database in RDS.
Now, while accessing it via SQL Server Management Studio works flawlessly I simply cannot add the AD users I've created.
I get the following error: The program cannot open the required dialog box because it cannot determine whether the computer named "Network Name Resource" is joined to a domain
Looking at the AD, I can see that the RDS instance is indeed missing.
How can that be? In the RDS console I can it clearly being attached to the Domain?
Have searched this issue for quite some time and hope someone can help me out here...
You must be signed into SSMS via domain account with privileges to add/modify users' logins for that search box to work.
Furthermore, it is non-obvious but you can confirm that your RDS instance is in the domain by using ADAC or ADUC and looking under: AWS Reserved > RDS
Related
I am working on a project where a user clicks a link/button that says Access VM on a webpage, it should internally spin up a Linux based VM (using GCP, AWS or Azure) and provide the VM terminal in a new browser tab for the user to play around in the VM.
How can I achieve this using GCP/AWS/Azure? Which type of VM should I create so that the user can access the VM terminal over a browser without using an SSH client?
I tried creating a VM on Azure and explored the Bastion option. But this Bastion session should always be initiated from within the Azure portal.
Do we have any other option within GCP, AWS or Azure to achieve this?
I am looking for something similar to katacoda website.
There's no built in feature in GCP that will allow such thing possible. There is a button "SSH" in the VM's list but you have to be able to view the list and also have the permission to connect to the instance. But that requires to actually log into GCP which I believe is not what you want.
**You could try and built some solution that after clicking an "Connect" button you your website would send a series of commands to GCP's API to create & connect to the new isntance. It's possible but rather complicated.
Have a look at the documentation how to connect to VM using browser - maybe it will give yolu some ideas.
Ultimately use many other 3rd party tools but you still need to provide an address and credentials - additionally you rely on a service that you don't control so you have to take security (and reliability) into consideration.
At the end you may also consider going through general information how to connect to GCP's instances.
When using the Google Cloud SQL instance, SSL can be enabled using the Server Certificate server-ca.pem downloaded from the Google Cloud SQL instance's Connections section. The Server Certificate seems to be only for a single instance. If I have multiple instances I will need to download and use multiple Server Certificates.
Is there a way to upload or customize the Server Certificate of the Google Cloud SQL instances that I am using? My goal is to use a single Root CA Certificate that can connect to all the Google Cloud SQL instances that I have. I read through the Google documentation and still not able to clearly understand whether it is possible. Appreciate any input from the community.
Example, for Amazon RDS, it supports a root certificate that works for all AWS Regions. I would like to understand whether there is something similar Google Cloud SQL is using.
Currently this is not possible. You can only manage client certificates as you mentioned. I found this Feature Request(FR) in the Public Issue Tracker. I would recommend you to "star" it to ensure that you receive updates about it. You can also adjust notification settings by clicking the gear icon in the top right corner and selecting settings.
The FR are evaluated by the number of users being affected by that. The more stars it have, the more possibilities to be developed it has.
In the end I don't think that having all the Instances with the same Certificate should be the best path to follow. I understand that this could help to reduce the amount of sensitive data managed, but in the end you "would never put all its eggs into one basket". This could be risky.
we have a Windows EC2 instance created. We have a need to remote desktop into the instance occasionally to execute a PowerShell script that updates Microsoft's Power BI Gateway. This is all implemented in a sandbox environment. We're looking at steps/actions to implement in a production environment. From research, I have found that we need to have a different key pair for each user. I think this makes sense. But, the logistics of implementing this is beyond my knowledge. I have some basic questions that perhaps can help steer me in the right direction:
How do I generate a key pair for each user? Where would these be maintained? How do I assign the key pair by user? Do I need to create a new user in the IAM console?
Is there a way to rotate the key pairs?
An instance can only have a single key pair associated with it at a time. Does this mean that after each use, I should detach my key pair and the next user needs to attach their key pair? This all seems very manual.
This is the first I've had to deal with virtual servers and security management of said server. But, it seems that AWS would offer a service that automates this process?
Thank you.
Use AWS Systems Manager Run Command to automate common admin tasks across your EC2 instances.
When a Windows Amazon EC2 instance is launched, a random Administrator password is generated.
This password is then encrypted using the keypair selected when the instance is launched. You can access it via "Get Windows Password", and supplying the keypair.
Once you login, you are welcome to change the Administrator password or connect the instance to Active Directory.
You can also create additional Windows logins for your other users.
So, your choice is to either "share" a login for whoever needs to run the script, or give them each their own Windows login and their own password.
I also like #jarmod's idea of using the Systems Manager Run Command to execute a script without logging in!
I just don't understand that why AWS RDS SQL SERVER does not allow any admin level rights to perform. It simply says I do not have permission. I logged in using master username and password.
EXEC sp_addmessage #msgnum = 60000, #severity = 16,
#msgtext = N'The item named %s already exists in %s.',
#lang = 'us_english';
GRANT CONTROL SERVER TO [adminUser];
I am finding pretty hard to figure out , how to deal with this.
This is forcing me to not to use AWS nemore.
RDS is a managed service provided by AWS. The whole point of RDS is that they manage the server for you. In order to ensure they are able to properly manage it, you do not have full admin rights to the server. They give you enough control that they think you require.
If you need more control, or you feel these restrictions are too limiting, then RDS may not be the service for you.
This is for anyone still looking for the solution, probably RDS parameter group will help you. you can update some of these configurations from AWS console with the RDS parameter group. See this article:
https://www.mssqltips.com/sqlservertip/5329/setting-sql-server-configuration-options-with-aws-rds-parameter-groups/
I need to create a new MySQL user with limited permission on an existing Amazon RDS instance. After encountering a couple error messages I was sort of able to do this using the official MySQL Administrator tool and the user now appears in the list. However, I'm unable to assign any schema privileges as all the users are greyed out. I'm logged in as the "master user" created when the instance was launched. Not sure where to go from here. I do have the RDS command line tools installed but wasn't able to track down anything there either. Ideas
Your best bet is probably to connect to the database with a mysql command line client and call the SQL commands to create a new user and assign him privileges.
For instance, you might run something like this:
mysql -u [your_master_username] -p -h YOURRDSENDPOINT.rds.amazonaws.com
CREATE USER 'jeffrey'#'%' IDENTIFIED BY 'somepassword';
GRANT SELECT ON [your_database].[some_table] TO 'jeffrey'#'%';
On windows you could use the mysql.exe client, wherever that is.
Useful Docs
AWS RDS security groups documentation (a common area of confusion): http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithSecurityGroups.html
User creation documentation: http://dev.mysql.com/doc/refman/5.5/en/create-user.html
Privilege granting documentation: http://dev.mysql.com/doc/refman/5.5/en/grant.html
I know this thread is a couple of years old and well I keep finding it so I wanted to get an update out about the AWS RDS and User Permissions.
You cannot use GRANT ALL for any user with an RDS. When you use the GRANT ALL statement you are also attempting to provide Global (as AWS Calls them Super Permissions) and with the way that the AWS RDS System is setup they do not allow assigning of Global Options to users.
You have to break out the Permissions to the following:
GRANT SELECT,INSERT,UPDATE,DELETE,DROP on
This will allow your user to be able to connect to the RDS once the security settings are setup to allow access from your EC2 Instances or from the Internet.
Hope this information helps anyone else that is running into the same issues that I was seeing with the AWS RDS Systems.
Waldo
I created like this:
CREATE USER 'jeffrey'#'localhost' IDENTIFIED BY 'somepassword';
GRANT SELECT ON mydatabase.* TO 'jeffrey'#'localhost';
But then, AWS rejected to login to that user. And I tried to change Admin privileges, but not success. And I change 'localhost' to '%' through mysql workbench. (or you can remove the user and recreate) like :
CREATE USER 'jeffrey'#'%' IDENTIFIED BY 'somepassword';
GRANT SELECT ON mydatabase.* TO 'jeffrey'#'%';
Then only I was able to loggin through this new user.
In addition:
Once you done this change, then your database allowed to connect from any ip. If you need to improve the security and restrict the accessing ip (Ex: if this is a staging database), you can set the bind-address in my.cnf file in your server.
bind-address = your.ip.add.ress
enter link description here
I had the most success using MySQL Workbench and executing raw SQL against RDS:
CREATE USER 'foo'#'localhost' IDENTIFIED BY 'password';
The bigger problem was permissions. Initially I tried:
Grant ALL on *.* to 'foo'#'localhost'
... which results in an Access Denied error.
Error Code: 1045. Access denied for user 'foo'#'%' (using password: YES)
The troublesome permission is "super" which RDS doesn't give me, and in turn I can't grant. As a result, I'm stuck doing permissions by hand:
Grant SELECT on *.* to 'foo'#'localhost';
Grant INSERT on *.* to 'foo'#'localhost';
Grant CREATE on *.* to 'foo'#'localhost';
I have used mySQL workbench and it works fine. just go to management/Users and Privileges, press "Add Account" button bottom left, and configure. You cannot give SUPER privileges, but most of the rest