# Setting up database authentication and resource access using a script Setting up access using a script The setup script creates one customer-managed AWS KMS key, one AWS Identity and Access Management (IAM) role, and two AWS Secrets Manager secrets. Perform the following steps to use the setup script: 1. Make sure that you have the AWS CLI installed and configured with your AWS account credentials. 1. Install the `jq` command-line JSON processor. For more information, see [jqlang/jq](https://github.com/jqlang/jq). 1. Copy the [data\$1loading\$1script.zip](samples/data_loading_script.zip) file to your computer, and extract the `data_load_aws_setup_script.sh` file from it. 1. Edit the script to replace the placeholder variables with the appropriate values for the following: + Your AWS account + The AWS Region + Source database credentials + Destination database credentials 1. Open a new terminal on your computer and run the following command: ``` bash ./data_load_aws_setup_script.sh ``` ## Setup script for the data loading utility We provide the text of the `data_load_aws_setup_script.sh` file here for reference. ``` #!/bin/bash # Aurora Limitless data loading - AWS resources setup script # # Set up the account credentials in advance. # # Update the following script variables. # ################################### #### Start of variable section #### ACCOUNT_ID="12-digit_AWS_account_ID" REGION="AWS_Region" DATE=$(date +'%m%d%H%M%S') RANDOM_SUFFIX="${DATE}" SOURCE_SECRET_NAME="secret-source-${DATE}" SOURCE_USERNAME="source_db_username" SOURCE_PASSWORD="source_db_password" DESTINATION_SECRET_NAME="secret-destination-${DATE}" DESTINATION_USERNAME="destination_db_username" DESTINATION_PASSWORD="destination_db_password" DATA_LOAD_IAM_ROLE_NAME="aurora-data-loader-${RANDOM_SUFFIX}" TMP_WORK_DIR="./tmp_data_load_aws_resource_setup/" #### End of variable section #### ################################# # Main logic start echo "DATE - [${DATE}]" echo "RANDOM_SUFFIX - [${RANDOM_SUFFIX}]" echo 'START!' mkdir -p $TMP_WORK_DIR # Create the symmetric KMS key for encryption and decryption. TMP_FILE_PATH="${TMP_WORK_DIR}tmp_create_key_response.txt" aws kms create-key --region $REGION | tee $TMP_FILE_PATH KMS_KEY_ARN=$(cat $TMP_FILE_PATH | jq -r '.KeyMetadata.Arn') aws kms create-alias \ --alias-name alias/"${DATA_LOAD_IAM_ROLE_NAME}-key" \ --target-key-id $KMS_KEY_ARN \ --region $REGION # Create the source secret. TMP_FILE_PATH="${TMP_WORK_DIR}tmp_create_source_secret_response.txt" aws secretsmanager create-secret \ --name $SOURCE_SECRET_NAME \ --kms-key-id $KMS_KEY_ARN \ --secret-string "{\"username\":\"$SOURCE_USERNAME\",\"password\":\"$SOURCE_PASSWORD\"}" \ --region $REGION \ | tee $TMP_FILE_PATH SOURCE_SECRET_ARN=$(cat $TMP_FILE_PATH | jq -r '.ARN') # Create the destination secret. TMP_FILE_PATH="${TMP_WORK_DIR}tmp_create_destination_secret_response.txt" aws secretsmanager create-secret \ --name $DESTINATION_SECRET_NAME \ --kms-key-id $KMS_KEY_ARN \ --secret-string "{\"username\":\"$DESTINATION_USERNAME\",\"password\":\"$DESTINATION_PASSWORD\"}" \ --region $REGION \ | tee $TMP_FILE_PATH DESTINATION_SECRET_ARN=$(cat $TMP_FILE_PATH | jq -r '.ARN') # Create the RDS trust policy JSON file. # Use only rds.amazonaws.com for RDS PROD use cases. TRUST_POLICY_PATH="${TMP_WORK_DIR}rds_trust_policy.json" echo '{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": [ "rds.amazonaws.com" ] }, "Action": "sts:AssumeRole" } ] }' > $TRUST_POLICY_PATH # Create the IAM role. TMP_FILE_PATH="${TMP_WORK_DIR}tmp_create_iam_role_response.txt" aws iam create-role \ --role-name $DATA_LOAD_IAM_ROLE_NAME \ --assume-role-policy-document "file://${TRUST_POLICY_PATH}" \ --tags Key=assumer,Value=aurora_limitless_table_data_load \ --region $REGION \ | tee $TMP_FILE_PATH IAM_ROLE_ARN=$(cat $TMP_FILE_PATH | jq -r '.Role.Arn') # Create the permission policy JSON file. PERMISSION_POLICY_PATH="${TMP_WORK_DIR}data_load_permission_policy.json" permission_json_policy=$(cat <<EOF { "Version": "2012-10-17", "Statement": [ { "Sid": "Ec2Permission", "Effect": "Allow", "Action": [ "ec2:DescribeNetworkInterfaces", "ec2:CreateNetworkInterface", "ec2:DeleteNetworkInterface", "ec2:CreateNetworkInterfacePermission", "ec2:DeleteNetworkInterfacePermission", "ec2:DescribeNetworkInterfacePermissions", "ec2:ModifyNetworkInterfaceAttribute", "ec2:DescribeNetworkInterfaceAttribute", "ec2:DescribeAvailabilityZones", "ec2:DescribeRegions", "ec2:DescribeVpcs", "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups", "ec2:DescribeNetworkAcls" ], "Resource": "*" }, { "Sid": "SecretsManagerPermissions", "Effect": "Allow", "Action": [ "secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret" ], "Resource": [ "$SOURCE_SECRET_ARN", "$DESTINATION_SECRET_ARN" ] }, { "Sid": "KmsPermissions", "Effect": "Allow", "Action": [ "kms:Decrypt", "kms:DescribeKey", "kms:GenerateDataKey" ], "Resource": "$KMS_KEY_ARN" }, { "Sid": "RdsPermissions", "Effect": "Allow", "Action": [ "rds:DescribeDBClusters", "rds:DescribeDBInstances" ], "Resource": "*" } ] } EOF ) echo $permission_json_policy > $PERMISSION_POLICY_PATH # Add the inline policy. aws iam put-role-policy \ --role-name $DATA_LOAD_IAM_ROLE_NAME \ --policy-name aurora-limitless-data-load-policy \ --policy-document "file://${PERMISSION_POLICY_PATH}" \ --region $REGION # Create the key policy JSON file. KEY_POLICY_PATH="${TMP_WORK_DIR}data_load_key_policy.json" key_json_policy=$(cat <<EOF { "Id": "key-aurora-limitless-data-load-$RANDOM_SUFFIX", "Version": "2012-10-17", "Statement": [ { "Sid": "Enable IAM User Permissions", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::$ACCOUNT_ID:root" }, "Action": "kms:*", "Resource": "*" }, { "Sid": "Allow use of the key", "Effect": "Allow", "Principal": { "AWS": "$IAM_ROLE_ARN" }, "Action": [ "kms:Decrypt", "kms:DescribeKey", "kms:GenerateDataKey" ], "Resource": "*" } ] } EOF ) echo $key_json_policy > $KEY_POLICY_PATH # Add the key policy. TMP_FILE_PATH="${TMP_WORK_DIR}tmp_put_key_policy_response.txt" sleep 10 # sleep 10 sec for IAM role ready aws kms put-key-policy \ --key-id $KMS_KEY_ARN \ --policy-name default \ --policy "file://${KEY_POLICY_PATH}" \ --region $REGION \ | tee $TMP_FILE_PATH echo 'DONE!' echo "ACCOUNT_ID : [${ACCOUNT_ID}]" echo "REGION : [${REGION}]" echo "RANDOM_SUFFIX : [${RANDOM_SUFFIX}]" echo "IAM_ROLE_ARN : [${IAM_ROLE_ARN}]" echo "SOURCE_SECRET_ARN : [${SOURCE_SECRET_ARN}]" echo "DESTINATION_SECRET_ARN : [${DESTINATION_SECRET_ARN}]" # Example of a successful run: # ACCOUNT_ID : [012345678912] # REGION : [ap-northeast-1] # RANDOM_SUFFIX : [0305000703] # IAM_ROLE_ARN : [arn:aws:iam::012345678912:role/aurora-data-loader-0305000703] # SOURCE_SECRET_ARN : [arn:aws:secretsmanager:ap-northeast-1:012345678912:secret:secret-source-0305000703-yQDtow] # DESTINATION_SECRET_ARN : [arn:aws:secretsmanager:ap-northeast-1:012345678912:secret:secret-destination-0305000703-5d5Jy8] # If you want to manually clean up failed resource, # please remove them in the following order: # 1. IAM role. # aws iam delete-role-policy --role-name Test-Role --policy-name ExamplePolicy --region us-east-1 # aws iam delete-role --role-name Test-Role --region us-east-1 # 2. Source and destination secrets. # aws secretsmanager delete-secret --secret-id MyTestSecret --force-delete-without-recovery --region us-east-1 # 3. KDM key. # aws kms schedule-key-deletion --key-id arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab --pending-window-in-days 7 --region us-east-1 ``` ## Output from the data loading utility setup script The following example shows the output from a successful run of the script. ``` % bash ./data_load_aws_setup_script.sh DATE - [0305000703] RANDOM_SUFFIX - [0305000703] START! { "KeyMetadata": { "AWSAccountId": "123456789012", "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab", "Arn": "arn:aws:kms:ap-northeast-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab", "CreationDate": "2024-03-05T00:07:49.852000+00:00", "Enabled": true, "Description": "", "KeyUsage": "ENCRYPT_DECRYPT", "KeyState": "Enabled", "Origin": "AWS_KMS", "KeyManager": "CUSTOMER", "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT", "KeySpec": "SYMMETRIC_DEFAULT", "EncryptionAlgorithms": [ "SYMMETRIC_DEFAULT" ], "MultiRegion": false } } { "ARN": "arn:aws:secretsmanager:ap-northeast-1:123456789012:secret:secret-source-0305000703-yQDtow", "Name": "secret-source-0305000703", "VersionId": "a017bebe-a71b-4220-b923-6850c2599c26" } { "ARN": "arn:aws:secretsmanager:ap-northeast-1:123456789012:secret:secret-destination-0305000703-5d5Jy8", "Name": "secret-destination-0305000703", "VersionId": "32a1f989-6391-46b1-9182-f65d242f5eb6" } { "Role": { "Path": "/", "RoleName": "aurora-data-loader-0305000703", "RoleId": "AROAYPX63ITQOYORQSC6U", "Arn": "arn:aws:iam::123456789012:role/aurora-data-loader-0305000703", "CreateDate": "2024-03-05T00:07:54+00:00", "AssumeRolePolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": [ "rds.amazonaws.com" ] }, "Action": "sts:AssumeRole" } ] }, "Tags": [ { "Key": "assumer", "Value": "aurora_limitless_table_data_load" } ] } } DONE! ACCOUNT_ID : [123456789012] REGION : [ap-northeast-1] RANDOM_SUFFIX : [0305000703] IAM_ROLE_ARN : [arn:aws:iam::123456789012:role/aurora-data-loader-0305000703] SOURCE_SECRET_ARN : [arn:aws:secretsmanager:ap-northeast-1:123456789012:secret:secret-source-0305000703-yQDtow] DESTINATION_SECRET_ARN : [arn:aws:secretsmanager:ap-northeast-1:123456789012:secret:secret-destination-0305000703-5d5Jy8] ``` ## Cleaning up failed resources If you want to clean up failed resources manually, remove them in the following order: 1. IAM role, for example: ``` aws iam delete-role-policy \ --role-name Test-Role \ --policy-name ExamplePolicy aws iam delete-role \ --role-name Test-Role ``` 1. Source and destination secrets, for example: ``` aws secretsmanager delete-secret \ --secret-id MyTestSecret \ --force-delete-without-recovery ``` 1. KMS key, for example: ``` aws kms schedule-key-deletion \ --key-id arn:aws:kms:us-west-2:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab \ --pending-window-in-days 7 ``` Then you can retry the script.