Prerequisites for integrating RDS for SQL Server with S3
Before you begin, find or create the S3 bucket that you want to use. Also, add permissions so that the RDS DB instance can access the S3 bucket. To configure this access, you create both an IAM policy and an IAM role.
To create an IAM policy for access to Amazon S3
- In the IAM Management Console, choose Policies in the navigation pane.
- Create a new policy, and use the Visual editor tab for the following steps.
- For Service, enter S3 and then choose the S3 service.
- For Actions, choose the following to grant the access that your DB instance requires:
  - ListAllMyBuckets – required
  - ListBucket – required
  - GetBucketAcl – required
  - GetBucketLocation – required
  - GetObject – required for downloading files from S3 to D:\S3\
  - PutObject – required for uploading files from D:\S3\ to S3
  - ListMultipartUploadParts – required for uploading files from D:\S3\ to S3
  - AbortMultipartUpload – required for uploading files from D:\S3\ to S3
- For Resources, the options that display depend on which actions you choose in the previous step. You might see options for bucket, object, or both. For each of these, add the appropriate Amazon Resource Name (ARN).
  For bucket, add the ARN for the bucket that you want to use. For example, if your bucket is named amzn-s3-demo-bucket, set the ARN to arn:aws:s3:::amzn-s3-demo-bucket.
  For object, enter the ARN for the bucket and then choose one of the following:
  - To grant access to all files in the specified bucket, choose Any for both Bucket name and Object name.
  - To grant access to specific files or folders in the bucket, provide ARNs for the specific buckets and objects that you want SQL Server to access.
- Follow the instructions in the console until you finish creating the policy.
The preceding is an abbreviated guide to setting up a policy. For more detailed instructions on creating IAM policies, see Creating IAM policies in the IAM User Guide.
To create an IAM role that uses the IAM policy from the previous procedure
- In the IAM Management Console, choose Roles in the navigation pane.
- Create a new IAM role, and choose the following options as they appear in the console:
  - AWS service
  - RDS
  - RDS – Add Role to Database
  Then choose Next: Permissions at the bottom.
- For Attach permissions policies, enter the name of the IAM policy that you previously created. Then choose the policy from the list.
- Follow the instructions in the console until you finish creating the role.
The preceding is an abbreviated guide to setting up a role. If you want more detailed instructions on creating roles, see IAM roles in the IAM User Guide.
To grant Amazon RDS access to an Amazon S3 bucket, use the following process:
- Create an IAM policy that grants Amazon RDS access to an S3 bucket.
- Create an IAM role that Amazon RDS can assume on your behalf to access your S3 buckets.
  For more information, see Creating a role to delegate permissions to an IAM user in the IAM User Guide.
- Attach the IAM policy that you created to the IAM role that you created.
To create the IAM policy
Include the appropriate actions to grant the access your DB instance requires:
- ListAllMyBuckets – required
- ListBucket – required
- GetBucketAcl – required
- GetBucketLocation – required
- GetObject – required for downloading files from S3 to D:\S3\
- PutObject – required for uploading files from D:\S3\ to S3
- ListMultipartUploadParts – required for uploading files from D:\S3\ to S3
- AbortMultipartUpload – required for uploading files from D:\S3\ to S3
- The following AWS CLI command creates an IAM policy named rds-s3-integration-policy with these options. It grants access to a bucket named amzn-s3-demo-bucket.
  For Linux, macOS, or Unix:
      aws iam create-policy \
          --policy-name rds-s3-integration-policy \
          --policy-document '{
              "Version": "2012-10-17",
              "Statement": [
                  {
                      "Effect": "Allow",
                      "Action": "s3:ListAllMyBuckets",
                      "Resource": "*"
                  },
                  {
                      "Effect": "Allow",
                      "Action": [
                          "s3:ListBucket",
                          "s3:GetBucketAcl",
                          "s3:GetBucketLocation"
                      ],
                      "Resource": "arn:aws:s3:::amzn-s3-demo-bucket"
                  },
                  {
                      "Effect": "Allow",
                      "Action": [
                          "s3:GetObject",
                          "s3:PutObject",
                          "s3:ListMultipartUploadParts",
                          "s3:AbortMultipartUpload"
                      ],
                      "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/key_prefix/*"
                  }
              ]
          }'
  For Windows:
  Make sure to change the line endings to the ones supported by your interface (^ instead of \). Also, in Windows, you must escape all double quotes with a \. To avoid the need to escape the quotes in the JSON, you can save it to a file instead and pass that in as a parameter.
  First, create the policy.json file containing the same permission policy document that the Linux command above passes inline. Then use the following command to create the policy:
      aws iam create-policy ^
          --policy-name rds-s3-integration-policy ^
          --policy-document file://file_path/policy.json
- After the policy is created, note the Amazon Resource Name (ARN) of the policy. You need the ARN for a later step.
To create the IAM role
- The following AWS CLI command creates the rds-s3-integration-role IAM role for this purpose.
  For Linux, macOS, or Unix:
      aws iam create-role \
          --role-name rds-s3-integration-role \
          --assume-role-policy-document '{
              "Version": "2012-10-17",
              "Statement": [
                  {
                      "Effect": "Allow",
                      "Principal": {
                          "Service": "rds.amazonaws.com"
                      },
                      "Action": "sts:AssumeRole"
                  }
              ]
          }'
  For Windows:
  Make sure to change the line endings to the ones supported by your interface (^ instead of \). Also, in Windows, you must escape all double quotes with a \. To avoid the need to escape the quotes in the JSON, you can save it to a file instead and pass that in as a parameter.
  First, create the assume_role_policy.json file containing the same trust policy document that the Linux command above passes inline. Then use the following command to create the IAM role:
      aws iam create-role ^
          --role-name rds-s3-integration-role ^
          --assume-role-policy-document file://file_path/assume_role_policy.json
  Example of using the global condition context key to create the IAM role
  We recommend using the aws:SourceArn and aws:SourceAccount global condition context keys in resource-based policies to limit the service's permissions to a specific resource. This is the most effective way to protect against the confused deputy problem.
  You might use both global condition context keys and have the aws:SourceArn value contain the account ID. In this case, the aws:SourceAccount value and the account in the aws:SourceArn value must use the same account ID when used in the same policy statement.
  - Use aws:SourceArn if you want cross-service access for a single resource.
  - Use aws:SourceAccount if you want to allow any resource in that account to be associated with the cross-service use.
  In the policy, make sure to use the aws:SourceArn global condition context key with the full Amazon Resource Name (ARN) of the resources accessing the role. For S3 integration, make sure to include the DB instance ARNs, as shown in the following example.
  For Linux, macOS, or Unix:
      aws iam create-role \
          --role-name rds-s3-integration-role \
          --assume-role-policy-document '{
              "Version": "2012-10-17",
              "Statement": [
                  {
                      "Effect": "Allow",
                      "Principal": {
                          "Service": "rds.amazonaws.com"
                      },
                      "Action": "sts:AssumeRole",
                      "Condition": {
                          "StringEquals": {
                              "aws:SourceArn": "arn:aws:rds:Region:my_account_ID:db:db_instance_identifier"
                          }
                      }
                  }
              ]
          }'
  For Windows:
  Add the global condition context key to assume_role_policy.json.
To attach the IAM policy to the IAM role
- The following AWS CLI command attaches the policy to the role named rds-s3-integration-role. Replace your-policy-arn with the policy ARN that you noted in a previous step.
  For Linux, macOS, or Unix:
      aws iam attach-role-policy \
          --policy-arn your-policy-arn \
          --role-name rds-s3-integration-role
  For Windows:
      aws iam attach-role-policy ^
          --policy-arn your-policy-arn ^
          --role-name rds-s3-integration-role
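To confirm that the two documents created by this procedure match the guide (the eight required S3 actions, bucket-scoped resources) and that the role trust policy carries the aws:SourceArn or aws:SourceAccount condition that closes the confused deputy gap, here is an added example that lints both policies. It is not AWS code or part of this guide; the sample policies are constructed from the guide's CLI examples, and the account ID, Region and DB instance name in the scoped trust policy are placeholders.

```python
# Added example, not AWS code: lint the policy pair this procedure creates (placeholders below).
# The eight S3 actions the guide lists as required for S3 integration.
REQUIRED = {"s3:ListAllMyBuckets", "s3:ListBucket", "s3:GetBucketAcl", "s3:GetBucketLocation",
            "s3:GetObject", "s3:PutObject", "s3:ListMultipartUploadParts", "s3:AbortMultipartUpload"}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def check_permissions_policy(policy):
    """Findings for the S3 permissions policy; [] means it matches the guide exactly."""
    findings, granted = [], set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = set(_as_list(stmt["Action"]))
        granted |= actions
        # Only ListAllMyBuckets needs Resource "*"; every other action must name the bucket.
        if "*" in _as_list(stmt["Resource"]) and actions != {"s3:ListAllMyBuckets"}:
            findings.append("wildcard Resource for " + ", ".join(sorted(actions)))
    for label, diff in (("missing", REQUIRED - granted), ("excess", granted - REQUIRED)):
        if diff:
            findings.append(f"{label} actions: " + ", ".join(sorted(diff)))
    return findings

def check_trust_policy(policy):
    """Findings for the role trust policy; [] means only RDS, from a named source, can assume it."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt["Action"]):
            continue
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict) or _as_list(principal.get("Service")) != ["rds.amazonaws.com"]:
            findings.append("principal is not rds.amazonaws.com")
        keys = {k.lower() for op in stmt.get("Condition", {}).values() for k in op}
        if not keys & {"aws:sourcearn", "aws:sourceaccount"}:
            findings.append("no aws:SourceArn/aws:SourceAccount condition (confused deputy)")
    return findings

# Constructed inputs, following the guide's CLI examples.
BUCKET = "arn:aws:s3:::amzn-s3-demo-bucket"
PERMISSIONS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*"},
    {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetBucketAcl", "s3:GetBucketLocation"],
     "Resource": BUCKET},
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:ListMultipartUploadParts",
                                   "s3:AbortMultipartUpload"], "Resource": BUCKET + "/key_prefix/*"}]}
TRUST = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"Service": "rds.amazonaws.com"}}]}  # the guide's first trust policy
TRUST_SCOPED = {"Version": "2012-10-17", "Statement": [{**TRUST["Statement"][0], "Condition": {
    "StringEquals": {"aws:SourceArn": "arn:aws:rds:us-east-1:111122223333:db:my-sql-server-db"}}}]}
```

Running `check_trust_policy(TRUST)` flags the unconditioned trust policy, while `TRUST_SCOPED` and `PERMISSIONS` come back clean; point the same two functions at `aws iam get-policy-version` and `aws iam get-role` output to audit roles already deployed.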