Les traductions sont fournies par des outils de traduction automatique. En cas de conflit entre le contenu d'une traduction et celui de la version originale en anglais, la version anglaise prévaudra.
Configuration de l'authentification à la base de données et de l'accès aux ressources à l'aide d'un script
Le script de configuration crée un rôle géré par le client AWS KMS key, un rôle AWS Identity and Access Management (IAM) et deux AWS Secrets Manager secrets.
Procédez comme suit pour utiliser le script de configuration :
-
Assurez-vous que vous l'avez AWS CLI installé et configuré avec vos Compte AWS informations d'identification.
-
Installez le processeur de
jqligne de commandeJSON. Pour plus d'informations, consultez jqlang/jq. -
Copiez le fichier data_loading_script.zip sur votre ordinateur et extrayez-le.
data_load_aws_setup_script.sh -
Modifiez le script pour remplacer les variables d'espace réservé par les valeurs appropriées pour les éléments suivants :
-
Votre Compte AWS
-
Le Région AWS
-
Identifiants de base de données source
-
Informations d'identification de base de données
-
-
Ouvrez un nouveau terminal sur votre ordinateur et exécutez la commande suivante :
bash ./data_load_aws_setup_script.sh
Script de configuration pour l'utilitaire de chargement de données
Nous fournissons le texte du data_load_aws_setup_script.sh fichier ici à titre de référence.
#!/bin/bash # Aurora Limitless data loading - AWS resources setup script # # Set up the account credentials in advance. # # Update the following script variables. # ################################### #### Start of variable section #### ACCOUNT_ID="12-digit_AWS_account_ID" REGION="AWS_Region" DATE=$(date +'%m%d%H%M%S') RANDOM_SUFFIX="${DATE}" SOURCE_SECRET_NAME="secret-source-${DATE}" SOURCE_USERNAME="source_db_username" SOURCE_PASSWORD="source_db_password" DESTINATION_SECRET_NAME="secret-destination-${DATE}" DESTINATION_USERNAME="destination_db_username" DESTINATION_PASSWORD="destination_db_password" DATA_LOAD_IAM_ROLE_NAME="aurora-data-loader-${RANDOM_SUFFIX}" TMP_WORK_DIR="./tmp_data_load_aws_resource_setup/" #### End of variable section #### ################################# # Main logic start echo "DATE - [${DATE}]" echo "RANDOM_SUFFIX - [${RANDOM_SUFFIX}]" echo 'START!' mkdir -p $TMP_WORK_DIR # Create the symmetric KMS key for encryption and decryption. TMP_FILE_PATH="${TMP_WORK_DIR}tmp_create_key_response.txt" aws kms create-key --region $REGION | tee $TMP_FILE_PATH KMS_KEY_ARN=$(cat $TMP_FILE_PATH | jq -r '.KeyMetadata.Arn') aws kms create-alias \ --alias-name alias/"${DATA_LOAD_IAM_ROLE_NAME}-key" \ --target-key-id $KMS_KEY_ARN \ --region $REGION # Create the source secret. TMP_FILE_PATH="${TMP_WORK_DIR}tmp_create_source_secret_response.txt" aws secretsmanager create-secret \ --name $SOURCE_SECRET_NAME \ --kms-key-id $KMS_KEY_ARN \ --secret-string "{\"username\":\"$SOURCE_USERNAME\",\"password\":\"$SOURCE_PASSWORD\"}" \ --region $REGION \ | tee $TMP_FILE_PATH SOURCE_SECRET_ARN=$(cat $TMP_FILE_PATH | jq -r '.ARN') # Create the destination secret. TMP_FILE_PATH="${TMP_WORK_DIR}tmp_create_destination_secret_response.txt" aws secretsmanager create-secret \ --name $DESTINATION_SECRET_NAME \ --kms-key-id $KMS_KEY_ARN \ --secret-string "{\"username\":\"$DESTINATION_USERNAME\",\"password\":\"$DESTINATION_PASSWORD\"}" \ --region $REGION \ | tee $TMP_FILE_PATH DESTINATION_SECRET_ARN=$(cat $TMP_FILE_PATH | jq -r '.ARN') # Create the RDS trust policy JSON file. # Use only rds.amazonaws.com for RDS PROD use cases. TRUST_POLICY_PATH="${TMP_WORK_DIR}rds_trust_policy.json" echo '{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": [ "rds.amazonaws.com" ] }, "Action": "sts:AssumeRole" } ] }' > $TRUST_POLICY_PATH # Create the IAM role. TMP_FILE_PATH="${TMP_WORK_DIR}tmp_create_iam_role_response.txt" aws iam create-role \ --role-name $DATA_LOAD_IAM_ROLE_NAME \ --assume-role-policy-document "file://${TRUST_POLICY_PATH}" \ --tags Key=assumer,Value=aurora_limitless_table_data_load \ --region $REGION \ | tee $TMP_FILE_PATH IAM_ROLE_ARN=$(cat $TMP_FILE_PATH | jq -r '.Role.Arn') # Create the permission policy JSON file. PERMISSION_POLICY_PATH="${TMP_WORK_DIR}data_load_permission_policy.json" permission_json_policy=$(cat <<EOF { "Version": "2012-10-17", "Statement": [ { "Sid": "Ec2Permission", "Effect": "Allow", "Action": [ "ec2:DescribeNetworkInterfaces", "ec2:CreateNetworkInterface", "ec2:DeleteNetworkInterface", "ec2:CreateNetworkInterfacePermission", "ec2:DeleteNetworkInterfacePermission", "ec2:DescribeNetworkInterfacePermissions", "ec2:ModifyNetworkInterfaceAttribute", "ec2:DescribeNetworkInterfaceAttribute", "ec2:DescribeAvailabilityZones", "ec2:DescribeRegions", "ec2:DescribeVpcs", "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups", "ec2:DescribeNetworkAcls" ], "Resource": "*" }, { "Sid": "SecretsManagerPermissions", "Effect": "Allow", "Action": [ "secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret" ], "Resource": [ "$SOURCE_SECRET_ARN", "$DESTINATION_SECRET_ARN" ] }, { "Sid": "KmsPermissions", "Effect": "Allow", "Action": [ "kms:Decrypt", "kms:DescribeKey", "kms:GenerateDataKey" ], "Resource": "$KMS_KEY_ARN" }, { "Sid": "RdsPermissions", "Effect": "Allow", "Action": [ "rds:DescribeDBClusters", "rds:DescribeDBInstances" ], "Resource": "*" } ] } EOF ) echo $permission_json_policy > $PERMISSION_POLICY_PATH # Add the inline policy. aws iam put-role-policy \ --role-name $DATA_LOAD_IAM_ROLE_NAME \ --policy-name aurora-limitless-data-load-policy \ --policy-document "file://${PERMISSION_POLICY_PATH}" \ --region $REGION # Create the key policy JSON file. KEY_POLICY_PATH="${TMP_WORK_DIR}data_load_key_policy.json" key_json_policy=$(cat <<EOF { "Id": "key-aurora-limitless-data-load-$RANDOM_SUFFIX", "Version": "2012-10-17", "Statement": [ { "Sid": "Enable IAM User Permissions", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::$ACCOUNT_ID:root" }, "Action": "kms:*", "Resource": "*" }, { "Sid": "Allow use of the key", "Effect": "Allow", "Principal": { "AWS": "$IAM_ROLE_ARN" }, "Action": [ "kms:Decrypt", "kms:DescribeKey", "kms:GenerateDataKey" ], "Resource": "*" } ] } EOF ) echo $key_json_policy > $KEY_POLICY_PATH # Add the key policy. TMP_FILE_PATH="${TMP_WORK_DIR}tmp_put_key_policy_response.txt" sleep 10 # sleep 10 sec for IAM role ready aws kms put-key-policy \ --key-id $KMS_KEY_ARN \ --policy-name default \ --policy "file://${KEY_POLICY_PATH}" \ --region $REGION \ | tee $TMP_FILE_PATH echo 'DONE!' echo "ACCOUNT_ID : [${ACCOUNT_ID}]" echo "REGION : [${REGION}]" echo "RANDOM_SUFFIX : [${RANDOM_SUFFIX}]" echo "IAM_ROLE_ARN : [${IAM_ROLE_ARN}]" echo "SOURCE_SECRET_ARN : [${SOURCE_SECRET_ARN}]" echo "DESTINATION_SECRET_ARN : [${DESTINATION_SECRET_ARN}]" # Example of a successful run: # ACCOUNT_ID : [012345678912] # REGION : [ap-northeast-1] # RANDOM_SUFFIX : [0305000703] # IAM_ROLE_ARN : [arn:aws:iam::012345678912:role/aurora-data-loader-0305000703] # SOURCE_SECRET_ARN : [arn:aws:secretsmanager:ap-northeast-1:012345678912:secret:secret-source-0305000703-yQDtow] # DESTINATION_SECRET_ARN : [arn:aws:secretsmanager:ap-northeast-1:012345678912:secret:secret-destination-0305000703-5d5Jy8] # If you want to manually clean up failed resource, # please remove them in the following order: # 1. IAM role. # aws iam delete-role-policy --role-name Test-Role --policy-name ExamplePolicy --region us-east-1 # aws iam delete-role --role-name Test-Role --region us-east-1 # 2. Source and destination secrets. # aws secretsmanager delete-secret --secret-id MyTestSecret --force-delete-without-recovery --region us-east-1 # 3. KDM key. # aws kms schedule-key-deletion --key-id arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab --pending-window-in-days 7 --region us-east-1
Sortie du script de configuration de l'utilitaire de chargement de données
L'exemple suivant montre le résultat d'une exécution réussie du script.
% bash ./data_load_aws_setup_script.sh DATE - [0305000703] RANDOM_SUFFIX - [0305000703] START! { "KeyMetadata": { "AWSAccountId": "123456789012", "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab", "Arn": "arn:aws:kms:ap-northeast-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab", "CreationDate": "2024-03-05T00:07:49.852000+00:00", "Enabled": true, "Description": "", "KeyUsage": "ENCRYPT_DECRYPT", "KeyState": "Enabled", "Origin": "AWS_KMS", "KeyManager": "CUSTOMER", "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT", "KeySpec": "SYMMETRIC_DEFAULT", "EncryptionAlgorithms": [ "SYMMETRIC_DEFAULT" ], "MultiRegion": false } } { "ARN": "arn:aws:secretsmanager:ap-northeast-1:123456789012:secret:secret-source-0305000703-yQDtow", "Name": "secret-source-0305000703", "VersionId": "a017bebe-a71b-4220-b923-6850c2599c26" } { "ARN": "arn:aws:secretsmanager:ap-northeast-1:123456789012:secret:secret-destination-0305000703-5d5Jy8", "Name": "secret-destination-0305000703", "VersionId": "32a1f989-6391-46b1-9182-f65d242f5eb6" } { "Role": { "Path": "/", "RoleName": "aurora-data-loader-0305000703", "RoleId": "AROAYPX63ITQOYORQSC6U", "Arn": "arn:aws:iam::123456789012:role/aurora-data-loader-0305000703", "CreateDate": "2024-03-05T00:07:54+00:00", "AssumeRolePolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": [ "rds.amazonaws.com" ] }, "Action": "sts:AssumeRole" } ] }, "Tags": [ { "Key": "assumer", "Value": "aurora_limitless_table_data_load" } ] } } DONE! ACCOUNT_ID : [123456789012] REGION : [ap-northeast-1] RANDOM_SUFFIX : [0305000703] IAM_ROLE_ARN : [arn:aws:iam::123456789012:role/aurora-data-loader-0305000703] SOURCE_SECRET_ARN : [arn:aws:secretsmanager:ap-northeast-1:123456789012:secret:secret-source-0305000703-yQDtow] DESTINATION_SECRET_ARN : [arn:aws:secretsmanager:ap-northeast-1:123456789012:secret:secret-destination-0305000703-5d5Jy8]
Nettoyage des ressources défaillantes
Si vous souhaitez nettoyer manuellement les ressources défaillantes, supprimez-les dans l'ordre suivant :
-
IAMrôle, par exemple :
aws iam delete-role-policy \ --role-name Test-Role \ --policy-name ExamplePolicy aws iam delete-role \ --role-name Test-Role -
Secrets de source et de destination, par exemple :
aws secretsmanager delete-secret \ --secret-id MyTestSecret \ --force-delete-without-recovery -
KMSclé, par exemple :
aws kms schedule-key-deletion \ --key-id arn:aws:kms:us-west-2:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab \ --pending-window-in-days 7
Vous pouvez ensuite réessayer le script.
