In this tutorial, we will demonstrate how to set up Just-in-Time (JIT) access using the Bytebase GUI connecting to Amazon Aurora.
GRANT SELECT ON …). You can’t manage fine-grained table-level permissions solely through IAM.
Choose RDS IAM Authentication for service, the connect permission, and specific as Resource. Check Any in this account. Name the policy rds-connect and create this policy.
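The policy document those console choices produce, written out as an added example (not from the original tutorial): rds-db:connect is the action behind RDS IAM Authentication > connect, and the wildcard Resource is what Any in this account means. REGION and ACCOUNT_ID are placeholders to fill in for your account.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RdsConnectAnyDbUserInThisAccount",
      "Effect": "Allow",
      "Action": "rds-db:connect",
      "Resource": "arn:aws:rds-db:<REGION>:<ACCOUNT_ID>:dbuser:*/*"
    }
  ]
}
```

The wildcard grants IAM connect to every database user on every RDS/Aurora instance in the account; to follow least privilege once the setup works, narrow Resource to the instance's DbiResourceId and the database user Bytebase connects with, e.g. dbuser:<DbiResourceId>/bytebase (assuming bytebase is that user, as configured later in this tutorial).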
Create a user named rds-connector. Choose Attach policies directly and select the rds-connect policy. Click Next and then click Create user.
Choose Application running on AWS compute service as the use case, because you will run Bytebase in an EC2 instance. Click Next.
Save the Access key ID and Secret access key for later use.
bb is used for Bytebase metadata.
Add the Aurora instance to Bytebase with the following settings:
- Instance name: AWS Aurora MySQL Prod
- Environment: Prod
- Host: aurora-mysql-instance-prod.ctxxxxxxx5.ap-xxxxx-1.rds.amazonaws.com
- Port: 3306
- Authentication: AWS RDS IAM
- Username: bytebase
- Region: ap-xxxxx-1
Create a project named Aurora MySQL Project.
This tutorial uses the employee database. Double click the employee database and you’ll see the data.
The (workspace) admin has full access to the database. Click IAM&Admin > Users&Groups on the left bar, and then click Add user.
Add a user dev with the role Project Developer. This project-level role will be applied to all projects automatically.
As the dev user, click Select Project on the top sidebar, and choose Aurora MySQL Project. You can see the employee database, but accessing the employee database is impossible, because this is the Community Plan.
As the admin user, go into Aurora MySQL Project and click Manage > Members on the left sidebar.
Select dev, select the SQL Editor User role, set a 1 day Expiration, and click the Confirm button. Note that in the Community Plan you can only grant access to all databases in the project.
Log in as the dev user again; you now have access to the production database in SQL Editor. After one day, the access will expire automatically.
As the admin user, go into Aurora MySQL Project and revoke the dev user’s access to the production database.
Add a risk rule for Request Querier Role which triggers when the environment is Prod, with the risk level high. For high risk, assign the approval flow Project Owner. With this in place, a Request Querier Role request triggers the approval flow whenever the environment is Prod.
Log in as the dev user again, then go to the SQL Editor page. Click Connect to a database or Select a database to start. You should see the hr_prod and hr_test databases listed; click Request query to request JIT access.
Select the employee, salary and title tables under the hr_prod database, and click the OK button. Here you may also specify the expiration time, which can be a specific time or a time relative to now.
As the dev user, go to SQL Editor; you should be able to query the employee table. If you query other tables, you will get an error suggesting that you request JIT access.
Once the dev user gets the access, he can solve the incident. The admin user can revoke the access directly from the Manage > Members page or wait for the access to expire.
The admin user can also check the audit log by clicking IAM&Admin > Audit Log on the left sidebar. The audit log will show all the data access history of the dev user.