Assign the Permissions Policy to the IAM Role for Amazon RDS for SQL Server

Choose an authentication method and assign the permissions policy to the IAM role based on the authentication method.

  • IAM Role: In the AWS Console, create an IAM role and attach the IAM role to the instance that acts as the access node, which is a Windows SQL EC2 client.

    Note

    If IAM Role authentication is selected for the Amazon client, but an access node that is not associated with the IAM role is used for the backup or restore, the operation fails.

    The IAM role must have appropriate permissions, which can be any of the following:

  • Access and Secret Key: Obtain the key pair (access key and secret key) from the Amazon EC2 Web site under Security Credentials.

    When configuring the backup and restore support, verify that the IAM role that is associated with the option group has an AWS permissions policy that grants the following permissions on the S3 bucket and its objects:

    • List (ListBucket)

    • Read (GetBucketLocation, GetObject, ListMultipartUploadParts)

    • Write (AbortMultipartUpload, PutObject)

      The following sample script assigns the permissions policy to the IAM role for a root user:

      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "s3:ListBucket",
                      "s3:GetBucketLocation"
                  ],
                  "Resource": [
                      "arn:aws:s3:::bucket_name"
                  ]
              },
              {
                  "Effect": "Allow",
                  "Action": [
                      "s3:ListBucket",
                      "s3:GetBucketLocation",
                      "s3:GetObject",
                      "s3:PutObject",
                      "s3:ListMultipartUploadParts",
                      "s3:AbortMultipartUpload"
                  ],
                  "Resource": [
                      "arn:aws:s3:::bucket_name/*"
                  ]
              }
          ]
      }

      For a non-root user, use the following script to create the policy and assign the permissions to the IAM role.

      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "s3:ListBucket",
                      "s3:GetBucketLocation"
                  ],
                  "Resource": [
                      "arn:aws:s3:::bucketname"
                  ]
              },
              {
                  "Effect": "Allow",
                  "Action": [
                      "s3:GetObjectMetaData",
                      "s3:GetObject",
                      "s3:PutObject",
                      "s3:DeleteObject",
                      "s3:ListMultipartUploadParts",
                      "s3:AbortMultipartUpload"
                  ],
                  "Resource": [
                      "arn:aws:s3:::bucketname/*"
                  ]
              },
              {
                  "Effect": "Allow",
                  "Action": "rds:*",
                  "Resource": "*"
              }
          ]
      }

  • STS Assume Role with IAM Policy: To use a Security Token Service (STS) assume role with an IAM policy, obtain the STS Amazon Resource Name (ARN) from the IAM roles section of the Amazon EC2 website.
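As an added check that is not part of the original documentation, the following Python script parses a policy document like the ones above and reports which of the required S3 actions are not granted at the correct resource level (bucket-level actions on the bucket ARN, object-level actions on the `bucket/*` ARN). The bucket name and the sample policy are constructed for illustration.

```python
import json

# Required S3 actions from the page, split by the resource level they apply to.
BUCKET_ACTIONS = {"s3:ListBucket", "s3:GetBucketLocation"}
OBJECT_ACTIONS = {"s3:GetObject", "s3:PutObject",
                  "s3:ListMultipartUploadParts", "s3:AbortMultipartUpload"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _allows(statement, action, resource):
    """True if an Allow statement grants `action` (or a full wildcard) on `resource`."""
    if statement.get("Effect") != "Allow":
        return False
    action_ok = any(a in (action, "s3:*", "*") for a in _as_list(statement.get("Action", [])))
    resource_ok = any(r in (resource, "*") for r in _as_list(statement.get("Resource", [])))
    return action_ok and resource_ok

def missing_permissions(policy_json, bucket):
    """Return the required S3 actions not granted at the correct resource level.

    Bucket-level actions must be allowed on arn:aws:s3:::<bucket> and object-level
    actions on arn:aws:s3:::<bucket>/*; a grant on the wrong ARN does not count.
    Deny and NotAction statements are not evaluated.
    """
    statements = json.loads(policy_json)["Statement"]
    bucket_arn = f"arn:aws:s3:::{bucket}"
    required = [(a, bucket_arn) for a in sorted(BUCKET_ACTIONS)]
    required += [(a, bucket_arn + "/*") for a in sorted(OBJECT_ACTIONS)]
    return [a for a, arn in required
            if not any(_allows(s, a, arn) for s in statements)]

# Constructed sample: object-level actions granted only on the bucket ARN, a
# common mistake that leaves GetObject/PutObject ineffective for backup files.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:ListBucket", "s3:GetBucketLocation",
                   "s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::example-backup-bucket",
    }],
})

if __name__ == "__main__":
    print(missing_permissions(SAMPLE_POLICY, "example-backup-bucket"))
```

Run it against the policy actually attached to the role (for example the output of `aws iam get-role-policy`) to confirm that every object-level action is granted on the `bucket/*` resource before starting a backup.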
