Amazon Relational Database Service
User Guide (API Version 2014-10-31)

Associating an IAM Role with an Amazon Aurora MySQL DB Cluster

To permit database users in an Amazon Aurora DB cluster to access other AWS services, you associate the role that you created in Creating an IAM Role to Allow Amazon Aurora to Access AWS Services with that DB cluster.

To associate an IAM role with a DB cluster you do two things:

  • Add the role to the list of associated roles for a DB cluster by using the RDS console, the add-role-to-db-cluster AWS CLI command, or the AddRoleToDBCluster RDS API action.

    You can add a maximum of five IAM roles for each Aurora DB cluster.

  • Set the cluster-level parameter for the related AWS service to the ARN for the associated IAM role.

    The following table describes the cluster-level parameter names for the IAM roles used to access other AWS services.

    Cluster-level parameter      Description

    aws_default_lambda_role      Used when invoking a Lambda function from your DB cluster.

    aws_default_logs_role        Used when exporting audit log data from your DB cluster to Amazon CloudWatch Logs.

    aws_default_s3_role          Used when invoking the LOAD DATA FROM S3, LOAD XML FROM S3, or SELECT INTO OUTFILE S3 statement from your DB cluster.

                                 For Aurora version 1.13 or later, the IAM role specified in this parameter is used only if an IAM role isn't specified for aurora_load_from_s3_role or aurora_select_into_s3_role for the appropriate statement.

                                 For earlier versions of Aurora, the IAM role specified for this parameter is always used.

    aurora_load_from_s3_role     For Aurora version 1.13 or later, used when invoking the LOAD DATA FROM S3 or LOAD XML FROM S3 statement from your DB cluster. If an IAM role is not specified for this parameter, the IAM role specified in aws_default_s3_role is used.

                                 For earlier versions of Aurora, this parameter is not available.

    aurora_select_into_s3_role   For Aurora version 1.13 or later, used when invoking the SELECT INTO OUTFILE S3 statement from your DB cluster. If an IAM role is not specified for this parameter, the IAM role specified in aws_default_s3_role is used.

                                 For earlier versions of Aurora, this parameter is not available.

To associate an IAM role to permit your Amazon RDS cluster to communicate with other AWS services on your behalf, take the following steps.

To associate an IAM role with an Aurora DB cluster using the console

  1. Open the RDS console at https://console.aws.amazon.com/rds/.

  2. Choose Clusters.

  3. Choose the Aurora DB cluster that you want to associate an IAM role with, and then choose Manage IAM Roles.

    (Image: Manage IAM Roles for a DB cluster)

  4. In Manage IAM Roles, choose the role to associate with your DB cluster from Available roles.

    (Image: Associate an IAM role with a DB cluster)

  5. (Optional) To stop associating an IAM role with a DB cluster and remove the related permission, choose Delete for the role.

  6. Choose Done.

  7. In the RDS console, choose Parameter Groups in the navigation pane.

  8. If you are already using a custom DB parameter group, you can select that group to use instead of creating a new DB cluster parameter group. If you are using the default DB cluster parameter group, you will need to create a new DB cluster parameter group, as described in the following steps:

    1. Choose Create Parameter Group.

      (Image: Create a DB cluster parameter group)

      For Parameter Group Family, choose aurora5.6.

    2. For Type, choose DB cluster parameter group.

    3. For Group Name, type the name of your new DB cluster parameter group.

    4. For Description, type a description for your new DB cluster parameter group.

    5. Choose Create.

  9. Select your DB cluster parameter group and choose Edit Parameters.

  10. Set the appropriate cluster-level parameters to the related IAM role ARN values. For example, you can set just the aws_default_s3_role parameter to arn:aws:iam::123456789012:role/AllowAuroraS3Role.

  11. Choose Save Changes.

  12. Choose Instances, and then select the primary instance for your Aurora DB cluster.

  13. Choose Instance Actions and then choose Modify.

  14. Set the DB Cluster Parameter Group to the new DB cluster parameter group that you created. Select Apply Immediately. Choose Continue.

  15. Verify your changes and then choose Modify DB Instance.

  16. The primary instance for your DB cluster will still be selected in the list of instances. Choose Instance Actions, and then choose Reboot.

    When the instance has rebooted, your IAM roles will be associated with your DB cluster.

    For more information about cluster parameter groups, see Amazon Aurora MySQL Parameters.

To associate an IAM role with a DB cluster by using the AWS CLI

  1. Call the add-role-to-db-cluster command from the AWS CLI to add the ARNs for your IAM roles to the DB cluster, as shown following.

    PROMPT> aws rds add-role-to-db-cluster --db-cluster-identifier my-cluster --role-arn arn:aws:iam::123456789012:role/AllowAuroraS3Role
    PROMPT> aws rds add-role-to-db-cluster --db-cluster-identifier my-cluster --role-arn arn:aws:iam::123456789012:role/AllowAuroraLambdaRole

  2. If you are using the default DB cluster parameter group, you will need to create a new DB cluster parameter group. If you are already using a custom DB parameter group, you can use that group instead of creating a new DB cluster parameter group.

    To create a new DB cluster parameter group, call the create-db-cluster-parameter-group command from the AWS CLI, as shown following.

    PROMPT> aws rds create-db-cluster-parameter-group --db-cluster-parameter-group-name AllowAWSAccess \
        --db-parameter-group-family aurora5.6 --description "Allow access to Amazon S3 and AWS Lambda"

  3. Set the appropriate cluster-level parameter or parameters and the related IAM role ARN values in your DB cluster parameter group, as shown following.

    PROMPT> aws rds modify-db-cluster-parameter-group --db-cluster-parameter-group-name AllowAWSAccess \
        --parameters "name=aws_default_s3_role,value=arn:aws:iam::123456789012:role/AllowAuroraS3Role,method=pending-reboot" \
        --parameters "name=aws_default_lambda_role,value=arn:aws:iam::123456789012:role/AllowAuroraLambdaRole,method=pending-reboot"

  4. Modify the DB cluster to use the new DB cluster parameter group and then reboot the cluster, as shown following.

    PROMPT> aws rds modify-db-cluster --db-cluster-identifier my-cluster --db-cluster-parameter-group-name AllowAWSAccess
    PROMPT> aws rds reboot-db-instance --db-instance-identifier my-cluster-primary

    When the instance has rebooted, your IAM roles will be associated with your DB cluster.

    For more information about cluster parameter groups, see Amazon Aurora MySQL Parameters.