Creating and connecting to a DB instance for Amazon RDS Custom for Oracle - Amazon Relational Database Service

You can create an RDS Custom DB instance, and then connect to it using Secure Shell (SSH) or AWS Systems Manager.

Important

Before you can create or connect to an RDS Custom DB instance, make sure to complete the tasks in Setting up your environment for Amazon RDS Custom for Oracle.

You can tag RDS Custom DB instances when you create them, but don't create or modify the AWSRDSCustom tag that's required for RDS Custom automation. For more information, see Tagging RDS Custom resources.

The first time that you create an RDS Custom for Oracle DB instance, you might receive the following error: The service-linked role is in the process of being created. Try again later. If you do, wait a few minutes and then try again to create the DB instance.

Creating an RDS Custom for Oracle DB instance

Create an Amazon RDS Custom for Oracle DB instance using either the AWS Management Console or the AWS CLI. The procedure is similar to the procedure for creating an Amazon RDS DB instance.

For more information, see Creating an Amazon RDS DB instance.

To create an RDS Custom for Oracle DB instance

  1. Sign in to the AWS Management Console and open the Amazon RDS console at https://console.aws.amazon.com/rds/.

  2. In the navigation pane, choose Databases.

  3. Choose Create database.

  4. In Choose a database creation method, select Standard create.

  5. In Engine options, choose Oracle for the DB engine type. Oracle Database is the only supported DB engine.

  6. For Database management type, choose Amazon RDS Custom.

  7. For Edition, choose Oracle Enterprise Edition.

  8. For Database version, choose the RDS Custom custom engine version (CEV) that you previously created. The CEV has the following format: 19.customized_string. An example identifier is 19.my_cev1.

  9. In Templates, choose Production.

  10. In Settings, enter a unique name for the DB instance identifier.

  11. Enter your master password by doing the following:

    1. In the Settings section, open Credential Settings.

    2. Clear the Auto generate a password check box.

    3. Change the Master username value and enter the same password in Master password and Confirm password.

    By default, the new RDS Custom DB instance uses an automatically generated password for the master user.

  12. In DB instance size, choose a DB instance class.

    For supported classes, see DB instance class support for RDS Custom.

  13. Choose Storage settings.

  14. For RDS Custom security, do the following:

    1. For IAM instance profile, choose the instance profile for your RDS Custom for Oracle DB instance.

      The IAM instance profile must begin with AWSRDSCustom, for example AWSRDSCustomInstanceProfileForRdsCustomInstance.

    2. For Encryption, choose Enter a key ARN to list the available AWS KMS keys. Then choose your key from the list.

      An AWS KMS key is required for RDS Custom. For more information, see Make sure that you have a symmetric AWS KMS key.

  15. (Optional) In Additional configuration, enter an Initial database name if you want.

    The default database name is ORCL.

  16. For the remaining sections, specify your preferred RDS Custom DB instance settings. For information about each setting, see Settings for DB instances. The following settings don't appear in the console and aren't supported:

    • Processor features

    • Storage autoscaling

    • Availability & durability

    • Password and Kerberos authentication option in Database authentication (only Password authentication is supported)

    • Database options group in Additional configuration

    • Performance Insights

    • Log exports

    • Enable auto minor version upgrade

    • Deletion protection

    Backup retention period is supported, but you can't choose 0 days.

  17. Choose Create database.

    The View credential details button appears on the Databases page.

    To view the master user name and password for the RDS Custom DB instance, choose View credential details.

    To connect to the DB instance as the master user, use the user name and password that appear.

    Important

    You can't view the master user password again. If you don't record it, you might have to change it. If you need to change the master user password after the RDS Custom DB instance is available, modify the DB instance to do so. For more information about modifying a DB instance, see Managing an Amazon RDS Custom DB instance.

  18. Choose Databases to view the list of RDS Custom DB instances.

  19. Choose the RDS Custom DB instance that you just created.

    On the RDS console, the details for the new RDS Custom DB instance appear:

    • The DB instance has a status of creating until the RDS Custom DB instance is created and ready for use. When the state changes to available, you can connect to the DB instance. Depending on the instance class and storage allocated, it can take several minutes for the new DB instance to be available.

    • Role has the value Instance (RDS Custom).

    • RDS Custom automation mode has the value Full automation. This setting means that the DB instance provides automatic monitoring and instance recovery.

You create an RDS Custom DB instance by using the create-db-instance AWS CLI command.

The following options are required:

  • --db-instance-identifier

  • --db-instance-class (for a list of supported instance classes, see DB instance class support for RDS Custom)

  • --engine custom-oracle-ee

  • --engine-version cev (where cev is the name of the custom engine version that you specified in Creating a CEV)

  • --kms-key-id

  • --no-auto-minor-version-upgrade

  • --custom-iam-instance-profile

The following example creates an RDS Custom DB instance named my-custom-instance. The backup retention period is three days.

For Linux, macOS, or Unix:

aws rds create-db-instance \
    --engine custom-oracle-ee \
    --db-instance-identifier my-custom-instance \
    --engine-version 19.my_cev1 \
    --allocated-storage 250 \
    --db-instance-class db.m5.xlarge \
    --db-subnet-group mydbsubnetgroup \
    --master-username myawsuser \
    --master-user-password mypassword \
    --backup-retention-period 3 \
    --no-multi-az \
    --port 8200 \
    --license-model bring-your-own-license \
    --kms-key-id my-kms-key \
    --no-auto-minor-version-upgrade \
    --custom-iam-instance-profile AWSRDSCustomInstanceProfileForRdsCustomInstance

For Windows:

aws rds create-db-instance ^
    --engine custom-oracle-ee ^
    --db-instance-identifier my-custom-instance ^
    --engine-version 19.my_cev1 ^
    --allocated-storage 250 ^
    --db-instance-class db.m5.xlarge ^
    --db-subnet-group mydbsubnetgroup ^
    --master-username myawsuser ^
    --master-user-password mypassword ^
    --backup-retention-period 3 ^
    --no-multi-az ^
    --port 8200 ^
    --license-model bring-your-own-license ^
    --kms-key-id my-kms-key ^
    --no-auto-minor-version-upgrade ^
    --custom-iam-instance-profile AWSRDSCustomInstanceProfileForRdsCustomInstance
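A password given with --master-user-password is visible in shell history and in the process list. The following added example, which is not part of the AWS documentation, checks the constraints stated on this page and supplies the password through --cli-input-json from an owner-only file instead. The function names and the generated 24-character alphanumeric password are assumptions.

```shell
# Added example, not AWS-provided code; function names are hypothetical.

# Check the constraints this page states before sending anything to AWS.
# Args: engine-version instance-profile backup-retention-days kms-key-id
preflight_rds_custom() {
    bad=0
    case "$1" in 19.?*) ;; *) echo "engine version must be a CEV such as 19.my_cev1" >&2; bad=1 ;; esac
    case "$2" in AWSRDSCustom*) ;; *) echo "instance profile must begin with AWSRDSCustom" >&2; bad=1 ;; esac
    [ "$3" -gt 0 ] 2>/dev/null || { echo "backup retention period can't be 0 days" >&2; bad=1; }
    [ -n "$4" ] || { echo "an AWS KMS key is required" >&2; bad=1; }
    return "$bad"
}

# Write a generated master password to an owner-only JSON file and print its
# path. Assumption: 24 alphanumeric characters satisfy your password policy.
write_password_file() (
    umask 077
    f=$(mktemp) || exit 1
    pw=$(head -c 1024 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9' | cut -c1-24)
    printf '{"MasterUserPassword": "%s"}\n' "$pw" > "$f"
    printf '%s\n' "$f"
)

# Same request as the page's example; the password never appears in argv.
create_rds_custom() {
    preflight_rds_custom 19.my_cev1 \
        AWSRDSCustomInstanceProfileForRdsCustomInstance 3 my-kms-key || return 1
    params=$(write_password_file) || return 1
    aws rds create-db-instance \
        --cli-input-json "file://$params" \
        --engine custom-oracle-ee \
        --db-instance-identifier my-custom-instance \
        --engine-version 19.my_cev1 \
        --allocated-storage 250 \
        --db-instance-class db.m5.xlarge \
        --db-subnet-group mydbsubnetgroup \
        --master-username myawsuser \
        --backup-retention-period 3 \
        --no-multi-az \
        --port 8200 \
        --license-model bring-your-own-license \
        --kms-key-id my-kms-key \
        --no-auto-minor-version-upgrade \
        --custom-iam-instance-profile AWSRDSCustomInstanceProfileForRdsCustomInstance ||
        { rm -f "$params"; return 1; }
    echo "master password saved in $params; record it, then delete the file" >&2
}
```

Source the file and run create_rds_custom after replacing the sample values with your own.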

Get details about your instance by using the describe-db-instances command.

aws rds describe-db-instances --db-instance-identifier my-custom-instance

The following partial output shows the engine, parameter groups, and other information.

{
    "DBInstances": [
        {
            "PendingModifiedValues": {},
            "Engine": "custom-oracle-ee",
            "MultiAZ": false,
            "DBSecurityGroups": [],
            "DBParameterGroups": [
                {
                    "DBParameterGroupName": "default.custom-oracle-ee-19",
                    "ParameterApplyStatus": "in-sync"
                }
            ],
            "AutomationMode": "full",
            "DBInstanceIdentifier": "my-custom-instance",
            ...
            "TagList": [
                {
                    "Key": "AWSRDSCustom",
                    "Value": "custom-oracle"
                }
            ]
        }
    ]
}

RDS Custom service-linked role

A service-linked role gives Amazon RDS Custom access to resources in your AWS account. It makes using RDS Custom easier because you don't have to manually add the necessary permissions. RDS Custom defines the permissions of its service-linked roles, and unless defined otherwise, only RDS Custom can assume its roles. The defined permissions include the trust policy and the permissions policy, and that permissions policy can't be attached to any other IAM entity.

When you create an RDS Custom DB instance, both the Amazon RDS and RDS Custom service-linked roles are created (if they don't already exist) and used. For more information, see Using service-linked roles for Amazon RDS.

The first time that you create an RDS Custom for Oracle DB instance, you might receive the following error: The service-linked role is in the process of being created. Try again later. If you do, wait a few minutes and then try again to create the DB instance.

Connecting to your RDS Custom DB instance using SSH

After you create your RDS Custom DB instance, you can connect to this instance using an SSH client. The procedure is the same as for connecting to an Amazon EC2 instance. For more information, see Connecting to your Linux instance using SSH.

To connect to the DB instance, you need the key pair associated with the instance. RDS Custom creates the key pair on your behalf. The pair name uses the prefix do-not-delete-rds-custom-ssh-privatekey-db-. AWS Secrets Manager stores your private key as a secret.

Complete the task in the following steps:

Configure your DB instance to allow SSH connections

Make sure that your DB instance security group permits inbound connections on port 22 for TCP. To learn how to configure your instance security group, see Configure your instance security group.

Retrieve your secret key

Retrieve the secret key using either the AWS Management Console or the AWS CLI.

To retrieve the secret key

  1. Sign in to the AWS Management Console and open the Amazon RDS console at https://console.aws.amazon.com/rds/.

  2. In the navigation pane, choose Databases, and then choose the RDS Custom DB instance to which you want to connect.

  3. Choose Configuration.

  4. Note the Resource ID value. For example, the resource ID might be db-ABCDEFGHIJKLMNOPQRS0123456.

  5. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  6. In the navigation pane, choose Instances.

  7. Find the name of your EC2 instance, and choose the instance ID associated with it. For example, the EC2 instance ID might be i-abcdefghijklm01234.

  8. In Details, find Key pair name. The pair name includes the resource ID. For example, the pair name might be do-not-delete-rds-custom-ssh-privatekey-db-ABCDEFGHIJKLMNOPQRS0123456-0d726c.

  9. In the instance summary, find Public IPv4 DNS. For example, the public Domain Name System (DNS) address might be ec2-12-345-678-901.us-east-2.compute.amazonaws.com.

  10. Open the AWS Secrets Manager console at https://console.aws.amazon.com/secretsmanager/.

  11. Choose the secret that has the same name as your key pair.

  12. Choose Retrieve secret value.

  13. Copy the private key into a text file, and then save the file with the .pem extension. For example, save the file as /tmp/do-not-delete-rds-custom-ssh-privatekey-db-ABCDEFGHIJKLMNOPQRS0123456-0d726c.pem.

To retrieve the private key, use the AWS CLI.

To find the DB resource ID of your RDS Custom DB instance, use aws rds describe-db-instances.

aws rds describe-db-instances \
    --query 'DBInstances[*].[DBInstanceIdentifier,DbiResourceId]' \
    --output text

The following sample output shows the resource ID for your RDS Custom instance. The prefix is db-.

db-ABCDEFGHIJKLMNOPQRS0123456

To find the EC2 instance ID of your DB instance, use aws ec2 describe-instances. The following example uses db-ABCDEFGHIJKLMNOPQRS0123456 for the resource ID.

aws ec2 describe-instances \
    --filters "Name=tag:Name,Values=db-ABCDEFGHIJKLMNOPQRS0123456" \
    --output text \
    --query 'Reservations[*].Instances[*].InstanceId'

The following sample output shows the EC2 instance ID.

i-abcdefghijklm01234

To find the key name, specify the EC2 instance ID.

aws ec2 describe-instances \
    --instance-ids i-abcdefghijklm01234 \
    --output text \
    --query 'Reservations[*].Instances[*].KeyName'

The following sample output shows the key name, which uses the prefix do-not-delete-rds-custom-ssh-privatekey-.

do-not-delete-rds-custom-ssh-privatekey-db-ABCDEFGHIJKLMNOPQRS0123456-0d726c

To save the private key in a .pem file named after the key, use aws secretsmanager. The following example saves the file in your /tmp directory.

aws secretsmanager get-secret-value \
    --secret-id do-not-delete-rds-custom-ssh-privatekey-db-ABCDEFGHIJKLMNOPQRS0123456-0d726c \
    --query SecretString \
    --output text >/tmp/do-not-delete-rds-custom-ssh-privatekey-db-ABCDEFGHIJKLMNOPQRS0123456-0d726c.pem

Connect to your EC2 instance using the ssh utility

The following example assumes that you created a .pem file that contains your private key.

Change to the directory that contains your .pem file. Using chmod, set the permissions to 400.

cd /tmp
chmod 400 do-not-delete-rds-custom-ssh-privatekey-db-ABCDEFGHIJKLMNOPQRS0123456-0d726c.pem

To obtain your public DNS name, use the aws ec2 describe-instances command.

aws ec2 describe-instances \
    --instance-ids i-abcdefghijklm01234 \
    --output text \
    --query 'Reservations[*].Instances[*].PublicDnsName'

The following sample output shows the public DNS name.

ec2-12-345-678-901.us-east-2.compute.amazonaws.com

In the ssh utility, specify the .pem file and the public DNS name of the instance.

ssh -i \
    "do-not-delete-rds-custom-ssh-privatekey-db-ABCDEFGHIJKLMNOPQRS0123456-0d726c.pem" \
    ec2-user@ec2-12-345-678-901.us-east-2.compute.amazonaws.com
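The following added example, which is not part of the AWS documentation, chains the CLI retrieval steps above into one function. It creates the key file owner-only from the start in a private directory, rather than setting permissions after the file is written to /tmp, and it checks that the key pair name embeds the resource ID before fetching the secret. The function names and the optional destination-directory argument are assumptions.

```shell
# Added example, not AWS-provided code; function names are hypothetical.
KEY_PREFIX="do-not-delete-rds-custom-ssh-privatekey-"

# The EC2 instance is found through its Name tag, which is mutable, so confirm
# that the key pair name embeds the resource ID before fetching any secret.
# Names containing "/" are rejected because the name becomes a file name.
key_matches_resource() {
    case "$1" in
        */*) return 1 ;;
        "${KEY_PREFIX}$2"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: fetch_rds_custom_key RESOURCE_ID [DEST_DIR]
# Prints the path of the saved .pem file.
fetch_rds_custom_key() (
    resource_id=$1
    umask 077   # the directory and key file are owner-only from creation
    dest_dir=${2:-$(mktemp -d)} || exit 1
    instance_id=$(aws ec2 describe-instances \
        --filters "Name=tag:Name,Values=$resource_id" \
        --output text \
        --query 'Reservations[*].Instances[*].InstanceId') || exit 1
    case "$instance_id" in
        ''|*[[:space:]]*)
            echo "expected exactly one EC2 instance for $resource_id" >&2
            exit 1 ;;
    esac
    key_name=$(aws ec2 describe-instances \
        --instance-ids "$instance_id" \
        --output text \
        --query 'Reservations[*].Instances[*].KeyName') || exit 1
    if ! key_matches_resource "$key_name" "$resource_id"; then
        echo "key pair '$key_name' does not match $resource_id" >&2
        exit 1
    fi
    pem="$dest_dir/$key_name.pem"
    rm -f "$pem"   # a read-only file left by an earlier run would block the write
    aws secretsmanager get-secret-value \
        --secret-id "$key_name" \
        --query SecretString \
        --output text > "$pem" || { rm -f "$pem"; exit 1; }
    chmod 400 "$pem"
    printf '%s\n' "$pem"
)
```

Pass the printed path to ssh -i together with the public DNS name of the instance.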

Connecting to your RDS Custom DB instance using AWS Systems Manager

After you create your RDS Custom DB instance, you can connect to it using AWS Systems Manager Session Manager. Session Manager is a Systems Manager capability that you can use to manage Amazon EC2 instances through a browser-based shell or through the AWS CLI. For more information, see AWS Systems Manager Session Manager.

To connect to your DB instance using Session Manager

  1. Sign in to the AWS Management Console and open the Amazon RDS console at https://console.aws.amazon.com/rds/.

  2. In the navigation pane, choose Databases, and then choose the RDS Custom DB instance to which you want to connect.

  3. Choose Configuration.

  4. Note the Resource ID for your DB instance. For example, the resource ID might be db-ABCDEFGHIJKLMNOPQRS0123456.

  5. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  6. In the navigation pane, choose Instances.

  7. Look for the name of your EC2 instance, and then click the instance ID associated with it. For example, the instance ID might be i-abcdefghijklm01234.

  8. Choose Connect.

  9. Choose Session Manager.

  10. Choose Connect.

    A window opens for your session.

You can connect to your RDS Custom DB instance using the AWS CLI. This technique requires the Session Manager plugin for the AWS CLI. To learn how to install the plugin, see Install the Session Manager plugin for the AWS CLI.

To find the DB resource ID of your RDS Custom DB instance, use aws rds describe-db-instances.

aws rds describe-db-instances \
    --query 'DBInstances[*].[DBInstanceIdentifier,DbiResourceId]' \
    --output text

The following sample output shows the resource ID for your RDS Custom instance. The prefix is db-.

db-ABCDEFGHIJKLMNOPQRS0123456

To find the EC2 instance ID of your DB instance, use aws ec2 describe-instances. The following example uses db-ABCDEFGHIJKLMNOPQRS0123456 for the resource ID.

aws ec2 describe-instances \
    --filters "Name=tag:Name,Values=db-ABCDEFGHIJKLMNOPQRS0123456" \
    --output text \
    --query 'Reservations[*].Instances[*].InstanceId'

The following sample output shows the EC2 instance ID.

i-abcdefghijklm01234

Use the aws ssm start-session command, supplying the EC2 instance ID in the --target parameter.

aws ssm start-session --target "i-abcdefghijklm01234"

A successful connection looks like the following.

Starting session with SessionId: yourid-abcdefghijklm1234
[ssm-user@ip-123-45-67-89 bin]$