Create unprivileged RDS DB role using CDK

Time: 06-10

I deploy AWS Aurora for Postgres using AWS CDK, which creates a cluster admin role, and makes its password available as a secret to other infrastructure, notably Lambdas. I'm looking for a way to also create an unprivileged role in the database, and then disseminate its login credentials to Lambdas etc., to eliminate the risk of accessing the database with superuser credentials by design.

CDK only seems to create a single user account, and from there IaC authors have to fend for themselves. How could CDK be adapted to this scenario?

CodePudding user response:

The CDK itself, like all IaC tooling (e.g. Terraform), manages the provisioning of infrastructure.

You essentially want to initialise your RDS instance and create a user/role within the database itself, which isn't naturally related to infrastructure provisioning, and thus not to the CDK at all.

While this isn't built into the CDK, you can use AwsCustomResource to create the unprivileged role via a Lambda after the creation of the RDS database. Take a look at the official blog post titled Use AWS CDK to initialize Amazon RDS instances for some more information on how to get started.
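As an added example (not code from the question, the answer, or the AWS blog post linked above), here is the Lambda body such a custom resource would invoke once the cluster exists. The CDK side hands it the ARN of the admin secret, the ARN of a second, Secrets Manager-generated secret for the application role, the database name and the role name; that payload shape, the secret field layout, and the `RDS_CA_BUNDLE` environment variable are assumptions of this example. The interesting part is that `CREATE ROLE` and `ALTER ROLE ... PASSWORD` are DDL and cannot take bind parameters, so the role name and password have to be quoted by hand; only the existence check can use a parameter.

```python
# Added example (not the page's code and not the AWS blog post's code): the
# Lambda body a CDK custom resource would invoke to create a least-privilege
# application role once the Aurora PostgreSQL cluster exists. Payload keys,
# secret layout and the env var RDS_CA_BUNDLE are assumptions for this example.
import json
import os
import ssl


def quote_ident(name: str) -> str:
    """Quote a PostgreSQL identifier (role, database or schema name).
    DDL such as CREATE ROLE cannot take bind parameters, so names that come
    from configuration must be quoted by hand: double any embedded double
    quote and wrap the result in double quotes."""
    if "\x00" in name:
        raise ValueError("NUL byte in identifier")
    return '"' + name.replace('"', '""') + '"'


def quote_literal(value: str) -> str:
    """Quote a string literal (the password) in E'...' form, which escapes
    backslashes the same way whatever standard_conforming_strings is set to."""
    if "\x00" in value:
        raise ValueError("NUL byte in literal")
    return "E'" + value.replace("\\", "\\\\").replace("'", "''") + "'"


def role_bootstrap_sql(role: str, database: str, password: str,
                       role_exists: bool, schema: str = "public") -> list:
    """Statements that create (or re-key) a LOGIN role restricted to DML on
    one schema. Re-runnable, so a stack update that re-invokes the Lambda
    does not fail on an already existing role."""
    r, d, s = quote_ident(role), quote_ident(database), quote_ident(schema)
    stmts = []
    if not role_exists:
        # Explicitly no superuser / createdb / createrole / RLS bypass.
        stmts.append(f"CREATE ROLE {r} LOGIN NOSUPERUSER NOCREATEDB "
                     f"NOCREATEROLE NOBYPASSRLS;")
    stmts += [
        f"ALTER ROLE {r} WITH PASSWORD {quote_literal(password)} "
        f"CONNECTION LIMIT 50;",
        f"GRANT CONNECT ON DATABASE {d} TO {r};",
        f"GRANT USAGE ON SCHEMA {s} TO {r};",
        f"GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA {s} TO {r};",
        f"GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA {s} TO {r};",
        # Tables/sequences the admin role creates later get the same grants.
        f"ALTER DEFAULT PRIVILEGES IN SCHEMA {s} "
        f"GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO {r};",
        f"ALTER DEFAULT PRIVILEGES IN SCHEMA {s} "
        f"GRANT USAGE, SELECT ON SEQUENCES TO {r};",
    ]
    return stmts


def _rds_ssl_context() -> ssl.SSLContext:
    """Verify the server certificate against the RDS CA bundle shipped with
    the function (path in RDS_CA_BUNDLE, an assumed env var); a default
    context would reject the Amazon RDS CA."""
    return ssl.create_default_context(cafile=os.environ["RDS_CA_BUNDLE"])


def handler(event, context):
    """Entry point invoked by the custom resource. Assumed payload:
    {"admin_secret_arn", "app_secret_arn", "database", "role"}; both secrets
    use the Secrets Manager RDS layout (username/password/host/port). The
    function must run in the cluster's VPC with secretsmanager:GetSecretValue
    on both secrets; the admin secret is read only here, never by the app."""
    import boto3            # present in the Lambda runtime
    import pg8000.native    # pure-Python driver, bundled with the function

    sm = boto3.client("secretsmanager")
    admin = json.loads(sm.get_secret_value(
        SecretId=event["admin_secret_arn"])["SecretString"])
    app = json.loads(sm.get_secret_value(
        SecretId=event["app_secret_arn"])["SecretString"])

    conn = pg8000.native.Connection(
        user=admin["username"], password=admin["password"],
        host=admin["host"], port=int(admin.get("port", 5432)),
        database=event["database"], ssl_context=_rds_ssl_context())
    try:
        # The existence check is a plain query, so it can use a bind parameter.
        exists = conn.run("SELECT 1 FROM pg_roles WHERE rolname = :name",
                          name=event["role"])
        for stmt in role_bootstrap_sql(event["role"], event["database"],
                                       app["password"], bool(exists)):
            conn.run(stmt)
    finally:
        conn.close()
    return {"Data": {"Role": event["role"]}}
```

Design notes: the application password is generated by Secrets Manager on the CDK side and only copied into the database here, so the Lambdas that talk to the database are granted read on the application secret alone, while the admin secret is granted to nothing but this bootstrap function. `ALTER DEFAULT PRIVILEGES` applies to objects created later by the role that runs it (the admin role here), which is what keeps migrations run as admin from silently leaving the application role without access to new tables.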
