# 从 RDS 代理的标准 IAM 身份验证迁移至端到端 IAM 身份验证 如果您当前在 RDS 代理中使用标准 IAM 身份验证(客户端使用 IAM 身份验证连接到代理,而代理通过密钥连接到数据库),您可以迁移至端到端 IAM 身份验证,使客户端到代理以及代理到数据库的连接都使用 IAM 身份验证。 **迁移至端到端 IAM 身份验证** 1. **更新 RDS 代理 IAM 角色权限** 创建同时包含 Secrets Manager 和 `rds:db-connect` 权限的更新代理权限策略: ``` # Create updated proxy permission policy cat > updated-proxy-policy.json ≪ EOF ``` ``` { "Version": "2012-10-17", "Statement": [ { "Sid": "GetSecretsValue", "Action": [ "secretsmanager:GetSecretValue" ], "Effect": "Allow", "Resource": [ "arn:aws:secretsmanager:us-east-1:123456789012:secret:secretName-1234f" ] }, { "Sid": "RdsDBConnect", "Action": [ "rds-db:connect" ], "Effect": "Allow", "Resource": [ "arn:aws:rds-db:us-east-1:123456789012:dbuser:cluster-ABCDEFGHIJKL01234/jane_doe" ] } ] } ``` 更新代理角色策略: ``` aws iam put-role-policy \ --role-name RDSProxyRole \ --policy-name UpdatedProxyPermissions \ --policy-document file://updated-proxy-policy.json ``` 1. 修改您的 RDS 代理以实现端到端 IAM 身份验证 ``` aws rds modify-db-proxy \ --db-proxy-name my-database-proxy \ --default-auth-scheme IAM_AUTH \ --region us-east-1 ``` 继续操作之前,请验证 RDS 代理状态是否为**可用**且 `DefaultAuthScheme` 为 `IAM_AUTH`,以确保迁移期间零停机。 ``` aws rds describe-db-proxies --db-proxy-name my-database-proxy --region us-east-1 ``` 预期输出: ``` { "DBProxies": [ { "DBProxyName": "my-database-proxy", "DBProxyArn": "arn:aws:rds:us-east-1:123456789012:db-proxy:prx-0123456789abcdef", "Status": "available", ... "DefaultAuthScheme": "IAM_AUTH" } ] } ``` 1. 在数据库上启用 IAM 身份验证 ``` aws rds modify-db-cluster \ --db-cluster-identifier my-database-cluster \ --enable-iam-database-authentication \ --region us-east-1 ``` 1. 为 IAM 身份验证配置数据库用户 对于 RDS for PostgreSQL: ``` GRANT rds_iam TO jane_doe; ``` 对于 RDS for MySQL 和 RDS for MariaDB: ``` ALTER USER 'jane_doe' IDENTIFIED WITH AWSAuthenticationPlugin AS 'RDS'; ALTER USER 'jane_doe'@'%' REQUIRE SSL; ``` 1. 无需更改客户端应用程序代码。连接过程保持不变: 对于 RDS for PostgreSQL: ``` # Generate authentication token export PGPASSWORD=$(aws rds generate-db-auth-token \ --hostname my-database-proxy.proxy-ABCDEFGHIJKL01234.us-east-1.rds.amazonaws.com \ --port 5432 \ --username jane_doe \ --region us-east-1) # Connect to database through proxy psql "host=my-database-proxy.proxy-ABCDEFGHIJKL01234.us-east-1.rds.amazonaws.com port=5432 user=jane_doe dbname=postgres password=$PGPASSWORD sslmode=require sslrootcert=us-east-1-bundle.pem" ``` 对于 RDS for MySQL 和 RDS for MariaDB: ``` # Generate authentication token export MYSQL_PWD=$(aws rds generate-db-auth-token \ --hostname my-database-proxy.proxy-ABCDEFGHIJKL01234.us-east-1.rds.amazonaws.com \ --port 3306 \ --username jane_doe \ --region us-east-1) # Connect to database through proxy mysql -h my-database-proxy.proxy-ABCDEFGHIJKL01234.us-east-1.rds.amazonaws.com \ -P 3306 \ -u jane_doe \ --ssl-ca=us-east-1-bundle.pem \ --enable-cleartext-plugin ```