Allow RDS connection using IAM Role
Description
Currently PMM supports two ways of discovering RDS instances: through the IAM role attached to the instance and through static credentials. There is no way to attach a cross-account IAM policy directly to an instance role. The method AWS recommends for accessing cross-account resources is to create a cross-account role and give the resource (in this case the EC2 instance running PMM) permission to assume that role.
Suggested solution
In addition to static IAM access key and secret credentials, PMM should offer the option of providing an IAM role ARN, use STS to assume that role, and allow adding RDS instances using the resulting temporary credentials.
Additional context
No response
Code of Conduct
- [X] I agree to follow this project's Code of Conduct
I am facing the same issue.
Where PMM is running I have a role with the following trust relationship:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::999999999999:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/ABCD1234EFGH5678IJKL9012MNOP3456"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "oidc.eks.us-east-1.amazonaws.com/id/B68146060B12F249947B9E36426CD48C:aud": "sts.amazonaws.com"
        },
        "StringLike": {
          "oidc.eks.us-east-1.amazonaws.com/id/B68146060B12F249947B9E36426CD48C:sub": "system:serviceaccount:pmm-namespace:*"
        }
      }
    }
  ]
}
```
And a policy was attached to this role so we can assume roles from other AWS accounts:
```json
{
  "Statement": [
    {
      "Action": [
        "sts:AssumeRole"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:iam::000000000000:role/pmm-assumable",
        "arn:aws:iam::111111111111:role/pmm-assumable",
        "arn:aws:iam::222222222222:role/pmm-assumable"
      ]
    }
  ]
}
```
On the target AWS account (000000000000 for instance) I have a role named pmm-assumable with the following trust relationship:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::999999999999:role/pmm-server-role"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```
and the regular policies:
```json
{
  "Statement": [
    {
      "Action": [
        "cloudwatch:GetMetricData",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:ListMetrics",
        "dynamodb:ListBackups",
        "dynamodb:ListContributorInsights",
        "dynamodb:ListExports",
        "dynamodb:ListGlobalTables",
        "dynamodb:ListImports",
        "dynamodb:ListTables",
        "rds:DescribeAccountAttributes",
        "rds:DescribeCertificates",
        "rds:DescribeDBClusterBacktracks",
        "rds:DescribeDBClusterEndpoints",
        "rds:DescribeDBClusterParameterGroups",
        "rds:DescribeDBClusterParameters",
        ...
      ],
      "Effect": "Allow",
      "Resource": "*",
      "Sid": "VisualEditor1"
    }
  ],
  "Version": "2012-10-17"
}
```
When we hit the Discover button, only RDS instances from the same account appear.
Inside the pod we can check the caller identity...
```console
[root@pmm-0 opt] # aws sts get-caller-identity
{
    "UserId": "AAAAAAAAAAAAAAAAAAAAA:botocore-session-1744757000",
    "Account": "999999999999",
    "Arn": "arn:aws:sts::999999999999:assumed-role/pmm-server-role/botocore-session-1744757000"
}
```
... and assume the target role
```console
[root@pmm-0 opt] # aws sts assume-role --role-arn arn:aws:iam::000000000000:role/pmm-assumable --role-session-name testing
{
    "Credentials": {
        "AccessKeyId": "ABCDEFGH12345678IJKL",
        "SecretAccessKey": "01234567890ABCDEFGHIJKLMNOPQRDS012345678",
        "SessionToken": "ABC123...456DEF=",
        "Expiration": "2025-04-15T23:43:51+00:00"
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "A1B2C3D4E5F6G7H8I9J0K1L2:pmm-k8Assume",
        "Arn": "arn:aws:sts::000000000000:assumed-role/pmm-assumable/testing"
    }
}
```
As a suggestion, we could fill in the Amazon RDS access key and Amazon RDS secret key, or fill in the role ARN we can assume, as in the following print.
When we hit Discover, PMM could, under the hood, assume that target role and list RDS instances.
I'm not familiar with the project structure, but I think there will be changes here and here.
Any updates please let us know.
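The flow proposed in the feature request (take a role ARN, assume it with STS, discover RDS with the temporary credentials) and the role chain laid out in the comment above (source role policy granting `sts:AssumeRole`, target role trust policy naming the source role) are demonstrated together in the following added example. It is not PMM's code; the policies, ARNs and account numbers are constructed to mirror the ones posted above, and the live discovery part assumes `boto3` is installed and that the process runs as the source role. The offline `validate_role_chain` check is the part a practitioner wants before debugging an "only same-account instances appear" result: it says which half of the chain is missing, and `role_arn_from_caller_identity` maps the `assumed-role` ARN printed by `aws sts get-caller-identity` to the IAM role ARN that the target's trust policy must name.

```python
"""Added example (not PMM project code): cross-account RDS discovery through an
assumed IAM role, plus an offline pre-check of the role chain.

Assumptions: boto3 is installed for the live part; the policies and ARNs below
are constructed to mirror the ones in the issue comment, not real accounts.
"""
from fnmatch import fnmatchcase


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource/Principal fields."""
    return value if isinstance(value, list) else [value]


def role_arn_from_caller_identity(sts_arn):
    """Map an STS assumed-role ARN (as printed by get-caller-identity) to the
    IAM role ARN that trust policies name, e.g.
    arn:aws:sts::999999999999:assumed-role/pmm-server-role/<session>
      -> arn:aws:iam::999999999999:role/pmm-server-role"""
    prefix = "arn:aws:sts::"
    if not sts_arn.startswith(prefix) or ":assumed-role/" not in sts_arn:
        return sts_arn  # already an IAM role ARN; nothing to rewrite
    account, rest = sts_arn[len(prefix):].split(":assumed-role/", 1)
    return f"arn:aws:iam::{account}:role/{rest.split('/', 1)[0]}"


def policy_grants_assume(policy, target_role_arn):
    """True if an Allow statement grants sts:AssumeRole on target_role_arn.
    Action names are case-insensitive; both fields may use * wildcards."""
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        if any(fnmatchcase("sts:assumerole", a) for a in actions) and any(
            fnmatchcase(target_role_arn, r) for r in resources
        ):
            return True
    return False


def trust_policy_trusts(trust_policy, principal_role_arn):
    """True if the target's trust policy lets principal_role_arn call
    sts:AssumeRole. The caller's account root is accepted too (that delegates
    the decision to the caller account's IAM policies); a bare "*" is not."""
    root = f"arn:aws:iam::{principal_role_arn.split(':')[4]}:root"
    for stmt in _as_list(trust_policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(fnmatchcase("sts:assumerole", a) for a in actions):
            continue
        principal = stmt.get("Principal", {})
        aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        if principal_role_arn in aws or root in aws:
            return True
    return False


def validate_role_chain(source_policy, source_role_arn, target_trust, target_role_arn):
    """Return a list of problems; an empty list means AssumeRole should succeed."""
    problems = []
    if not policy_grants_assume(source_policy, target_role_arn):
        problems.append(f"{source_role_arn} has no sts:AssumeRole grant on {target_role_arn}")
    if not trust_policy_trusts(target_trust, source_role_arn):
        problems.append(f"trust policy of {target_role_arn} does not name {source_role_arn}")
    return problems


def summarize_instance(db):
    """Reduce a DescribeDBInstances record to what a discovery UI would show."""
    endpoint = db.get("Endpoint") or {}
    address = f"{endpoint['Address']}:{endpoint['Port']}" if endpoint else None
    return {"id": db["DBInstanceIdentifier"], "engine": db.get("Engine"), "endpoint": address}


def discover_rds_via_role(role_arn, region, session_name="pmm-rds-discovery"):
    """Assume role_arn with STS and list RDS instances using only the short-lived
    credentials it returns. Live call: needs boto3 and source-role credentials."""
    import boto3  # deferred so the offline checks above run without it

    creds = boto3.client("sts").assume_role(
        RoleArn=role_arn, RoleSessionName=session_name, DurationSeconds=900
    )["Credentials"]
    rds = boto3.client(
        "rds", region_name=region,
        aws_access_key_id=creds["AccessKeyId"],
        aws_secret_access_key=creds["SecretAccessKey"],
        aws_session_token=creds["SessionToken"],
    )
    found = []
    for page in rds.get_paginator("describe_db_instances").paginate():
        found.extend(summarize_instance(db) for db in page["DBInstances"])
    return found


# Constructed to mirror the comment's policies; accounts and names are placeholders.
SOURCE_ROLE_ARN = "arn:aws:iam::999999999999:role/pmm-server-role"
TARGET_ROLE_ARN = "arn:aws:iam::000000000000:role/pmm-assumable"
SOURCE_POLICY = {"Statement": [{"Action": ["sts:AssumeRole"], "Effect": "Allow",
                                "Resource": [TARGET_ROLE_ARN,
                                             "arn:aws:iam::111111111111:role/pmm-assumable"]}]}
TARGET_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": SOURCE_ROLE_ARN}, "Action": "sts:AssumeRole"}]}

if __name__ == "__main__":
    caller = role_arn_from_caller_identity(
        "arn:aws:sts::999999999999:assumed-role/pmm-server-role/botocore-session-1744757000")
    print("problems:", validate_role_chain(SOURCE_POLICY, caller, TARGET_TRUST_POLICY, TARGET_ROLE_ARN) or "none")
    # Live discovery (uncomment with real credentials for the source role):
    # print(discover_rds_via_role(TARGET_ROLE_ARN, "us-east-1"))
```

The `DurationSeconds=900` in the live call is the STS minimum, which suits a one-shot discovery: the temporary keys expire shortly after the listing completes, and the long-lived identity PMM runs under never touches RDS in the target account directly.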
Hi all,
Can anyone tell me whether this feature is enabled?
Regards, Sarma