Copyright © 2024

Passwordless Access to AWS RDS PostgreSQL

Configure access to your RDS PostgreSQL databases without the need for traditional passwords.


Last updated 6 months ago

The BastionZero product is maintained for existing BastionZero customers only.

Moving forward, we are natively rebuilding BastionZero’s technology as Cloudflare’s service.

Introduction

In this guide, we'll show you how to set up passwordless access to your RDS PostgreSQL databases, using IAM database authentication in place of a stored password.

There are seven basic steps to this process:

  1. Prepare your BastionZero Account

  2. Configure AWS IAM Role

  3. Launch an EC2 Instance

  4. Install BastionZero agent on EC2 Instance

  5. Create & Configure an RDS Database

  6. Attach RDS instance to EC2 instance

  7. Create BastionZero access policy

Preparing your BastionZero Account

For the purposes of this guide, we will assume you have already signed up for a BastionZero account, have your BastionZero account integrated with your IdP, and have the ZLI installed on your local machine. Once that is complete, we'll do a few things in our BastionZero account to set ourselves up for success, as outlined below:

  • Log in to the BastionZero web app at cloud.bastionzero.com

  • Create a registration key. Once you sign in, select "Create" in the upper right-hand corner and choose "API Key."

We'll use this registration key when installing the agent below. Hang onto it, and store it as you would any other credential: it lets a machine register as a target in your organization.

AWS IAM Role Configuration

Attach Permissions Policies

  • Head to the IAM policies page. Click on "Create policy."

  • In the JSON tab of the create policy screen, replace any existing content with the following JSON object. You need to modify the Resource definition to match the database you wish to access in a password-less fashion. The general structure is:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "rds-db:*",
            "Resource": "arn:aws:rds-db:RDS_DATABASE_REGION:YOUR_AWS_ACCOUNT_ID:dbuser:*/*"
        }
    ]
}

In this policy the service is rds-db, the region is RDS_DATABASE_REGION (for example us-east-1), the account ID is your own, and the resource-type/resource-ID is dbuser:*/*, meaning the policy applies to every IAM-enabled database user on every RDS instance in that region. That is convenient for a walkthrough but broad for production: the only action in the rds-db namespace is rds-db:connect, and the resource can be narrowed to a single instance and user, as in arn:aws:rds-db:REGION:ACCOUNT_ID:dbuser:DB_RESOURCE_ID/db_userx. Note that DB_RESOURCE_ID is the instance's resource ID (it starts with "db-" and is shown on the instance's Configuration tab), not the DB instance identifier you type when creating the database.

  • Click on "Next."

  • Name the policy, for example, "RDS_Impersonation_Policy."

  • Click on "Create policy."

Creating IAM Role

  • Access IAM (Identity & Access Management) in the AWS console.

  • Click on "Roles" then "Create role."

Set up the trust relationship

  • Select "AWS service" as the type of trusted entity.

  • For the service that will use this role, choose "EC2".

  • Click on "Next".

Attach the newly created Policy to the Role

  • In the search box, search for the name of the policy you just created (e.g. "RDS_Impersonation_Policy").

  • Check the box next to your newly created policy.

  • Click "Next: Review."

Review and create the Role

  • Enter the role name, for instance, "RDS Impersonator."

  • Review the role and click "Create role."

  • You now have an IAM role named "RDS Impersonator" that an EC2 instance can assume, carrying a policy that lets that instance authenticate to RDS as a database user.

Launch an EC2 Instance

  • Navigate to the EC2 Dashboard by selecting "EC2" from the list of services.

  • Click on the "Launch Instances" button.

  • Give your instance a name.

  • Choose an Amazon Machine Image (AMI).

  • Choose an instance type (we're using a t2.micro in this case).

Create a new key pair or choose an existing one

  • When you launch your instance, you need to select a key pair that you'll use to SSH into your instance to install the BastionZero agent. If you don't have an existing key pair, you can create a new one. Be sure to download and securely store the private key file (.pem).

Configure Advanced Details

  • In the "Advanced Details" section, look for the "IAM instance profile" field. It is in this drop-down list that you'll select the IAM role that you want to assign to the EC2 instance. Click on the "IAM instance profile" drop-down list and you should see the "RDS Impersonator" role that you created earlier. Select this role.

  • After you've selected the role, continue to configure storage, add tags, and configure the security group as per your requirement.

  • Review your choices and then click "Launch."

View Instances

  • Click on "View Instances" to go back to your EC2 Dashboard. Here, you should see your instance launching.

  • It may take a few minutes for your instance to launch. Once it's running, you can connect to it using the key pair that you specified when launching the instance.

Install the BastionZero Agent on EC2

  • SSH into your EC2 instance using the key pair from the previous step.

  • Download and install the BastionZero agent according to the BastionZero installation instructions. You'll need your registration key from the "Preparing your BastionZero Account" section above.

  • Name the target something memorable; we'll need it when we create a database target below.

  • Verify that the target is available in the Targets interface at cloud.bastionzero.com.

Create and Configure RDS Database

Navigate to the RDS Dashboard

  • From the services list, select "RDS" to access the RDS Dashboard.

Create a new RDS Database

  • Click on "Create database."

  • Select the "Standard Create" method and choose the PostgreSQL engine.

  • Choose the version of PostgreSQL that suits your needs.

  • Enter the details under "Settings." Here, the Master username will be "postgres" by default, and you will be asked to enter a password. Remember this password, as you will need it to connect to the database and add your passwordless user.

Configure the Database

  • Specify the database details as needed: DB instance identifier, instance size, storage, etc.

  • Under "Database authentication," enable IAM database authentication (the "Password and IAM database authentication" option). Without this setting on the instance, the rds_iam grant made below has no effect and token-based logins are refused.

  • Under "Connectivity," choose the VPC, subnet group, VPC security group(s), and Availability Zone based on your needs. Because the BastionZero agent on your EC2 instance proxies the connection from inside the VPC, the database does not need to be publicly accessible for this guide; leave "Publicly accessible" set to No unless something else requires reaching it from outside AWS.

Start the Database

  • After all the details have been specified, click on "Create database" at the bottom of the page.

  • Your RDS instance will now be set up. This can take a few minutes.

Attach RDS instance to EC2 instance

  • In the database menu, click “Actions” in the top right and select “Set up EC2 connection.”

  • Select the EC2 instance from above and click “Confirm and set up.”

Connect to the database

  • After the database is available, click on the DB instance name to get the details, including the endpoint.

  • Use a SQL client to connect to the database. You'll need the endpoint, port (usually 5432 for PostgreSQL), username ("postgres"), and the password you created earlier.

Create the "db_userx" user

Once you're connected, you can add a new user. Run the following commands to create the "db_userx" user and grant it the rds_iam role, which tells RDS to authenticate this user with an IAM token instead of a password:

CREATE USER db_userx;
GRANT rds_iam TO db_userx;
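Before handing the database to BastionZero, it is worth confirming from the EC2 instance itself that the IAM side of this setup works: that the instance really runs as the "RDS Impersonator" role, that IAM authentication is enabled on the RDS instance, what the correctly scoped dbuser ARN for the policy above looks like, and that a token-based psql login as db_userx succeeds. The following script is an added example, not part of the BastionZero guide or of any BastionZero tooling; it assumes the AWS CLI v2 and psql are installed on the instance, and uses the guide's example names (database-1, db_userx, us-east-1) as placeholders.

```shell
#!/bin/sh
# Added example (not from the BastionZero guide): pre-flight checks to run on
# the EC2 instance that carries the "RDS Impersonator" instance profile, before
# wiring the database into BastionZero. Assumes AWS CLI v2 and psql are installed.
# database-1, db_userx and the region are placeholders from the guide.
set -eu

# Build the rds-db:connect resource ARN. The fourth field is the
# DbiResourceId (db-XXXX...), not the DB instance identifier.
rds_dbuser_arn() {
    # $1 region, $2 account id, $3 DbiResourceId, $4 database user
    printf 'arn:aws:rds-db:%s:%s:dbuser:%s/%s' "$1" "$2" "$3" "$4"
}

# Return 0 when a policy document still carries the guide's wildcard
# resource ("dbuser:*/*"): connect as any IAM user on any instance in the region.
policy_is_wildcard() {
    printf '%s' "$1" | grep -q 'dbuser:\*/\*'
}

# Emit a least-privilege replacement for the guide's policy, scoped to one ARN.
min_policy() {
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "rds-db:connect",
    "Resource": "$1"
  }]
}
EOF
}

# --- Online checks: need the instance role and network access to AWS/RDS ---

# Which principal is the instance actually running as?
whoami_role() {
    aws sts get-caller-identity --query Arn --output text
}

# IAM database authentication must be on for the instance, or the
# rds_iam grant on the PostgreSQL side is inert.
iam_auth_enabled() {
    aws rds describe-db-instances --db-instance-identifier "$1" \
        --query 'DBInstances[0].IAMDatabaseAuthenticationEnabled' --output text
}

resource_id() {
    aws rds describe-db-instances --db-instance-identifier "$1" \
        --query 'DBInstances[0].DbiResourceId' --output text
}

# Connect once with a short-lived IAM token instead of a password.
# RDS rejects IAM tokens over plaintext, hence sslmode=require.
connect_with_token() {
    # $1 endpoint host, $2 port, $3 region, $4 db user, $5 database name
    token=$(aws rds generate-db-auth-token --hostname "$1" --port "$2" \
        --region "$3" --username "$4")
    PGPASSWORD="$token" psql "host=$1 port=$2 user=$4 dbname=$5 sslmode=require" \
        -c "select current_user, pg_has_role(current_user, 'rds_iam', 'member');"
}

main() {
    # $1 DB instance identifier, $2 endpoint host, $3 region, $4 account id
    echo "running as: $(whoami_role)"
    echo "IAM auth enabled on $1: $(iam_auth_enabled "$1")"
    arn=$(rds_dbuser_arn "$3" "$4" "$(resource_id "$1")" db_userx)
    echo "scope the IAM policy to: $arn"
    min_policy "$arn"
    connect_with_token "$2" 5432 "$3" db_userx postgres
}

# The online part only runs when all four arguments are given, e.g.
#   sh rds-preflight.sh database-1 database-1.cdmphnzvju0l.us-east-1.rds.amazonaws.com us-east-1 123456789012
if [ "$#" -eq 4 ]; then
    main "$@"
fi
```

Run it with the DB instance identifier, endpoint hostname, region and account ID as arguments. If the pg_has_role query returns false, the GRANT above did not take effect; if generate-db-auth-token succeeds but psql is refused, IAM database authentication is most likely not enabled on the instance. Tokens are valid for 15 minutes and RDS only accepts them over TLS, which is why the connection string forces sslmode=require.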

Create BastionZero Targets & Policies

Add a Database Target in BastionZero

  • Navigate to the "Targets" section of the BastionZero cloud app, then click the "Create" button in the top right and select "Database."

  • Give your target a name (e.g., rds-psql).

  • Select the Proxy Target or Proxy Environment as the proxy type. This should be either the target you installed the BastionZero agent on that has access to your database, or an environment with multiple targets with the BastionZero agent installed.

  • Select "Service account injection" for the Authentication Type.

  • Set the Database Type to "AWS Postgres."

  • In the "Remote Host" field, enter the endpoint of your RDS instance (e.g., database-1.cdmphnzvju0l.us-east-1.rds.amazonaws.com). Based on the authentication method and database type chosen, BastionZero will prepend the protocol prefix if it is not provided with the hostname, so you can safely omit the rds://.

  • In the "Remote Port" field, enter the remote database port (e.g.,5432).

  • In the “Local Host” field, enter localhost.

  • Set the "Local Port" to your desired local port (e.g., "1501"). If you do not require this target to open on a specific port, we recommend you leave this field blank, and BastionZero will choose an available port for you when you connect with the ZLI below.

  • Select the environment to place this database target into.

  • Click "Add" to create the database target.

  • You should see this target appear on the Targets page.

Add a Proxy Policy in BastionZero

  • Navigate to the "Policies" section of the BastionZero web app, then click on "Create" in the top right and select "Policy."

  • In the “Policy Type” select “Proxy.”

  • In the "Policy Name" field, enter a name for your policy.

  • In the "Users" section, add users from your IdP who you’d like to be able to access the remote database (this can also include groups or service accounts if those need access, too).

  • Under "Resource Type," you can either write the policy against the database target explicitly, using the "Targets" section, or against an environment, which covers every database target placed in it (for example, the Production environment).

  • In the “Allowed Target Users” section, add the database user from AWS (e.g., db_userx).

  • Click "Save" to create the policy.

Establish a Connection to the Database Using the ZLI

  • From your terminal using the zli, run:

zli connect {database_username}@{database target name}
zli connect db_userx@rds-psql

The command line will output a port that can then be used to connect to the database. This will either be the port number you assigned when creating the target or an available port that BastionZero assigned for you.

Connect to the Database

In your database client, connect to localhost on the port the ZLI printed and specify only your username (db_userx); there is no password to enter. The agent on the EC2 instance uses the instance profile's credentials to authenticate to RDS on your behalf, so no database credential is ever held on your workstation.

Conclusion

Congratulations! You have completed all the necessary steps to set up passwordless access to AWS RDS PostgreSQL. You should now be able to establish a secure connection to your database using the ZLI and your specified username.
