
I'd like to programmatically list my RDS database instances and cluster snapshots, so I've attached the following IAM policy directly to one of my users:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadProdSnapshotsAndInstances",
            "Effect": "Allow",
            "Action": [
                "rds:DescribeDBInstances",
                "rds:DescribeDBClusterSnapshots"
            ],
            "Resource": "*"
        }
    ]
}

But when I execute the following as that user (using the AWS Node.js SDK)...

const AWS = require('aws-sdk'); // AWS SDK for JavaScript v2
const rds = new AWS.RDS();      // credentials and region come from the default provider chain
rds.describeDBInstances({}, (error, data) => {
    if (error) { console.error(error); return; }
    console.log(data.DBInstances);
});

...I get the following error:

AccessDenied: User: arn:aws:iam::<accountId>:user/<userName> is not authorized to perform: rds:DescribeDBInstances

Any idea what I'm doing wrong? This seems like it should be so simple.

Rob Johansen

1 Answer

Your policy is correct for displaying RDS instances and cluster snapshots. Post your entire code so that we can see what the issue is. Also double check your usage of credentials.

Note: I did not test Aurora, only RDS SQL Server.

I ran your policy through the IAM Policy Simulator. DescribeDBInstances and DescribeDBClusterSnapshots passed while other commands failed.

I created a new user "testusers3". I attached your policy to this user.

I downloaded the credentials for this new user and created the profile "testusers3" using the AWS CLI.

The AWS CLI command aws --profile testusers3 rds describe-db-instances works correctly. Other commands such as aws --profile testusers3 rds stop-db-instance --db-instance-identifier XXX fail correctly.

Then I wrote the following Python program to test. This program can correctly display our RDS instances.

import boto3

# Use the named profile created from the new user's downloaded credentials
session = boto3.Session(profile_name='testusers3')
client = session.client('rds')

r = client.describe_db_instances()
for i in r['DBInstances']:
    print(i['DBInstanceIdentifier'], i['DBInstanceClass'], i['Endpoint']['Address'])

John Hanley
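The answer's first check was to run the policy through the IAM Policy Simulator and confirm that the two Describe actions pass while everything else (for example stop-db-instance) fails. The following is an added example, not code from the question or the answer, that reproduces that check offline with a minimal identity-policy evaluator: explicit Deny wins, an Allow is otherwise required, and the default is Deny. The `is_allowed`, `simulate` and `_matches` helpers are mine; wildcard matching via `fnmatch` and the case-insensitive action comparison are simplifications, and Condition blocks, permission boundaries, SCPs and resource policies are deliberately out of scope.

```python
import fnmatch
import json

# The questioner's policy, copied verbatim from the post above.
POLICY = json.loads("""
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadProdSnapshotsAndInstances",
            "Effect": "Allow",
            "Action": [
                "rds:DescribeDBInstances",
                "rds:DescribeDBClusterSnapshots"
            ],
            "Resource": "*"
        }
    ]
}
""")


def _as_list(value):
    """IAM accepts either a string or a list for Action/NotAction/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, fold_case):
    """IAM-style wildcard match: '*' and '?' are the only metacharacters.
    Action names are matched case-insensitively; ARNs are not (simplification)."""
    if fold_case:
        value = value.lower()
        patterns = [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def is_allowed(policy, action, resource="*"):
    """Evaluate one action/resource pair against an identity-based policy
    (hypothetical helper): Deny overrides Allow, and with no match the
    implicit result is Deny."""
    allowed = False
    for stmt in _as_list(policy.get("Statement")):
        if "Action" in stmt:
            action_hit = _matches(_as_list(stmt["Action"]), action, True)
        else:  # NotAction: the statement applies to every action NOT listed
            action_hit = not _matches(_as_list(stmt.get("NotAction")), action, True)
        resource_hit = _matches(_as_list(stmt.get("Resource", "*")), resource, False)
        if not (action_hit and resource_hit):
            continue
        if stmt.get("Effect") == "Deny":
            return False          # explicit deny short-circuits everything else
        if stmt.get("Effect") == "Allow":
            allowed = True        # keep looking in case a later Deny applies
    return allowed


def simulate(policy, actions):
    """Local stand-in for the simulator run in the answer: a verdict per action."""
    return {a: ("allowed" if is_allowed(policy, a) else "denied") for a in actions}


if __name__ == "__main__":
    verdicts = simulate(POLICY, [
        "rds:DescribeDBInstances",        # should pass, as in the answer
        "rds:DescribeDBClusterSnapshots", # should pass, as in the answer
        "rds:StopDBInstance",             # should fail, as with stop-db-instance
        "rds:DescribeDBSnapshots",        # not granted: instance snapshots differ from cluster snapshots
    ])
    for action, verdict in verdicts.items():
        print(f"{action:35} {verdict}")
```

If the local verdict is "allowed" but the API still returns AccessDenied, the policy is not the variable; the principal is. The error message names the ARN AWS actually evaluated, so compare it with the user the policy was attached to, and confirm which credentials the SDK's default provider chain picked up (environment variables, `~/.aws/credentials`, or an instance role) with `aws sts get-caller-identity` or `session.client('sts').get_caller_identity()` using the same session as the RDS call.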