GavinFrazar
commented
1 month ago cloudshell has psql installed, that's how I've done this for private databases.
You have to set it up in the same subnet as the databases (or have a local route) with the right security group configured though:
I don't think we can just hand them a link for that unfortunately.
Another option is to use a Lambda function, which @greedy52 has already tested. By the time they reach this step, we should already have their selected security group and subnets, so we can re-use those for the lambda func. They will still need to provide master user, master user password, and db name to connect to.
@r0mant I think this step might be awkward for us because we are just using throwaway test databases, but not so bad for a customer? They are using these databases for a real purpose already, so they should know how to connect to their own databases by whatever means and provision a postgres role.
greedy52
Once a user gets past the agent deployment step, we ask them to fill out principals and tell that these database users must have
rds_iamrole:This remains probably the most cumbersome step of the flow because a user needs to connect to the database some other way (e.g. by using master user/password) and create the IAM users there. To get it done I had to: install psql locally, hunt down for my database's master user, realize that I don't remember the password and reset it, then connect using psql from my laptop and create the users (which wouldn't have worked at all if the database wasn't available publicly).
Unfortunately, there's no RDS HTTP API for creating the users but I wonder what we can do to simplify this for users. For example, can we implement a helper
teleportCLI command that creates such users based on the entered principals, generate the command for user and give them a link to CloudShell in the database's VPC they can run similar to the IAM script from the "deploy database service" step?