Open r0mant opened 1 month ago

Once a user gets past the agent deployment step, we ask them to fill out principals and tell them that these database users must have the rds_iam role:

This remains probably the most cumbersome step of the flow because a user needs to connect to the database some other way (e.g. by using master user/password) and create the IAM users there. To get it done I had to: install psql locally, hunt down my database's master user, realize that I don't remember the password and reset it, then connect using psql from my laptop and create the users (which wouldn't have worked at all if the database wasn't available publicly).

Unfortunately, there's no RDS HTTP API for creating the users, but I wonder what we can do to simplify this for users. For example, can we implement a helper teleport CLI command that creates such users based on the entered principals, generate the command for the user and give them a link to CloudShell in the database's VPC they can run it from, similar to the IAM script from the "deploy database service" step?

cloudshell has psql installed, that's how I've done this for private databases.

You have to set it up in the same subnet as the databases (or have a local route) with the right security group configured though:

I don't think we can just hand them a link for that unfortunately.

Another option is to use a Lambda function, which @greedy52 has already tested. By the time they reach this step, we should already have their selected security group and subnets, so we can re-use those for the lambda func. They will still need to provide master user, master user password, and db name to connect to.

@r0mant I think this step might be awkward for us because we are just using throwaway test databases, but not so bad for a customer? They are using these databases for a real purpose already, so they should know how to connect to their own databases by whatever means and provision a postgres role.

I haven't tried this personally, but we should explore the RDS Data API as well: https://docs.aws.amazon.com/cli/latest/reference/rds-data/

For this issue we decided to just move the IAM user creation step to the first step in the flow. We can recommend cloudshell in that step as well, but we cannot give them a link that creates the custom VPC env automatically.

I don't think there's anything else we can do here, but this should not be a painful step for someone managing a real database.
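The helper the issue sketches (take the entered principals, emit the SQL that creates each database user and grants it rds_iam, hand the result to the user to run in psql or CloudShell) is small enough to show in full. The following is an added example, not code from the Teleport project or from anyone in this thread; the function and type names (GenerateRoleScript, quoteIdent, quoteLiteral, validatePrincipal) are hypothetical. It assumes the helper only generates a script and the user still runs it with the master credentials, which is what the thread settled on. The security point it adds beyond the discussion is input handling: principal names come from a web form, so they are quoted as PostgreSQL identifiers and string literals rather than interpolated, names PostgreSQL would silently truncate are rejected, and the script is idempotent so re-running it against a database where some roles already exist does not fail halfway through.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"unicode/utf8"
)

// rdsIAMRole is the role RDS for PostgreSQL uses to enable IAM authentication
// for a database user; the issue requires every principal to be granted it.
const rdsIAMRole = "rds_iam"

// quoteIdent returns s as a double-quoted PostgreSQL identifier. Embedded
// double quotes are doubled, so a principal such as `bob"; DROP ROLE x; --`
// stays inside the identifier instead of becoming extra statements.
func quoteIdent(s string) string {
	return `"` + strings.ReplaceAll(s, `"`, `""`) + `"`
}

// quoteLiteral returns s as a single-quoted PostgreSQL string literal,
// doubling embedded single quotes.
func quoteLiteral(s string) string {
	return `'` + strings.ReplaceAll(s, `'`, `''`) + `'`
}

// validatePrincipal rejects names that cannot safely be PostgreSQL role names.
// Assumed policy for this example: empty, non-UTF-8, NUL-containing or
// over-long names are refused, and '$' is refused because the generated
// statements are wrapped in a $$-dollar-quoted DO block.
func validatePrincipal(p string) error {
	switch {
	case p == "":
		return errors.New("empty principal")
	case !utf8.ValidString(p):
		return fmt.Errorf("principal %q is not valid UTF-8", p)
	case strings.ContainsRune(p, 0):
		return fmt.Errorf("principal %q contains NUL", p)
	case strings.ContainsRune(p, '$'):
		return fmt.Errorf("principal %q contains '$', which would break dollar quoting", p)
	case len(p) > 63:
		// NAMEDATALEN-1: PostgreSQL would silently truncate a longer name, so the
		// role created would not match the principal the user typed.
		return fmt.Errorf("principal %q exceeds 63 bytes", p)
	}
	return nil
}

// GenerateRoleScript turns the principals entered in the UI into a SQL script
// that creates each missing login role and grants it rds_iam. Duplicates are
// collapsed, and the CREATE is guarded by a pg_roles lookup so the script can
// be re-run safely; GRANT of an existing membership only emits a NOTICE.
func GenerateRoleScript(principals []string) (string, error) {
	var b strings.Builder
	seen := make(map[string]bool)
	for _, p := range principals {
		if err := validatePrincipal(p); err != nil {
			return "", err
		}
		if seen[p] {
			continue
		}
		seen[p] = true
		fmt.Fprintf(&b,
			"DO $$\nBEGIN\n  IF NOT EXISTS (SELECT 1 FROM pg_catalog.pg_roles WHERE rolname = %s) THEN\n    CREATE ROLE %s LOGIN;\n  END IF;\nEND\n$$;\n",
			quoteLiteral(p), quoteIdent(p))
		fmt.Fprintf(&b, "GRANT %s TO %s;\n", rdsIAMRole, quoteIdent(p))
	}
	return b.String(), nil
}

func main() {
	// Constructed sample input, including a hostile principal name.
	script, err := GenerateRoleScript([]string{"alice", `bob"; DROP ROLE postgres; --`, "alice"})
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Print(script)
}
```

The generated script is what the user would paste into psql after connecting with the master user, as the issue describes; because it is plain SQL it works equally from a laptop, CloudShell in the database's VPC, or a Lambda function, so the helper does not need to solve the connectivity problem the comments discuss.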