jeremydaly / data-api-client

A "DocumentClient" for the Amazon Aurora Serverless Data API
MIT License
446 stars, 63 forks

Resource in sample IAM Policy is invalid #64

Closed aiham closed 4 years ago

aiham commented 4 years ago

I tried to create a policy based on the one in the README:

{
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "rds-data:ExecuteSql",
          "rds-data:ExecuteStatement",
          "rds-data:BatchExecuteStatement",
          "rds-data:BeginTransaction",
          "rds-data:RollbackTransaction",
          "rds-data:CommitTransaction"
        ],
        "Resource": "arn:aws:rds:us-east-1:XXXXXXXX:cluster:YYYYYYYYY"
      },
      {
        "Effect": "Allow",
        "Action": [ "secretsmanager:GetSecretValue" ],
        "Resource": "arn:aws:secretsmanager:us-east-1:XXXXXXXX:secret:ZZZZZZZZZ"
      }
    ]
}

The AWS policy UI showed this error:

[screenshot: iampolicyerror]

Going through with the policy, the visual editor shows a better error:

[screenshot: iampolicyerror2]

I found this in the docs:

Amazon RDS Data API does not support specifying a resource ARN in the Resource element of an IAM policy statement. To allow access to Amazon RDS Data API, specify “Resource”: “*” in your policy.

https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonrdsdataapi.html#amazonrdsdataapi-resources-for-iam-policies

aiham commented 4 years ago

I actually prefer resource-level policies. If you have an alternative syntax that does work please let me know, otherwise all I can find in the AWS documentation is a recommendation to use "Resource": "*".

ffxsam commented 4 years ago

Interesting. The visual editor does complain about it, but the permissions in my IAM role work perfectly fine. I'll reach out to AWS support to get clarification on this.

jeremydaly commented 4 years ago

Mine works fine as well. This is potentially an update as this clearly worked in the past.

ffxsam commented 4 years ago

Here's what AWS tech support had to say:

As best practice we recommend specifying “Resource”: “*” in your policy even though you only want to use the RDS Data API for a specific RDS resource. This is because all the actions defined by the Amazon RDS Data API do not support resource-level permissions [1]. Thus, using a specific RDS resource will result in the warning that you see on the visual editor: 'The action in your policy does not support resource-level permissions and requires you to choose All resources'. Please note that I have replicated your use case in my test environment and I was able to confirm your observation.

I understand that the public documentation may be misleading by mentioning that "Amazon RDS Data API does not support specifying a resource ARN in the Resource element of an IAM policy statement". With your confirmation, I would like to offer to create an internal ticket for our documentation team so they can amend this statement and mention that a warning will be thrown when you use a specific resource in your policy. However, to my knowledge, the statement in the public documentation is to encourage our customers to use the recommended best practices.

[1] https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonrdsdataapi.html#amazonrdsdataapi-actions-as-permissions

I also asked a couple of related questions:

Q: "I'm wondering if using specific resources for Data API will eventually be deprecated?" And their reply was:

There is currently no indication that using specific resources will be deprecated; however, the warning that you are receiving indicates that there is a violation in the way that the IAM policy for RDS Data API should be configured. IAM policies were designed to be dynamic and flexible to customers' use cases. The public documentation provides guidelines on the best practices to use these policies.

Q: "Should I change my config [to use '*']?"

Yes, I would recommend using “Resource”: “*” in the policy. This will be beneficial in the future should you wish to access another RDS resource using the RDS Data API. Also, should the current resource's ARN change (maybe due to modifying the DB cluster identifier) you would still be able to use the same IAM policy to access the DB cluster using the RDS Data API without having to update the policy.

ffxsam commented 4 years ago

@jeremydaly I don't have any objection to merging #65, do you?

aiham commented 4 years ago

Thanks for getting those answers! Maybe it's worth adding a little explainer to it and linking to your comment here. If I was a future reader I'd probably get the wrong impression on just seeing * used without a good reason.

aiham commented 4 years ago

Also I haven't had a chance to test it myself but wanted to confirm if you have 2 clusters running and specify 1 cluster in the policy resource, will that IAM user correctly be restricted to the 1 cluster or will they have access to both/neither?

ffxsam commented 4 years ago

Yes, I'm pretty positive if you restrict the Resource to just a single cluster, the actions will only be allowed on that cluster. Otherwise that would be a rather big security issue.

It's a bit strange to me that Amazon is encouraging using Resource: * instead of just fixing the actions that don't work with specific resources. Data API still feels very beta to me. They return numbers as strings, and don't support several data types in Postgres (like money).

aiham commented 4 years ago

Yeah that's a pretty confusing recommendation then. I would just link to all of this information from the README, it's quite good to know.

jeremydaly commented 4 years ago

Let me take a look tomorrow morning and verify.

jeremydaly commented 4 years ago

I think we need some context in the README as @aiham suggests. From a security standpoint, you can still control access to individual databases/tables using Secrets Manager. So while I think this is a poor implementation, it doesn't compromise security.

Thanks for the research @ffxsam (and everyone else). I'll merge these changes today and then add some context to the README.
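The workaround this thread settles on (AWS support's answer above: "Resource": "*" for the rds-data actions, with the per-cluster restriction moved to the Secrets Manager secret, as @jeremydaly notes) is easy to get half-right by hand. The following is an added example, not code from this issue or from the data-api-client project: a small Python checker that flags the two pitfalls discussed here in a policy document and rewrites it into the recommended shape. The sample policy is the README policy quoted at the top of the issue with its placeholder ARNs; the secret ARN passed to `rewrite_policy` is likewise a placeholder. It encodes what support said at the time of this thread, so verify the resource-level-permission behaviour against the current IAM action reference before relying on it.

```python
import copy
import json

# Constructed sample: the README policy quoted in this issue (placeholder ARNs).
README_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "rds-data:ExecuteSql",
                "rds-data:ExecuteStatement",
                "rds-data:BatchExecuteStatement",
                "rds-data:BeginTransaction",
                "rds-data:RollbackTransaction",
                "rds-data:CommitTransaction",
            ],
            "Resource": "arn:aws:rds:us-east-1:XXXXXXXX:cluster:YYYYYYYYY",
        },
        {
            "Effect": "Allow",
            "Action": ["secretsmanager:GetSecretValue"],
            "Resource": "arn:aws:secretsmanager:us-east-1:XXXXXXXX:secret:ZZZZZZZZZ",
        },
    ],
}


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_issues(policy):
    """Return (statement_index, message) pairs for the two pitfalls in this thread:
    rds-data actions scoped to a specific ARN (the visual editor warning), and
    secretsmanager:GetSecretValue on "*", which under the "*"-for-rds-data
    approach throws away the only per-cluster control that is left."""
    issues = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        has_rds_data = any(a.startswith("rds-data:") for a in actions)
        has_secret_read = any(
            a in ("secretsmanager:GetSecretValue", "secretsmanager:*") for a in actions
        )
        if has_rds_data and resources != ["*"]:
            issues.append((i, 'rds-data actions require Resource "*"'))
        if has_secret_read and "*" in resources:
            issues.append((i, "secretsmanager:GetSecretValue should name the DB secret ARN(s)"))
    return issues


def rewrite_policy(policy, secret_arns):
    """Apply the workaround from this thread and return a new policy object:
    rds-data actions get Resource "*", secretsmanager:GetSecretValue is pinned
    to the given secret ARNs. A statement that mixes the two is split so each
    half gets its own Resource; other statements are copied unchanged."""
    fixed = copy.deepcopy(policy)
    rewritten = []
    for stmt in fixed.get("Statement", []):
        actions = _as_list(stmt.get("Action"))
        rds = [a for a in actions if a.startswith("rds-data:")]
        sec = [a for a in actions if a == "secretsmanager:GetSecretValue"]
        other = [a for a in actions if a not in rds and a not in sec]
        if stmt.get("Effect") != "Allow" or not (rds or sec):
            rewritten.append(stmt)
            continue
        parts = []
        if other:
            parts.append({**stmt, "Action": other})
        if rds:
            parts.append({**stmt, "Action": rds, "Resource": "*"})
        if sec:
            parts.append({**stmt, "Action": sec, "Resource": list(secret_arns)})
        if len(parts) > 1:  # IAM rejects duplicate Sids, so drop them on a split
            for p in parts:
                p.pop("Sid", None)
        rewritten.extend(parts)
    fixed["Statement"] = rewritten
    return fixed


if __name__ == "__main__":
    for idx, msg in find_issues(README_POLICY):
        print(f"statement {idx}: {msg}")
    secret = "arn:aws:secretsmanager:us-east-1:XXXXXXXX:secret:ZZZZZZZZZ"  # placeholder
    print(json.dumps(rewrite_policy(README_POLICY, [secret]), indent=2))
```

Note that this keeps `rds-data:ExecuteSql` only because the README policy lists it; the checker does not opine on which rds-data actions you need. Also, `find_issues` treats any statement where the secret is readable on `"*"` as a finding, because once rds-data is on `"*"`, the secret ARN is the thing that decides which cluster a principal can actually reach.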