AWS RDS Proxy configuration
I need to create a VPC + RDS Postgres DB + RDS Proxy with private subnets. I'm setting up everything with CloudFormation using serverless.
I'm able to configure everything except the RDS Proxy: when I run serverless deploy, the deployment hangs when creating the Target group and eventually shows a timeout error.
This is what I see in the AWS Console, even if I do the full process manually:
When I run aws rds describe-db-proxy-targets --db-proxy-name so-proxy-rds-db-proxy, this is what I get:
{
    "Targets": [
        {
            "Endpoint": "so-proxy-rds-db.csy8ozys6dtv.us-west-2.rds.amazonaws.com",
            "RdsResourceId": "so-proxy-rds-db",
            "Port": 5432,
            "Type": "RDS_INSTANCE",
            "Role": "READ_WRITE",
            "TargetHealth": {
                "State": "UNAVAILABLE",
                "Reason": "AUTH_FAILURE",
                "Description": "Proxy does not have any registered credentials"
            }
        }
    ]
}
However, I'm able to see them in the Secrets Manager. This is the reproducible configuration:
service: so-proxy-rds
frameworkVersion: "=2.49.0"
variablesResolutionMode: 20210326
configValidationMode: error
provider:
  name: aws
  runtime: nodejs14.x
  region: us-west-2
  versionFunctions: false
  memorySize: 1024
  timeout: 30
resources:
  Resources:
    VPC:
      Type: AWS::EC2::VPC
      Properties:
        CidrBlock: 10.0.0.0/16
        EnableDnsSupport: true
        EnableDnsHostnames: true
        Tags:
          - Key: Name
            Value: vpc
    PrivateSubnetA:
      Type: AWS::EC2::Subnet
      Properties:
        VpcId:
          Ref: VPC
        CidrBlock: 10.0.2.0/24
        AvailabilityZone:
          Fn::Select:
            - 0
            - Fn::GetAZs: ""
        Tags:
          - Key: Name
            Value: private-A
    PrivateSubnetB:
      Type: AWS::EC2::Subnet
      Properties:
        VpcId:
          Ref: VPC
        CidrBlock: 10.0.3.0/24
        AvailabilityZone:
          Fn::Select:
            - 1
            - Fn::GetAZs: ""
        Tags:
          - Key: Name
            Value: private-B
    PrivateRouteTable:
      Type: AWS::EC2::RouteTable
      Properties:
        VpcId:
          Ref: VPC
        Tags:
          - Key: Name
            Value: private
    PrivateSubnetARouteTableAssociation:
      Type: AWS::EC2::SubnetRouteTableAssociation
      Properties:
        SubnetId:
          Ref: PrivateSubnetA
        RouteTableId:
          Ref: PrivateRouteTable
    PrivateSubnetBRouteTableAssociation:
      Type: AWS::EC2::SubnetRouteTableAssociation
      Properties:
        SubnetId:
          Ref: PrivateSubnetB
        RouteTableId:
          Ref: PrivateRouteTable
    OpenSecurityGroup:
      Type: AWS::EC2::SecurityGroup
      Properties:
        GroupDescription: 'Open firewall'
        GroupName: ${self:service}-open
        SecurityGroupEgress:
          - CidrIp: 0.0.0.0/0
            IpProtocol: "-1"
        SecurityGroupIngress:
          - CidrIp: 0.0.0.0/0
            IpProtocol: "-1"
        VpcId:
          Ref: VPC
    DBSubnetGroup:
      Type: AWS::RDS::DBSubnetGroup
      Properties:
        DBSubnetGroupDescription: DB subnet group
        SubnetIds:
          - Ref: PrivateSubnetA
          - Ref: PrivateSubnetB
    PostgresDB:
      Type: AWS::RDS::DBInstance
      Properties:
        DBInstanceIdentifier: db
        DBName: test_db
        AllocatedStorage: 20
        DBInstanceClass: db.t2.micro
        DBSubnetGroupName:
          Ref: DBSubnetGroup
        Engine: postgres
        EngineVersion: 11.12 # only up to version 11 supports proxy
        MasterUsername: test_user
        MasterUserPassword: test_pass
        PubliclyAccessible: false
        VPCSecurityGroups:
          - Ref: OpenSecurityGroup
      DeletionPolicy: Delete
    ProxySecretValues:
      Type: 'AWS::SecretsManager::Secret'
      Properties:
        Name: proxy-secrets
        SecretString: '{"username":"test_user","password":"test_pass"}'
    DBProxy:
      Type: AWS::RDS::DBProxy
      Properties:
        DBProxyName: db-proxy
        EngineFamily: POSTGRESQL
        RoleArn:
          Fn::GetAtt:
            - DBProxyRole
            - Arn
        Auth:
          - AuthScheme: SECRETS
            IAMAuth: DISABLED
            SecretArn:
              Ref: ProxySecretValues
        VpcSubnetIds:
          - Ref: PrivateSubnetA
          - Ref: PrivateSubnetB
        VpcSecurityGroupIds:
          - Ref: OpenSecurityGroup
    DBProxyTargetGroup:
      Type: "AWS::RDS::DBProxyTargetGroup"
      Properties:
        DBInstanceIdentifiers:
          - Ref: PostgresDB
        DBProxyName:
          Ref: DBProxy
        TargetGroupName: default
    DBProxyRole:
      Type: "AWS::IAM::Role"
      Properties:
        AssumeRolePolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Principal:
                Service:
                  - "rds.amazonaws.com"
              Action:
                - "sts:AssumeRole"
        ManagedPolicyArns:
          - Ref: DBProxyPolicy
        RoleName: db-proxy-role
    DBProxyPolicy:
      Type: "AWS::IAM::ManagedPolicy"
      Properties:
        ManagedPolicyName: db-proxy-policy
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Action:
                - "secretsmanager:*"
              Resource: '*'
            - Effect: Allow
              Action:
                - "kms:*"
              Resource: '*'
Any help is greatly appreciated, thanks.
I don't see the role for the RoleArn entry declared in your "DBProxy" resource.
See the documentation:
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-rds-dbproxy.html?icmpid=docs_cfn_console_designer
Take note of the "RoleArn" in the CF snippet below:
"Resources": {
    "TestDBProxy": {
        "Type": "AWS::RDS::DBProxy",
        "Properties": {
            "DebugLogging": true,
            "DBProxyName": {
                "Ref": "ProxyName"
            },
            "EngineFamily": "MYSQL",
            "IdleClientTimeout": 120,
            "RequireTLS": true,
            "RoleArn": {
                "Ref": "BootstrapSecretReaderRoleArn"
            },
            "Auth": [
                {
                    "AuthScheme": "SECRETS",
                    "SecretArn": {
                        "Ref": "BootstrapProxySecretArn"
                    },
                    "IAMAuth": "DISABLED"
                }
            ],
            "VpcSubnetIds": {
                "Fn::Split": [
                    ",",
                    {
                        "Ref": "SubnetIds"
                    }
                ]
            }
        }
    }
}
I'm unable to replicate the same error you had, but I had the same error message and managed to resolve it by going to the CloudWatch service and searching for the 'rds/proxy' log group. You will be able to get a more granular error message. The output for aws rds describe-db-proxy-targets --db-proxy-name so-proxy-rds-db-proxy was very misleading. In my case, I never gave RDS permission to assume my proxy role. It can be quickly fixed with
Statement:
  - Effect: Allow
    Principal:
      Service:
        - "rds.amazonaws.com"
    Action:
      - "sts:AssumeRole"
Hope this will be helpful.
Did you fix this issue? I'm facing the same.. @marcos
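A local check for the proxy wiring in the question's template and for the missing trust relationship described in the second answer, as an added example that is not part of the question or either answer. It walks the Resources section as a Python dict (load the YAML or JSON template with a parser of your choice; the SAMPLE below is a constructed dict mirroring the question's DBProxy, DBProxyRole, DBProxyPolicy and ProxySecretValues), verifies that the proxy's RoleArn points at a role that rds.amazonaws.com may assume and that can read the secret named in Auth, and flags the secretsmanager:* on Resource '*' grant so the role can be scoped down to secretsmanager:GetSecretValue on the proxy's secret. The names check_proxy, logical_id, as_list and untrusted_variant are my own.

```python
"""Static checks for the RDS Proxy wiring in a CloudFormation Resources section.
Added example, not code from the question or the answers."""
import copy

RDS_SERVICE = "rds.amazonaws.com"
SECRET_READ = ("secretsmanager:GetSecretValue", "secretsmanager:*", "*")


def logical_id(value):
    """Logical id behind {"Ref": id} or {"Fn::GetAtt": [id, attr]}; None otherwise."""
    if isinstance(value, dict):
        if "Ref" in value:
            return value["Ref"]
        if "Fn::GetAtt" in value:
            return value["Fn::GetAtt"][0]
    return None


def as_list(value):
    """IAM documents allow a bare string wherever a list is also legal."""
    return value if isinstance(value, list) else [value]


def check_proxy(resources, proxy_id):
    """Return a list of findings for one AWS::RDS::DBProxy; empty means the wiring looks right."""
    findings = []
    proxy = resources[proxy_id]["Properties"]
    role_id = logical_id(proxy.get("RoleArn"))
    role = resources.get(role_id)
    if not role or role.get("Type") != "AWS::IAM::Role":
        return [f"{proxy_id}: RoleArn does not point at an AWS::IAM::Role in this template"]

    # 1. Trust policy: RDS must be allowed to assume the role (the second answer's root cause).
    trusted = False
    for s in role["Properties"]["AssumeRolePolicyDocument"]["Statement"]:
        principal = s.get("Principal")
        services = as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if (s.get("Effect") == "Allow" and RDS_SERVICE in services
                and "sts:AssumeRole" in as_list(s.get("Action", []))):
            trusted = True
    if not trusted:
        findings.append(f"{role_id}: trust policy does not allow {RDS_SERVICE} to call sts:AssumeRole")

    # 2. Every Auth entry must reference a secret defined in the template.
    for auth in proxy.get("Auth", []):
        secret = resources.get(logical_id(auth.get("SecretArn")))
        if not secret or secret.get("Type") != "AWS::SecretsManager::Secret":
            findings.append(f"{proxy_id}: Auth.SecretArn does not point at an AWS::SecretsManager::Secret")

    # 3. Permissions: gather statements from inline policies and template-defined managed policies.
    statements = []
    for pol in role["Properties"].get("Policies", []):
        statements += pol["PolicyDocument"]["Statement"]
    for arn in role["Properties"].get("ManagedPolicyArns", []):
        managed = resources.get(logical_id(arn))
        if managed and managed.get("Type") == "AWS::IAM::ManagedPolicy":
            statements += managed["Properties"]["PolicyDocument"]["Statement"]
    can_read = False
    for s in statements:
        actions = as_list(s.get("Action", []))
        if s.get("Effect") != "Allow" or not any(a in SECRET_READ for a in actions):
            continue
        can_read = True
        if any(a.endswith("*") for a in actions):
            findings.append(f"{role_id}: wildcard action {actions}; grant secretsmanager:GetSecretValue only")
        if "*" in as_list(s.get("Resource", [])):
            findings.append(f"{role_id}: secret read allowed on Resource '*'; scope it to the proxy secret ARN")
    if not can_read:
        findings.append(f"{role_id}: no statement allows secretsmanager:GetSecretValue")
    return findings


# Constructed sample mirroring the proxy-related resources of the question's template.
SAMPLE = {
    "ProxySecretValues": {"Type": "AWS::SecretsManager::Secret",
                          "Properties": {"Name": "proxy-secrets"}},
    "DBProxyPolicy": {"Type": "AWS::IAM::ManagedPolicy", "Properties": {"PolicyDocument": {
        "Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": ["secretsmanager:*"], "Resource": "*"},
            {"Effect": "Allow", "Action": ["kms:*"], "Resource": "*"}]}}},
    "DBProxyRole": {"Type": "AWS::IAM::Role", "Properties": {
        "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Principal": {"Service": [RDS_SERVICE]}, "Action": ["sts:AssumeRole"]}]},
        "ManagedPolicyArns": [{"Ref": "DBProxyPolicy"}]}},
    "DBProxy": {"Type": "AWS::RDS::DBProxy", "Properties": {
        "EngineFamily": "POSTGRESQL", "RoleArn": {"Fn::GetAtt": ["DBProxyRole", "Arn"]},
        "Auth": [{"AuthScheme": "SECRETS", "IAMAuth": "DISABLED", "SecretArn": {"Ref": "ProxySecretValues"}}]}},
}


def untrusted_variant():
    """Constructed copy of SAMPLE whose role trusts nobody, as in the second answer's case."""
    broken = copy.deepcopy(SAMPLE)
    broken["DBProxyRole"]["Properties"]["AssumeRolePolicyDocument"]["Statement"] = []
    return broken


if __name__ == "__main__":
    for name, res in (("as posted", SAMPLE), ("missing trust", untrusted_variant())):
        print(name)
        for finding in check_proxy(res, "DBProxy"):
            print("  -", finding)
```

On the template as posted the check reports only the two least-privilege findings (wildcard action and wildcard resource); on the variant without the trust statement it also reports that rds.amazonaws.com cannot assume the role. Either way, the CloudWatch rds/proxy log group the second answer points to is where the live proxy reports which of these actually bit.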