
How to add the ip of an instance in a vpc to the security group of rds ec2 classic instance with aws cli

I describe my scenario, which is not like the one described here Unable to add Ec2 VPC Security group in Non VPC RDS MySQL Security group? or here Adding Spot Instances to the Security Group of an RDS Instance : I have a fleet of spots in an EC2 VPC and I want to give you access to an RDS database that is in EC2 Classic. Just like the second link, my spots are renewed from time to time and I have to be able to add the IP of the launched machine to the security group of the RDS instance.

The configuration from the console is possible and works fine, just go to the security group of your rds instance and add a rule with a CIDR/IP.

But when doing so from the CLI with this command: aws rds authorize-db-security-group-ingress --db-security-group-name default --cidrip xxx.xx.x.xxx/32

I get this error: HTTPSConnectionPool(host='ec2.eu-west-1c.amazonaws.com', port=443): Max retries exceeded with url: / (Caused by NewConnectionError('<botocore.awsrequest.AWSHTTPSConnection object at 0x__________>: Failed to establish a new connection: [Errno -2] Name or service not known',))

Details

  • I created an IAM user with this Permissions boundary: AuthorizeDBSecurityGroupIngress

  • Both the spot VPC instances and the RDS EC2 Classic instance are in the same eu-west-1c availability zone.

The documentation of the command (https://docs.aws.amazon.com/cli/latest/reference/rds/authorize-db-security-group-ingress.html) doesn't specifically say that you can't do this. Also, it would be strange if it could be done from the console and not from the CLI.

I don't know what I'm missing, any ideas?

There's another way of using Security Groups: instead of using an IP, you use a security group ID.

For example:

You create a new security group, let's call it "MySpecialSG". Don't add any rules to this SG.

Then create a new SG, let's call it "Allow my Other SG". Now you will add an inbound rule, but instead of using IPs, you will use "MySpecialSG" group ID and the port you need.

This last SG is the one that you will assign to your DB instance.

I've finally solved the problem. The solution was that I was not adding the IAM user credentials with the access policy necessary to perform that action.

To use the AWS CLI from the user-data of the instance, you have to export the credentials of that IAM user as environment variables.
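The following user-data style script is an added example, not code from the question or either answer. It ties together the CLI command from the question (opening the EC2-Classic DB security group to the launched instance's /32), the security-group-ID alternative from the first answer, and the credential point from the accepted answer. It assumes the instance carries an IAM role (instance profile) permitted to call rds:AuthorizeDBSecurityGroupIngress, so no static keys have to be written into user-data; if you export the IAM user's keys as the accepted answer does, do so before the script runs and the CLI will pick them up. DB_SG_NAME, the MySpecialSG / "Allow my Other SG" names, port 3306 and the IMDS lookup are assumptions for illustration. Note that the failing hostname on the page contains an availability zone (eu-west-1c); the script derives the region (eu-west-1) from the zone before calling the API, so the endpoint it resolves is a region endpoint.

```shell
#!/bin/sh
# Added example (not from the original question or answers). Assumes:
# - an instance profile allowing rds:AuthorizeDBSecurityGroupIngress, or
#   AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY exported beforehand,
# - DB_SG_NAME names an EC2-Classic DB security group ("default" on the page),
# - IMDSv2 at 169.254.169.254 is reachable (only true on the instance itself).
set -eu

DB_SG_NAME="${DB_SG_NAME:-default}"

# eu-west-1c is an availability zone; the API endpoint needs the region
# (eu-west-1). Strip the trailing zone letter from an AZ name.
region_from_az() {
  printf '%s\n' "$1" | sed 's/[a-z]$//'
}

# Turn a bare IPv4 address into the single-host CIDR the RDS API expects.
cidr32() {
  case "$1" in
    */*) printf '%s\n' "$1" ;;      # already a CIDR, pass through
    *)   printf '%s/32\n' "$1" ;;
  esac
}

# Accept only a dotted-quad /32 so a typo cannot open a wider range.
valid_cidr32() {
  printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/32$'
}

# Read one metadata path via IMDSv2 (token first, then the value).
imds_get() {
  tok=$(curl -sS -X PUT "http://169.254.169.254/latest/api/token" \
        -H "X-aws-ec2-metadata-token-ttl-seconds: 60")
  curl -sS -H "X-aws-ec2-metadata-token: $tok" \
       "http://169.254.169.254/latest/meta-data/$1"
}

# EC2-Classic style rule: open the DB security group to one /32.
authorize_db_sg_cidr() {
  cidr=$1; region=$2
  valid_cidr32 "$cidr" || { echo "refusing non-/32 CIDR: $cidr" >&2; return 1; }
  aws rds authorize-db-security-group-ingress \
      --region "$region" \
      --db-security-group-name "$DB_SG_NAME" \
      --cidrip "$cidr"
}

# VPC alternative from the first answer: reference a group ID, not an IP.
# MySpecialSG stays empty and is attached to the spot instances; the second
# group allows MySpecialSG on $port and is the one attached to the DB.
create_sg_referencing_pair() {
  vpc_id=$1; port=$2; region=$3
  src=$(aws ec2 create-security-group --region "$region" --vpc-id "$vpc_id" \
        --group-name MySpecialSG --description "source group for DB access" \
        --query GroupId --output text)
  dst=$(aws ec2 create-security-group --region "$region" --vpc-id "$vpc_id" \
        --group-name "Allow my Other SG" --description "allows MySpecialSG" \
        --query GroupId --output text)
  aws ec2 authorize-security-group-ingress --region "$region" \
      --group-id "$dst" --protocol tcp --port "$port" --source-group "$src"
  printf 'source=%s db=%s\n' "$src" "$dst"
}

main() {
  az=$(imds_get placement/availability-zone)
  ip=$(imds_get public-ipv4)
  authorize_db_sg_cidr "$(cidr32 "$ip")" "$(region_from_az "$az")"
}

# Only touch AWS when explicitly asked, so the helpers can be sourced or tested.
if [ "${1:-}" = "--apply" ]; then
  main
fi
```

Run it as `sh authorize-self.sh --apply` from user-data to add the instance's own public IP; call `create_sg_referencing_pair vpc-xxxxxxxx 3306 eu-west-1` once (by hand) if the database is moved into the VPC and the group-ID approach from the first answer is preferred. Because the rule is a /32 per launch, old rules for terminated spots accumulate; the matching `aws rds revoke-db-security-group-ingress` call with the same `--cidrip` removes them.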
