
I want to allow my AWS IAM user to be able to create RDS instances via the AWS UI. So I added the policy below:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "rds:*",
            "Resource": "*"
        }
    ]
}

While users can get into the "Specify DB details" page, when all information is provided and "Next" is clicked, I get the following error:

Currently retrieving account attributes We are currently in the process of retrieving your account attributes. Please try again in a few minutes.

Please advise.

  • That's not a very clear error to me, but it's possible you need describe on some non-RDS resource to be able to get through the wizard. Like maybe ec2:Describe* to see subnets and security groups or something. Console access is rarely as straightforward as API access for that reason. – erik258 Jan 25 '18 at 01:19

1 Answer

According to the documentation:

For a user to work with the Amazon RDS console, that user must have a minimum set of permissions. These permissions allow the user to describe the Amazon RDS resources for their AWS account and to provide other related information, including Amazon EC2 security and network information.

So you seem to be missing some EC2 and network permissions.

The same document suggests using the predefined policies AmazonRDSReadOnlyAccess or AmazonRDSFullAccess. The latter is defined as:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "rds:*",
                "cloudwatch:DescribeAlarms",
                "cloudwatch:GetMetricStatistics",
                "ec2:DescribeAccountAttributes",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeInternetGateways",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSubnets",
                "ec2:DescribeVpcAttribute",
                "ec2:DescribeVpcs",
                "sns:ListSubscriptions",
                "sns:ListTopics",
                "sns:Publish",
                "logs:DescribeLogStreams",
                "logs:GetLogEvents"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": "pi:*",
            "Effect": "Allow",
            "Resource": "arn:aws:pi:*:*:metrics/rds/*"
        },
        {
            "Action": "iam:CreateServiceLinkedRole",
            "Effect": "Allow",
            "Resource": "arn:aws:iam::*:role/aws-service-role/rds.amazonaws.com/AWSServiceRoleForRDS",
            "Condition": {
                "StringLike": {
                    "iam:AWSServiceName": "rds.amazonaws.com"
                }
            }
        }
    ]
}
– kichik
  • Shouldn't RDS be a standalone service where I can configure it first without even having any EC2 instance up and running? If yes, then why do we even need EC2 permissions? – SuicideSheep Jan 25 '18 at 01:32
  • Because RDS runs on EC2, so it needs to configure a few things like security groups, etc. – kichik Jan 25 '18 at 01:32
  • I've just tried to create a DB instance on RDS without any EC2... not sure if I understand correctly, but it seems to me that RDS has nothing to do with EC2 – SuicideSheep Jan 25 '18 at 01:45
  • Either way, that's what the documentation states the RDS **console** requires. – kichik Jan 25 '18 at 01:45
  • Amazon RDS requires access to VPC information such as subnets and security groups. That information is retrieved using some of the `ec2:Describe*` commands. – Matt Houser Jan 25 '18 at 02:47