Introduction:
Connecting your JetBrains IDE to Amazon RDS databases through AWS IAM Identity Center (the service formerly called AWS Single Sign-On, or SSO) lets developers open database connections with their existing AWS login instead of a stored database password: the toolkit requests a short-lived IAM authentication token and uses it as the password. This guide walks you through the setup on both the administrative and the user side. Let's get started!
Prerequisites for accessing Amazon RDS databases
Before you can connect to an Amazon RDS database using the AWS Toolkit for JetBrains, the following must be in place:
AWS IAM Identity Center is used to manage sign-in to your AWS accounts. It is AWS's recommended way to manage authentication, and it is what the toolkit's SSO login talks to.
The Amazon RDS DB instance already exists and has IAM database authentication enabled (it is an option on the instance, which you can switch on with a Modify operation). The AWS Toolkit for JetBrains connects to an existing DB instance; it does not create one. A DB instance is an isolated database environment running in the cloud that can contain multiple user-created databases.
Step 1: Creating a database account using IAM authentication (By Admins)
With IAM database authentication, you don't assign passwords to the database accounts you create: the client presents a token signed with its IAM credentials instead, and each token is valid for 15 minutes. The mapping between a person and a database account is only the IAM permission that allows rds-db:connect for that account name, so if you remove a user or permission set that is mapped to a database account, also remove the database account with the DROP USER statement.
- Using IAM authentication with MariaDB and MySQL
With MariaDB and MySQL, authentication is handled by AWSAuthenticationPlugin, an AWS-provided plugin that checks the IAM token. Connect to the DB instance as the master user or another user who can create users and grant privileges. After connecting, create the account with the plugin, as in the following example. The token is sent as the connection password, so also require SSL/TLS for the account (the AWS documentation recommends this) so it never crosses the network in the clear.
CREATE USER data_scientist IDENTIFIED WITH AWSAuthenticationPlugin AS 'RDS';
ALTER USER data_scientist REQUIRE SSL;
- Using IAM authentication with PostgreSQL
To use IAM authentication with PostgreSQL, connect to the DB instance as the master user or another user who can create users and grant privileges. After connecting, create the database user without a password and grant it the rds_iam role, as in the following example. Once rds_iam is granted, that user can authenticate only with an IAM token, even if a password is later set; grant it the database and table privileges it actually needs as a separate step.
CREATE USER data_scientist;
GRANT rds_iam TO data_scientist;
Step 2: IAM Policy Setup (By Admins)
In the AWS account that owns the database, create an IAM policy with two statements:
- Allow rds:DescribeDBInstances and rds:DescribeDBClusters, so the toolkit's AWS Explorer can list the instances.
- Allow rds-db:connect, but only for the specified database instance and the database user created in Step 1 (data_scientist). The resource ARN for rds-db:connect has the form arn:aws:rds-db:<region>:<account>:dbuser:<DbiResourceId>/<db-user>. The DbiResourceId is the instance's generated resource ID (db-... for an RDS instance, cluster-... for an Aurora cluster), not the DB instance identifier such as data-db; a wildcard around the identifier does not match anything. You can read it from the instance's Configuration tab in the console or with aws rds describe-db-instances --db-instance-identifier data-db --query 'DBInstances[0].DbiResourceId'. Both statements can additionally be limited with an aws:SourceIp condition to your VPN's egress address range. Here's the policy for reference; the account ID, the resource ID db-ABCDEFGHIJKL01234 and the range 203.0.113.0/24 are placeholders to replace with your own values:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "rds:DescribeDBInstances",
        "rds:DescribeDBClusters"
      ],
      "Resource": [
        "arn:aws:rds:us-east-1:01233456789:db:*",
        "arn:aws:rds:us-east-1:01233456789:cluster:*"
      ],
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "203.0.113.0/24"
        }
      }
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": "rds-db:connect",
      "Resource": "arn:aws:rds-db:us-east-1:01233456789:dbuser:db-ABCDEFGHIJKL01234/data_scientist",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "203.0.113.0/24"
        }
      }
    }
  ]
}
The aws:SourceIp condition is matched against the public address from which the request reaches AWS, so it only helps when the developer's traffic is routed through the VPN; from anywhere else the Describe calls fail with AccessDenied and the toolkit lists nothing. Treat it as a supplement to the DB instance's security group rules, not a replacement for them, and test the policy from inside the VPN before rolling it out.
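Two mistakes are easy to make in this policy: building the dbuser ARN from the DB instance identifier instead of its generated DbiResourceId, and typing an aws:SourceIp value that is not actually an IP address or CIDR range (IAM's policy editor and aws accessanalyzer validate-policy check the document's syntax, not whether the resource ID segment is the right kind of identifier). The following is an added example, not code from the original post or from AWS: it loads a constructed copy of the policy as it first appeared in this guide and flags both problems, using regular expressions and sample values that are mine.

```python
import ipaddress
import json
import re

# Constructed for this example: the guide's policy with the two mistakes the checker
# flags (a dbuser ARN built from the DB instance identifier, and an aws:SourceIp value
# that is not an IP address).
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": ["rds:DescribeDBInstances", "rds:DescribeDBClusters"],
      "Resource": ["arn:aws:rds:us-east-1:01233456789:db:*",
                   "arn:aws:rds:us-east-1:01233456789:cluster:*"],
      "Condition": {"IpAddress": {"aws:SourceIp": "123.456.78.901"}}
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": "rds-db:connect",
      "Resource": "arn:aws:rds-db:us-east-1:01233456789:dbuser:*data-db*/data_scientist",
      "Condition": {"IpAddress": {"aws:SourceIp": "123.456.78.901"}}
    }
  ]
}
""")

# rds-db:connect resources look like arn:aws:rds-db:<region>:<account>:dbuser:<DbiResourceId>/<db user>.
DBUSER_ARN = re.compile(r"^arn:aws:rds-db:([a-z0-9-]+|\*):(\d+|\*|):dbuser:([^/]+)/(.+)$")
# DbiResourceId is the generated ID: db-... for an RDS instance, cluster-... for an Aurora cluster.
RESOURCE_ID = re.compile(r"^(db|cluster)-[A-Z0-9]+$")


def _as_list(value):
    """IAM allows Action, Resource and condition values to be a string or a list."""
    return value if isinstance(value, list) else [value]


def check_policy(policy):
    """Return human-readable findings for the IAM-DB-auth mistakes this policy shape invites."""
    findings = []
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        if "rds-db:connect" in _as_list(stmt.get("Action", [])):
            for arn in _as_list(stmt.get("Resource", [])):
                match = DBUSER_ARN.match(arn)
                if not match:
                    findings.append(f"{sid}: {arn!r} is not a specific dbuser ARN")
                    continue
                _region, _account, resource_id, db_user = match.groups()
                if resource_id != "*" and not RESOURCE_ID.match(resource_id):
                    findings.append(
                        f"{sid}: {resource_id!r} is not a DbiResourceId (db-... or cluster-...); "
                        "the DB instance identifier does not match anything here")
                if db_user == "*":
                    findings.append(f"{sid}: rds-db:connect is allowed for every database user")
        for operator, keys in stmt.get("Condition", {}).items():
            if operator not in ("IpAddress", "NotIpAddress"):
                continue
            for value in _as_list(keys.get("aws:SourceIp", [])):
                try:
                    ipaddress.ip_network(value, strict=False)
                except ValueError:
                    findings.append(f"{sid}: aws:SourceIp {value!r} is not an IP address or CIDR range")
    return findings


if __name__ == "__main__":
    for finding in check_policy(SAMPLE_POLICY):
        print(finding)
```

Running it against the sample reports the invalid source IP in both statements and the instance-identifier wildcard in the dbuser ARN; the corrected policy above produces no findings. A resource of "*" on rds-db:connect is also reported, since it would let the principal authenticate as any database user on any instance in the account.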
Step 3: Attach the IAM Policy to Permission Set (By Admins)
- In IAM Identity Center, attach the IAM policy created in Step 2 to the permission set the developers sign in with (Developers-Permission-Set, or any other existing permission set) under Customer managed policies. IAM Identity Center references a customer managed policy by name, so the policy must exist with that exact name in every AWS account the permission set is provisioned to; re-provision the permission set afterwards so the role in the account picks up the change. The users' SSO role then carries the RDS permissions the JetBrains toolkit needs.
Step 4: DataGrip Setup (By Users)
Install DataGrip, or another JetBrains IDE such as PyCharm.
Install the AWS Toolkit plugin: go to Settings/Preferences > Plugins, search for AWS Toolkit, install it, and restart the IDE.
The user needs a profile in the AWS shared config file, ~/.aws/config (SSO profiles live there, not in ~/.aws/credentials, which holds long-lived access keys). The profile must contain the following settings. The account ID and start URL shown are this guide's placeholders; sso_role_name must be the exact name of the permission set the policy was attached to in Step 3, and the [sso-session] section supplies the portal URL and region that the SSO login uses:
[sso-session test-rds-iam-auth]
sso_start_url = https://uri-peled.awsapps.com/start#
sso_region = us-east-1

[profile test-rds-iam-auth]
sso_session = test-rds-iam-auth
sso_account_id = 01233456789
sso_role_name = test-rds-iam-auth
region = us-east-1
sso_start_url = https://uri-peled.awsapps.com/start#
sso_region = us-east-1
Please note that the following two settings MUST also appear inside the [profile] section itself, even though they repeat the [sso-session] values; the AWS Toolkit does not pick up the profile without them:
sso_start_url = https://uri-peled.awsapps.com/start#
sso_region = us-east-1
Step 5: SSO Configuration in DataGrip (By Users)
Complete the following steps to sign in to your AWS account with your existing IAM Identity Center credentials from the AWS Toolkit for JetBrains (DataGrip):
Open AWS Connection Settings from the AWS Toolkit tool window by clicking the ... (ellipsis) icon.
In the AWS Connection Settings menu, select "Add New Connection" to open the AWS Toolkit: Add Connection dialog.
In the AWS Toolkit: Add Connection dialog, choose the "Connect using AWS IAM Identity Center" option, enter your IAM Identity Center portal URL (the sso_start_url from Step 4) into the "Start URL" field, and click "Connect." A browser window opens; follow the prompts to complete the authentication and authorize the toolkit.
Step 6: Connect to Amazon RDS Database (By Users - when connecting)
In DataGrip:
- Open the AWS Explorer if it isn't already open, and make sure the selected connection is the SSO profile from Step 5 and the selected region is the database's region.
- Click the Amazon RDS node to expand the list of supported database engines.
- Expand the engine, right-click the DB instance and choose "Connect with IAM credentials."
- In the data source dialog, verify the host, port, database and the database user (data_scientist from Step 1), then test the connection.
The toolkit mints a short-lived IAM authentication token for that user and passes it as the password, so no database password is stored in the IDE. Each token is valid for 15 minutes, which only matters while the connection is being opened; an established session is not interrupted when its token expires.
This guide draws on the following AWS documentation pages and GitHub issues:
- https://docs.aws.amazon.com/toolkit-for-jetbrains/latest/userguide/rds-access-prerequisities.html#db-authentication
- https://docs.aws.amazon.com/toolkit-for-jetbrains/latest/userguide/welcome.html
- https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.DBAccounts.html#UsingWithRDS.IAMDBAuth.DBAccounts.PostgreSQL
- https://github.com/aws/aws-toolkit-jetbrains/issues/1238
- https://github.com/aws/aws-toolkit-jetbrains/issues/3032
Conclusion:
With these steps, you can connect your JetBrains IDE to Amazon RDS databases (the same toolkit flow also covers Redshift) using AWS SSO, now IAM Identity Center, without storing a database password in the IDE. If you encounter any issues or have further questions, don't hesitate to reach out to me.