Integrating AWS RDS Aurora with on-prem Microsoft Active directory

pavan kumar ceemala
2 min read · Feb 18, 2021

Objective: integrate an on-prem Microsoft Active Directory with AWS RDS, so that on-prem users can access AWS RDS using the DBeaver client.

AWS RDS: Amazon Relational Database Service is a distributed relational database service by Amazon Web Services.

Microsoft Active Directory: Active Directory (AD) is a Microsoft technology used to manage computers and other devices on a network.

Steps on AWS:

  1. Use AWS Directory Service to create a managed Active Directory, e.g. cloud.ad.
  2. Create a trust relationship between the on-prem AD and the AWS Managed AD.
  3. On the on-prem AD, create a conditional forwarder as described in the AWS documentation; this requires the AWS Managed AD DNS IP(s) and domain name.
  4. Then create an external trust on the on-prem AD; for this, provide the AWS Managed AD domain name and set a trust password.
  5. On the AWS Managed AD, while creating the trust, provide the on-prem domain name (“on-prem-adm.domain”) and the same password that was set on prem.
  6. When the AWS Managed AD is created, AWS creates a security group by default; add an outbound rule to that security group allowing all on-prem domain controller IP(s).

Steps to configure the DBeaver client on the jumpbox:

  1. Download the DBeaver client and install it on your machine.
  2. Create krb5.conf with these details:
[libdefaults]
default_realm = aws-ad.domain
default_ccache_name = /tmp/kerbcache
[realms]
aws-ad.domain = {
kdc = aws-ad.domain
admin_server = aws-ad.domain
}
on-prem-ad.domain = {
kdc = on-prem-ad.domain
admin_server = on-prem-ad.domain
}
[domain_realm]
.aws-ad.domain = aws-ad.domain
aws-ad.domain = aws-ad.domain
.on-prem-ad.domain = on-prem-ad.domain
on-prem-ad.domain = on-prem-ad.domain
.rds.amazonaws.com = aws-ad.domain
.amazonaws.com.cn = aws-ad.domain
.amazon.com = aws-ad.domain

3. Create dbeaver.ini with these details (one argument per line):

-startup
plugins/org.eclipse.equinox.launcher_1.5.700.v20200207-2156.jar
--launcher.library
plugins/org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.1100.v20190907-0426
-vmargs
-XX:+IgnoreUnrecognizedVMOptions
--add-modules=ALL-SYSTEM
-Xms64m
-Xmx1024m
-Djava.security.auth.login.config=pgjdbc.conf
-Djava.security.krb5.conf=krb5.conf

4. Create pgjdbc.conf with these details (the file name must match the -Djava.security.auth.login.config entry in dbeaver.ini):

pgjdbc {
com.sun.security.auth.module.Krb5LoginModule required
doNotPrompt=false
useTicketCache=true
renewTGT=true
debug=true;
};

5. Copy the files created above to the DBeaver home directory.

Create a database user for the AD principal; here CORP.EXAMPLE.COM is the on-prem AD domain name.

CREATE USER "username@CORP.EXAMPLE.COM" WITH LOGIN;

GRANT rds_ad TO "username@CORP.EXAMPLE.COM";

6. To create a new server connection for your AD user, use the custom endpoint as described in point 4 of this page: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/postgresql-kerberos-connecting.html
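The krb5.conf in step 2 only works if the [domain_realm] section routes the RDS endpoint to the AWS Managed AD realm (the `.rds.amazonaws.com = aws-ad.domain` line) and every realm it names has a [realms] stanza with a reachable KDC. The script below is an added example, not code from the original post: it parses a krb5.conf, resolves a hostname to a realm using the longest-suffix rule MIT Kerberos applies, and reports any [domain_realm] mapping that points at a realm with no [realms] stanza. The embedded config is a constructed copy of the post's file, and the RDS hostname is a placeholder, not a real instance.

```python
"""Check which Kerberos realm a host resolves to under a krb5.conf [domain_realm]
section, and flag mappings to realms that have no [realms] stanza.

Added example, not part of the original post. The config text is a constructed
copy of the post's krb5.conf; hostnames used below are placeholders.
"""
import re

# Constructed sample mirroring the post's krb5.conf (not a real configuration).
SAMPLE_KRB5_CONF = """
[libdefaults]
default_realm = aws-ad.domain
default_ccache_name = /tmp/kerbcache

[realms]
aws-ad.domain = {
kdc = aws-ad.domain
admin_server = aws-ad.domain
}
on-prem-ad.domain = {
kdc = on-prem-ad.domain
admin_server = on-prem-ad.domain
}

[domain_realm]
.aws-ad.domain = aws-ad.domain
aws-ad.domain = aws-ad.domain
.on-prem-ad.domain = on-prem-ad.domain
on-prem-ad.domain = on-prem-ad.domain
.rds.amazonaws.com = aws-ad.domain
.amazonaws.com.cn = aws-ad.domain
.amazon.com = aws-ad.domain
"""


def parse_krb5_conf(text):
    """Minimal krb5.conf parser.

    Returns (sections, realms): sections maps section name -> {key: value}
    for flat "key = value" lines; realms is the set of realm names that have
    their own "NAME = { ... }" stanza inside [realms].
    """
    sections = {}
    realms = set()
    current = None
    depth = 0  # nesting depth inside { ... } blocks
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        if line.endswith("{"):
            if current == "realms" and depth == 0:
                realms.add(line[:-1].split("=")[0].strip())
            depth += 1
            continue
        if line == "}":
            depth -= 1
            continue
        if depth == 0 and current is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[current][key] = value
    return sections, realms


def realm_for_host(host, domain_realm, default_realm):
    """Longest-suffix match as MIT Kerberos does it: try the exact host name,
    then each parent domain with a leading dot, else fall back to default_realm.
    """
    host = host.lower().rstrip(".")
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        candidate = "." + ".".join(labels[i:])
        if candidate in domain_realm:
            return domain_realm[candidate]
    return default_realm


def unresolvable_realms(text):
    """Realms referenced by [domain_realm] that have no [realms] stanza: a
    client mapped to one of these has no KDC to ask for a service ticket."""
    sections, realms = parse_krb5_conf(text)
    mapped = set(sections.get("domain_realm", {}).values())
    return sorted(mapped - realms)


if __name__ == "__main__":
    sections, _ = parse_krb5_conf(SAMPLE_KRB5_CONF)
    dr = sections["domain_realm"]
    default = sections["libdefaults"]["default_realm"]
    # Placeholder RDS endpoint, not a real instance.
    for h in ("mydb.cluster-xyz.us-east-1.rds.amazonaws.com", "dc01.on-prem-ad.domain"):
        print(h, "->", realm_for_host(h, dr, default))
    print("mappings to undefined realms:", unresolvable_realms(SAMPLE_KRB5_CONF))
```

Run this against the real krb5.conf on the jumpbox before troubleshooting DBeaver: if the RDS endpoint resolves to the wrong realm, or a mapped realm shows up as undefined, the Kerberos login will fail before the database is ever contacted.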

Thanks….
