DynamoDB (IAM)
Overview
A datasource consists of a database resource and the credentials used to access it. This guide describes how to add a DynamoDB (IAM) database as a datasource in the StrongDM Admin UI. This guide covers the configuration of the DynamoDB (IAM) resource type in StrongDM, which uses an EC2-attached IAM role to authenticate with DynamoDB. Once this is set up for the EC2 instances that you intend to use for StrongDM gateways, relays, or proxy cluster workers, your StrongDM users are able to be authenticated to the DynamoDB instance without providing the users or StrongDM with credentials.
If you prefer to use AWS Secret Access Keys instead, see the DynamoDB resource type guide.
Prerequisites
To add a datasource, make sure you have met the following prerequisites:
Resource Setup
In order to connect to and manage the resource, you must define the IAM role you wish to use, with a policy that allows EC2 to assume the role, as in the following example:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}Then attach a policy to that role that grants access to DynamoDB.
It is a best practice that this policy contains the minimum required actions necessary for users of this DynamoDB instance to do their work.
For a resource with role assumption, the
"dynamodb:ListGlobalTables","dynamodb:ListTables", and"dynamodb:ListStreams"actions are the minimum required actions to allow StrongDM to successfully complete healthchecks.The wildcard value for
Resourceis required for the"dynamodb:ListGlobalTables","dynamodb:ListTables", and"dynamodb:ListStreams"actions to function properly because they are not scoped to a specific resource.
The following is an example of a policy that follows such best practices.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Statement1",
"Effect": "Allow",
"Action": [
"dynamodb:ListGlobalTables",
"dynamodb:ListTables",
"dynamodb:ListStreams",
"dynamodb:Scan",
"dynamodb:GetItem",
"dynamodb:PutItem",
"dynamodb:Query",
"dynamodb:DescribeTable"
],
"Resource": [
"*"
]
}
]
}When the EC2 instance is launched, assign the IAM role(s). When the resource is configured with StrongDM, and you have installed your StrongDM gateway, relay, or proxy cluster worker on the EC2 instance, it has the ability to interact with your DynamoDB instance without having to provide credentials to StrongDM.
Add the Resource to StrongDM
To add your DynamoDB (IAM) database as a StrongDM datasource, use the following steps.
Log in to the StrongDM Admin UI.
Go to Resources > Datasources.
Click Add datasource.
Select DynamoDB (IAM) as the Datasource Type and set other configuration properties for your new database resource.
Complete all required fields.
Click Create to save the resource.
Click the resource name to view status, diagnostic information, and setting details.
Resource properties
Configuration properties are visible when you add a datasource or when you click to view its settings. The following table describes the settings available for your DynamoDB (IAM) database.
Display Name
Required
Meaningful name to display the resource throughout StrongDM; exclude special characters like quotes (") or angle brackets (< or >)
Datasource Type
Required
Select DynamoDB (IAM)
Proxy Cluster
Required
Defaults to "None (use gateways)"; if using proxy clusters, select the appropriate cluster to proxy traffic to this resource
Endpoint
Required
API server endpoint of the resource in the format dynamodb.<REGION>.amazonaws.com, such as dynamodb.us-west-2.amazonaws.com; relay server should be able to connect to your resource
Connectivity Mode
Required
Select either Virtual Networking Mode, which lets users connect to the resource with a software-defined, IP-based network; or Loopback Mode, which allows users to connect to the resource using the local loopback adapter in their operating system; this field is shown if Virtual Networking Mode enabled for your organization
IP Address
Optional
If Virtual Networking Mode is the selected connectivity mode, an IP address value in the configured Virtual Networking Mode subnet in the organization network settings; if Loopback Mode is the selected connectivity mode, an IP address value in the configured Loopback IP range in the organization network settings (by default, 127.0.0.1); if not specified, an available IP address in the configured IP address space for the selected connectivity mode will be automatically assigned; this field is shown if Virtual Networking Mode and/or multi-loopback mode is enabled for your organization
Port Override
Optional
If Virtual Networking Mode is the selected connectivity mode, a port value between 1 and 65535 that is not already in use by another resource with the same IP address; if Loopback Mode is the selected connectivity mode, a port value between 1024 to 64999 that is not already in use by another resource with the same IP address; when left empty with Virtual Networking Mode, the system assigns the default port to this resource; when left empty for Loopback Mode, an available port that is not already in use by another resource is assigned; preferred port also can be modified later from the Port Overrides settings
DNS
Optional
If Virtual Networking Mode is the selected connectivity mode, a unique hostname alias for this resource; when set, causes the desktop app to display this resource's human-readable DNS name (for example, k8s.my-organization-name) instead of the bind address that includes IP address and port (for example, 100.64.100.100:5432)
Region
Required
Region of the resource, such as us-west-2
Secret Store
Optional
Credential store location; defaults to Strong Vault; to learn more, see Secret Store options
Assume Role ARN
Optional
Role ARN, such as arn:aws:iam::000000000000:role/RoleName, that allows users accessing this resource to assume a role using AWS AssumeRole functionality
Assume Role ARN (path)
Optional
If Secret Store integration is configured for your organization and you selected a Secret Store type that is not StrongDM, enter the path to the secret in your Secret Store (for example, path/to/credential?key=optionalKeyName); the key argument is optional
Assume Role External ID
Optional
External ID if leveraging an external ID to users assuming a role from another account; if used, it must be used in conjunction with Assume Role ARN; see the AWS documentation on using external IDs for more information
Assume Role External ID (path)
Optional
If Secret Store integration is configured for your organization and you selected a Secret Store type that is not StrongDM, enter the path to the secret in your Secret Store (for example, path/to/credential?key=optionalKeyName); the key argument is optional
Resource Tags
Optional
Resource Tags consisting of key-value pairs <KEY>=<VALUE> (for example, env=dev)
Secret Store options
By default, datasource credentials are stored in StrongDM. However, these credentials can also be saved in a secrets management tool.
Non-StrongDM options appear in the Secret Store dropdown if they are created under Settings > Secrets Management. When you select another Secret Store type, its unique properties display. For more details, see Configure Secret Store Integrations.
Resource status
After a resource is created, the Admin UI displays that resource as unhealthy until the healthchecks run successfully. When the resource is ready, the Health icon indicates a positive, green status.
When the resource does not display a positive status, click the resource name to go to the Diagnostics tab and check for errors.
Last updated
Was this helpful?