
RDS metadata and IAM based authentication

Hi, I am currently working on configuring RDS to be used for storing Denodo metadata. As a security requirement, we need to secure the RDS via one of the two methods:

* Use IAM based authentication for RDS instances
* Rotate the db user passwords on a set frequency using the secrets manager.

Can you please let me know if this can be achieved and point me in the right direction?

Regards V
user
26-10-2022 05:04:25 -0400

5 Answers

Hi,

For your scenario, I would use the [Credentials vault](https://community.denodo.com/docs/html/browse/8.0/en/vdp/administration/server_configuration/credentials_vault/credentials_vault) feature of the Virtual DataPort. The Credentials Vault feature provides support to obtain credentials from the external vault by specifying the “secret” (account name) of the password vault without specifying the user name and password of the user account during the data source configuration.

**1. Use IAM based authentication for RDS instances**

Yes, you can use the IAM role to establish a connection from Denodo to the source RDS instances.

**2. Rotate the db user passwords on a set frequency using the secrets manager.**

Yes. The Denodo Platform allows you to use the Amazon EC2 IAM role by using the Default Credential Provider authentication or AWS Access keys authentication to connect to the AWS Secret Manager (credential provider). Rotating the database user passwords enables you to replace long-term passwords with short-term ones, which reduces the risk of compromise.

I would follow the steps mentioned below to authenticate with the RDS data source via the Amazon EC2 IAM role:

* Enable the external credential vault for the Virtual DataPort by navigating to the **"Administration>Server Configuration>Credential Vault"** section.
* Now, select the [AWS Secret Manager](https://community.denodo.com/docs/html/browse/8.0/en/vdp/administration/server_configuration/credentials_vault/aws/aws) as Provider and select the appropriate Authentication type.
* Configure the RDS data source to use the relevant Credentials vault method in the Authentication drop-down box.

For more details on configuring JDBC data sources you could refer to the [JDBC Sources](https://community.denodo.com/docs/html/browse/8.0/en/vdp/administration/creating_data_sources_and_base_views/jdbc_sources/jdbc_sources#connecting-to-a-jdbc-source-with-kerberos-authentication:~:text=Authentication.%20The%20options%20are%3A) section of the Virtual DataPort Administration Guide.

Hope this helps!!
Denodo Team
26-10-2022 08:39:15 -0400
Thanks for the quick reply but the answer is wrong! If you read my question - the first line clearly says the requirement for RDS to store denodo metadata but the answer is for - how to use the RDS as a data source. :) Can you please confirm. Thanks V
user
26-10-2022 08:59:41 -0400
Hi,

I would like to let you know that currently it is possible to use Credentials Vault for JDBC data source. For your scenario, related to Metadata Database Configuration with RDS, you could refer to the list of databases supported in the [**Databases supported**](https://community.denodo.com/docs/html/browse/8.0/en/vdp/administration/server_configuration/storing_catalog_on_external_database/storing_catalog_on_external_database#databases-supported) section of the Virtual DataPort Administration Tool for more information.

If you are a valid support user, I suggest you raise a support case at the [Denodo Support site](https://support.denodo.com/) so the Denodo team could help you in evaluating the feasibility of configuring metadata database with RDS.

Hope this helps!!
Denodo Team
27-10-2022 09:44:23 -0400
Hi,

Thanks for clarifying your earlier answer. I have gone through the documentation which you sent. If you want this can be raised via our support account as well. But since the documentation (which is public) I thought it would be better to ask the question here on the community forum. Hope you don't mind.

Let me qualify the question - We are planning to use **Postgres or MySQL running on AWS RDS service to store Denodo metadata**. To that end, can you please clarify - if Denodo supports

* Use IAM based authentication for Postgres instance on RDS
* Rotate the db user passwords on a set frequency using the secrets manager.

Thanks as always. V
user
27-10-2022 10:03:09 -0400
Hi,

For your scenario, you can use **Amazon Aurora MySQL** and **Amazon Aurora PostgreSQL** for Metadata database configuration as an alternative for connecting to AWS RDS Postgres or MySQL as Metadata database. However, only username and password type of authentication is possible currently for Metadata Database configuration (using IAM based authentication is not supported now).

There is an enhancement registered in Denodo Support site to use Credentials Vault for Metadata Database configuration which will support accessing secrets from Secret Manager. If you are a valid support user, I suggest you raise a support case at the [**Denodo Support site**](https://support.denodo.com/) to register for this enhancement.

Hope this helps!!
Denodo Team
28-10-2022 07:58:24 -0400