- Newest
- Most votes
- Most comments
RDS Postgres can be configured to connect to an AWS Managed Active Directory for user authentication. The AWS Managed Active Directory can then be connected to an on-premises AD through a forest trust.
This will allow you to authenticate users from either directory.
The following two links explains how to set this up. https://aws.amazon.com/about-aws/whats-new/2019/10/amazon-rds-for-postgresql-supports-user-authentication-with-kerberos-and-microsoft-active-directory/ https://docs.aws.amazon.com/quickstart/latest/active-directory-ds/scenario-2.html
This step is the bulk of the work: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/postgresql-kerberos-setting-up.html
The way RDS Postgres manages users is that a local Postgres database user will still need to be created to match the AD account for every user that needs access. I don't believe its possible to do this for an AD group and have all users in the group just work
Therefore, just because the RDS instance is using kerberos to AD, it doesn't automatically give users access.
You will need to run PSQL commands like these: CREATE USER "username@CORP.EXAMPLE.COM" WITH LOGIN; GRANT rds_ad TO "username@CORP.EXAMPLE.COM";
Note that the capitalization of the domain is essential. It must be in CAPITALS. The username is also case sensitive and must match the username in AD (windows ignores the case so you might not be aware of any capitalization in user names)
Relevant content
- Accepted Answerasked 3 years ago
- asked a month ago
- asked 2 months ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated 3 months ago