rds: Failed to create a Database Instance with Kerberos authentication configured

[badmintoncryer]

Describe the bug

When setting up Kerberos authentication for an Instance, the arguments domain and domainRole can be provided. Here, if domainRole is undefined, a default IAM role is created, but using that role results in the failure of the Instance creation.

Expected Behavior

The instance is successfully deployed.

Current Behavior

The deployment of the Instance fails as follows.

instance-kerberos | 3:55:29 AM | CREATE_FAILED        | AWS::RDS::DBInstance                        | Database (DatabaseB269D8BB) Resource handler returned message: "IAM role provided is not valid, please check that the role exists and has the correct policies (Service: Rds, Status Code: 400, Request ID: 8c7fcae7-6b35-4689-a6e8-4882d7c330b0)" (RequestToken: 724c9cf1-a9a0-9f26-345d-0434f73c3d3d, HandlerErrorCode: InvalidRequest)

Reproduction Steps

By deploying the following code, the error can be reproduced.

import * as cdk from 'aws-cdk-lib/core';
import * as integ from '@aws-cdk/integ-tests-alpha';
import * as ec2 from 'aws-cdk-lib/aws-ec2';
import * as rds from 'aws-cdk-lib/aws-rds';

const app = new cdk.App();

const stack = new cdk.Stack(app, 'instance-kerberos');
const vpc = new ec2.Vpc(stack, 'VPC');

new rds.DatabaseInstance(stack, 'Database', {
  engine: rds.DatabaseInstanceEngine.mysql({
    version: rds.MysqlEngineVersion.VER_8_0_35,
  }),
  instanceType: ec2.InstanceType.of(ec2.InstanceClass.BURSTABLE3, ec2.InstanceSize.MEDIUM),
  vpc,
  domain: 'd-12345678',
});

Possible Solution

Add directoryservice.rds.amazonaws.com as a principal in the assume role.

Additional Information/Context

No response

CDK CLI Version

2.116.1

Framework Version

No response

Node.js Version

v20.10.0

OS

irreable

Language

TypeScript

Language Version

No response

Other information

No response

[pahud]

According to this
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/postgresql-kerberos-setting-up.html

We probably need to add directoryservice.rds.amazonaws.com into the service principals.

Before we have a PR to improve that, you can work it around with escape hatches like

    const instance = new rds.DatabaseInstance(this, 'Database', {
      engine: rds.DatabaseInstanceEngine.mysql({
        version: rds.MysqlEngineVersion.VER_8_0_35,
      }),
      instanceType: ec2.InstanceType.of(ec2.InstanceClass.BURSTABLE3, ec2.InstanceSize.MEDIUM),
      vpc,
      domain: 'd-12345678',
    });

    const instanceRole = instance.node.tryFindChild('RDSDirectoryServiceRole') as iam.Role
    (instanceRole.node.tryFindChild('Resource') as iam.CfnRole).addPropertyOverride('AssumeRolePolicyDocument.Statement.0.Principal.Service', [
      'directoryservice.rds.amazonaws.com',
      'rds.amazonaws.com',
    ])

And cdk synth to verify it's included in the service principal array:

  "DatabaseRDSDirectoryServiceRole55FFAFD0": {
   "Type": "AWS::IAM::Role",
   "Properties": {
    "AssumeRolePolicyDocument": {
     "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "Service": [
         "directoryservice.rds.amazonaws.com",
         "rds.amazonaws.com"
        ]
       }
      }
     ],
     "Version": "2012-10-17"
    },

[badmintoncryer]

I have created a pull request for the modification(#28601), but I am planning to make it ready for review after #28559 has been merged.

[github-actions]

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.