Blog | G5 Cyber Security

AWS RDS Access from Github Actions

TL;DR

This guide shows you how to securely connect to your AWS RDS database from a Github Actions workflow using IAM roles, the AWS CLI, and environment secrets. We’ll cover creating an IAM role with limited permissions, configuring your workflow to authenticate, and connecting to your database.

Prerequisites

Step 1: Create an IAM Role for Github Actions

We’ll create a dedicated IAM role with the minimum necessary permissions to access your RDS database. This is much more secure than using broad administrator privileges.

  1. Go to the IAM console in AWS.
  2. Click “Create role”.
  3. Select “AWS service” as the trusted entity type.
  4. Choose “Github Actions” from the list of services. You may need to search for it.
  5. Click “Next: Permissions”.
  6. Attach a policy that allows access to RDS. You can create a custom policy or use an existing one like AmazonRDSReadOnlyAccess (for read-only access) or AmazonRDSFullAccess (use with caution!). For example, the following JSON defines a minimal policy. Note that IAM database authentication is authorised by the rds-db:connect action on the database user ARN, not by an rds: action; replace the REGION, ACCOUNT_ID, DB_RESOURCE_ID and DB_USER placeholders with your own values:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "rds:DescribeDBInstances",
          "Resource": "arn:aws:rds:REGION:ACCOUNT_ID:db:*"
        },
        {
          "Effect": "Allow",
          "Action": "rds-db:connect",
          "Resource": "arn:aws:rds-db:REGION:ACCOUNT_ID:dbuser:DB_RESOURCE_ID/DB_USER"
        }
      ]
    }
  7. Click “Next: Tags” (optional). Add tags for organization.
  8. Click “Next: Review”. Give the role a descriptive name, like github-actions-rds-access, and review the policy.
  9. Click “Create role”.

Step 2: Configure Github Actions Secrets

Store your AWS credentials as secrets in your Github repository. This prevents them from being exposed in your workflow files.

  1. Go to your Github repository’s settings.
  2. Click “Secrets” and then “Actions”.
  3. Click “New repository secret”.
  4. Create the following secrets:
    • AWS_ACCESS_KEY_ID: Your AWS access key ID.
    • AWS_SECRET_ACCESS_KEY: Your AWS secret access key.
    • AWS_REGION: The region where your RDS instance is located (e.g., eu-west-1).

Step 3: Update Your Github Actions Workflow

Modify your workflow file to use the AWS CLI for authentication and connect to your database.

  1. Add a step to configure the AWS CLI using the credentials stored in secrets. Here’s an example:
    - name: Configure AWS Credentials
      uses: aws-actions/configure-aws-credentials@v2
      with:
        aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
        aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
        aws-region: ${{ secrets.AWS_REGION }}
  2. Add a step to generate an authentication token for your RDS instance. The token is a short-lived (15 minute) signed string that is used in place of the database password, so mask it before writing it to the job environment:
    - name: Generate Authentication Token
      run: |
        TOKEN=$(aws rds generate-db-auth-token --hostname <db-endpoint> --port 3306 --region ${{ secrets.AWS_REGION }} --username <db-user>)
        echo "::add-mask::$TOKEN"
        echo "DB_TOKEN=$TOKEN" >> "$GITHUB_ENV"
  3. Add a step to connect to your database using the generated token. The method will depend on the database type (e.g., MySQL, PostgreSQL). For example, for MySQL, the token is passed as the password over a TLS connection (IAM authentication requires SSL, and the server certificate is verified against the RDS CA bundle):
    - name: Connect to MySQL Database
      run: |
        curl -sSfo rds-ca.pem https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem
        mysql -h <db-endpoint> -P 3306 -u <db-user> --ssl-ca=rds-ca.pem --ssl-mode=VERIFY_IDENTITY --enable-cleartext-plugin --password="$DB_TOKEN"
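As an added example (not code from the original post), the following pure-Python script reproduces what the token generated in step 2 actually is: a SigV4 presigned request for the `connect` action of the `rds-db` service, which is why the Step 1 policy has to grant `rds-db:connect`, with a 15 minute expiry that `token_seconds_remaining` reads back out of the token. The host, user, region and access keys are constructed placeholders, not real credentials.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, quote

def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def build_auth_token(host, port, user, region, access_key, secret_key, now=None):
    """Reproduce what `aws rds generate-db-auth-token` emits: a SigV4 presigned URL
    (scheme stripped) for GET https://host:port/?Action=connect&DBUser=user, signed
    for service 'rds-db'. RDS checks the signature and that the signer holds
    rds-db:connect on the matching dbuser ARN. All inputs here are constructed."""
    now = now or datetime.now(timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    scope = f"{amz_date[:8]}/{region}/rds-db/aws4_request"
    params = {
        "Action": "connect",
        "DBUser": user,
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": "900",  # RDS accepts a token for 15 minutes
        "X-Amz-SignedHeaders": "host",
    }
    canonical_qs = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(params.items())
    )
    canonical_request = "\n".join(
        ["GET", "/", canonical_qs, f"host:{host}:{port}", "", "host",
         hashlib.sha256(b"").hexdigest()]  # a GET has an empty body
    )
    string_to_sign = "\n".join(
        ["AWS4-HMAC-SHA256", amz_date, scope,
         hashlib.sha256(canonical_request.encode()).hexdigest()]
    )
    key = _hmac(("AWS4" + secret_key).encode(), amz_date[:8])
    for part in (region, "rds-db", "aws4_request"):  # derive the SigV4 signing key
        key = _hmac(key, part)
    signature = hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()
    return f"{host}:{port}/?{canonical_qs}&X-Amz-Signature={signature}"

def token_seconds_remaining(token, now=None):
    """Seconds until the token stops being accepted, read from its own X-Amz-Date
    and X-Amz-Expires; negative once expired (e.g. for a token found in a log)."""
    qs = parse_qs(token.split("?", 1)[1])
    issued = datetime.strptime(qs["X-Amz-Date"][0], "%Y%m%dT%H%M%SZ")
    expires = issued.replace(tzinfo=timezone.utc) + timedelta(seconds=int(qs["X-Amz-Expires"][0]))
    return int((expires - (now or datetime.now(timezone.utc))).total_seconds())
```

Because the token is only a signature over the hostname, port, user and timestamp, anyone holding it can use it as the password until it expires, which is why it is masked in the workflow above and why the signing credentials, not the database, enforce who may connect.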

Step 4: Test Your Workflow

Commit your changes and trigger a workflow run to verify that the connection is successful.
