DynamoDB

Last modified on January 4, 2024

Overview

A datasource consists of a database resource and the credentials used to access it. This guide describes how to add a DynamoDB database as a datasource in the StrongDM Admin UI.

Prerequisites

To add a datasource, make sure you have met the following prerequisites:

  • Properly configure an account for your database resource. If you choose to store credentials for the resource with StrongDM, have those credentials ready. When not using StrongDM, set up a Secret Store integration and be able to enter the location of the secrets required to access the resource.
  • The hostname or endpoint you enter for your resource must be accessible by at least one gateway or relay. To verify this, log in to the gateway or relay and use the nc -zv <YOUR_HOSTNAME> <YOUR_PORT> Netcat command. For example, use nc -zv testdb-01.fancy.org 5432. If your gateway server can connect to this hostname, you can proceed.
  • For a DynamoDB resource with role assumption, successful healthchecks to the resource require the access policy in AWS to contain the following permissions:
    statement {
        effect = "Allow"
        actions = [
            "dynamodb:ListGlobalTables",
            "dynamodb:ListTables",
            "dynamodb:ListStreams"
        ]
        resources = ["*"]
    }
    

Add a Datasource

To add your DynamoDB database as a StrongDM datasource, use the following steps.

  1. Log in to the Admin UI.
  2. Go to Infrastructure > Datasources.
  3. Click Add datasource.
  4. Select DynamoDB as the Datasource Type and set other configuration properties for your new database resource.
  5. Complete all required fields.
  6. Click Create to save the resource.
  7. Click the resource name to view status, diagnostic information, and setting details.

Resource properties

Configuration properties are visible when you add a datasource or when you click to view its settings. The following table describes the settings available for your DynamoDB database.

PropertyRequirementDescription
Display NameRequiredMeaningful name to display the resource throughout StrongDM; exclude special characters like quotes (") or angle brackets (< or >)
Datasource TypeRequiredSelect DynamoDB
EndpointRequiredAPI server endpoint of the resource in the format dynamodb.<REGION>.amazonaws.com, such as dynamodb.us-west-2.amazonaws.com; relay server should be able to connect to your resource
Port OverrideRead onlyAutomatically generated with a value between 1024 to 59999 as long as that port is not used by another resource; preferred port can be modified later under Settings > Port Overrides; after specifying the port override number, you must also update the kubectl configuration, which you can learn more about in section Port Overrides
RegionRequiredRegion of the resource, such as us-west-2
Secret StoreOptionalCredential store location; defaults to Strong Vault; to learn more, see Secret Store options
Access Key IDRequiredAccess key ID, such as AKIAIOSFODNN7EXAMPLE, from the AWS key pair that you created in Step 1
Access Key ID (path)RequiredIf Secret Store integration is configured for your organization and you selected a Secret Store type that is not StrongDM, enter the path to the secret in your Secret Store (for example, path/to/credential?key=optionalKeyName). The key argument is optional.
Secret Access KeyRequiredSecret access key, such as wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY, from the AWS key pair that you created in Step 1
Secret Access Key (path)RequiredIf Secret Store integration is configured for your organization and you selected a Secret Store type that is not StrongDM, enter the path to the secret in your Secret Store (for example, path/to/credential?key=optionalKeyName). The key argument is optional.
Assume Role ARNOptionalRole ARN, such as arn:aws:iam::000000000000:role/RoleName, that allows users accessing this resource to assume a role using AWS AssumeRole functionality
Assume Role ARN (path)OptionalIf Secret Store integration is configured for your organization and you selected a Secret Store type that is not StrongDM, enter the path to the secret in your Secret Store (for example, path/to/credential?key=optionalKeyName). The key argument is optional.
Assume Role External IDOptionalExternal ID if leveraging an external ID to users assuming a role from another account; if used, it must be used in conjunction with Assume Role ARN; see the AWS documentation on using external IDs for more information
Assume Role External ID (path)OptionalIf Secret Store integration is configured for your organization and you selected a Secret Store type that is not StrongDM, enter the path to the secret in your Secret Store (for example, path/to/credential?key=optionalKeyName). The key argument is optional.
Resource TagsOptionalResource tags consisting of key-value pairs <KEY>=<VALUE> (for example, env=dev)

Secret Store options

By default, datasource credentials are stored in StrongDM. However, these credentials can also be saved in a secrets management tool.

Non-StrongDM options appear in the Secret Store dropdown if they are created under Network > Secret Stores. When you select another Secret Store type, its unique properties display. For more details, see Configure Secret Store Integrations.

Resource status

After a resource is created, the Admin UI displays that resource as unhealthy until the healthchecks run successfully. When the resource is ready, the Health icon indicates a positive, green status.

Datasource Ready
Datasource Ready

When the resource does not display a positive status, click the resource name to go to the Diagnostics tab and check for errors.