This feature enables you to discover and provision common database roles to your RDS databases in AWS seamlessly. Using either IAM credentials or the instance role of the Hoop Gateway, you can quickly grant database access to users.

Be aware that our current implementation resets the master password for RDS instances and stores the new credentials in the Hoop database.

In upcoming releases, we aim to support additional authentication methods for accessing these instances, including AWS Secrets Manager integration and IAM database authentication.

Requirements

  • Access to AWS account with privileges to setup roles and/or IAM credentials
  • Admin access to the Hoop Gateway instance

Configuration

To configure the AWS Connect integration, it needs proper permissions to list resources and modify RDS instances.

Main Account Setup

1

Create IAM Policy

The policy HoopAWSConnect must be created in your AWS account. It will grant the necessary permissions to the IAM user or role that will be used for the integration.

  • Go to IAM > Policy > Create Policy

  • Switch the Policy Editor to JSON and paste the policy below

        {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "organizations:ListAccounts",
                    "rds:DescribeDBInstances",
                    "rds:ModifyDBInstance",
                    "rds:ModifyDBCluster",
                    "ec2:DescribeSecurityGroups",
                    "ec2:AuthorizeSecurityGroupIngress",
                    "ec2:CreateSecurityGroup",
                    "ec2:CreateTags",
                    "sts:AssumeRole"
                ],
                "Resource": "*"
            }
        ]
    }

  • Click in Next and create it naming the policy as HoopAWSConnect

2

Create IAM User

Create the IAM user associated with the role created in the previous step to obtain the access key credentials.

  • Go to IAM > Users > Add user
  • Enter a user name, e.g., hoop-aws-connect
  • Select Attach policies directly
  • Search for the policy HoopAWSConnect created in first step
  • After creating the user, select the user and go to the Security credentials tab
  • Click on Create access key
  • Select the option Third-party service
  • Add the description as Hoop AWS Connect
  • Click on Create access key
  • Copy the Access key ID and Secret access key to use in the next step

If you want to use the instance role instead of IAM credentials, skip this step. You will find instructions below on how to configure the instance role.

These steps should be sufficient to begin the provisioning process in your main account.

Multi Account Setup

For multi-account setup, you can configure your IAM user or instance role to access resources across different accounts.

Invite your AWS Account

To allow Hoop to access your AWS account, you need to invite it to your AWS Organization. The list of AWS accounts will be displayed in the integration configuration page, and you can select the accounts you want to provision roles for.

1

Invite AWS Account

  • Login to your main account
  • Go to AWS Organizations > AWS Accounts > Invite an Existent AWS Account
  • Enter the email address or the account id to invite this account
2

Accept the Invitation

  • Login to the invited account
  • Go to AWS Organizations > AWS Accounts > Invitations
  • Accept the invitation from your main account

Policy and Role Creation

To allow Hoop to access your AWS account, you need to create a policy and a role in each AWS account that you want to allow Hoop to access. The policy grants the necessary permissions to the role, which is then assumed by Hoop to perform actions on your behalf.

1

Create IAM Policy

The policy HoopAWSConnect must be created in your AWS account.

  • Go to IAM > Policy > Create Policy

  • Switch the Policy Editor to JSON and paste the policy below

        {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "rds:DescribeDBInstances",
                    "rds:ModifyDBInstance",
                    "rds:ModifyDBCluster",
                    "ec2:DescribeSecurityGroups",
                    "ec2:AuthorizeSecurityGroupIngress",
                    "ec2:CreateTags",
                    "ec2:CreateSecurityGroup"
                ],
                "Resource": "*"
            }
        ]
    }

  • Click in Next and create it naming the policy as HoopAWSConnect

2

Create IAM Role

This step will grant the necessary permissions to assume the role in your main account

Create the role that will use the policy created in the previous step.

  • Go to IAM > Roles > Create Role
  • In Trusted entity type, select AWS Account
  • In the input below, select Another AWS Account
  • Add the account ID of your main account
  • Select the Policy HoopAWSConnect created in the previous step
  • Name the role as HoopOrganizationAccountAccessRole

It’s important to name the policy as HoopOrganizationAccountAccessRole because the name is hard-coded in the integration. In future releases, we may allow users to provide a custom role name.

Instance Role

To use the instance role of the Hoop Gateway, you need to configure the environment variable:

  • INTEGRATION_AWS_INSTANCE_ROLE_ALLOW=true

This allows the integration to use the instance role of the Hoop Gateway to access AWS resources.

Make sure to create an IAM role in the account that you’re hosting the Hoop Gateway and associate with the policy HoopAWSConnect. See the step above to create the IAM role.

Web Interface

The web interface allows you to configure the AWS Connect integration and manage the provisioning of database roles. It will list the available AWS accounts and the databases that can be provisioned.

Access Key Credentials

Instance Role

Agent Deployment

The agent connects to your underlying infrastructure to provision and access your databases. Before proceeding, make sure to provision an agent for every private network in which your database is running.

If you have connectivity with all databases from a single machine, you could deploy the agent in this network to gain access to all databases using a single agent.

Read more about agents

Supported Engines

  • Postgres / Aurora
  • MySQL / Aurora
  • SQL Server

Security Group Management

The gateway automatically creates and associates a dedicated security group to enable secure connectivity between the gateway and your agent. This security group is configured with the following properties:

  • Resource Name: hoop-aws-connect-sg-<db-instance-identifier>
  • Tag: hoop.dev/gateway=<api-hostname>

You have the option to manage these security groups directly to customize connectivity settings as needed.

Roles and Connection Management

The provisioner will reset the master database credentials using a random password. The user and password are stored in Hoop’s database. Subsequent requests for provisioning roles reuse the master credentials stored in Hoop.

The provisioner will create three static user roles for all existing databases depending on the engine:

  • hoop_ro
  • hoop_rw
  • hoop_ddl

If you run the process multiple times, some database users might be removed and recreated. The default behavior is to provision the role if it doesn’t exist and change the password if the role already exists.

In the final step of the provisioning process, it creates connections with the credentials of each role. Three connections are provisioned as the outcome:

  • <connection-name-prefix>-ro
  • <connection-name-prefix>-rw
  • <connection-name-prefix>-ddl

The database user roles permissions are static and described below:

ENGINEREAD ONLYREAD WRITEDDL
PostgresSELECTSELECT, INSERT, UPDATE, DELETESELECT, INSERT, UPDATE, DELETE, TRUNCATE, REFERENCES, TRIGGER
MySQLSELECTSELECT, INSERT, UPDATE, DELETESELECT, INSERT, UPDATE, DELETE, ALTER, CREATE, DROP
SQL Serverdb_datareaderdb_datareader, db_datawriterdb_datareader, db_datawriter, db_ddladmin

Webhooks (Svix)

In the final step of the job, you can send webhooks to an external system for integration purposes. The webhook provider must be configured to send the message properly. More information could be found here. The payload structure matches the endpoint GET /api/dbroles/:id.

In the final step of the job it’s possible to send Webhooks to an external system for integration purporses. The Webhook provider must be configured to send the message properly. The payload is the same structure of the endpoint GET /api/dbroles/:id.

{
    "event_type": "dbroles.job.finished",
    "event_payload": {}
}

Refer to our API Reference for more details about the structure of the event_payload attribute.

Runbook Hook

This feature is available in version 1.35.7+.

As an alternative to using a Webhook Provider, you can execute a Python script in the final step of the job. This functionality enables easier integration with any internal workflow by leveraging Hoop as a hook system for your process.

Requirements for running this hook:

  • The Runbook must be enabled with a git repository
  • The specific file path hoop-hooks/aws-connect-post-exec.runbook.py must exist in your git repository to trigger the hook
  • Note: Output content (stdout, stderr) is limited to 4096 bytes

Use the script below to print both the request and response objects.

Runbook Inputs

The request and response objects are available as environment variables in JSON

Example of how to parse it in python as a dictionary:

import json, os

requestJson = os.getenv('HOOP_AWS_CONNECT_REQUEST')
responseJson = os.getenv('HOOP_AWS_CONNECT_RESPONSE')

request = json.loads(requestJson)
response = json.loads(responseJson)

print('request db arn: ', request['resource_id'])
print('response status: ', response['status'])

Be careful when printing any sensitive information. The content will be available for inspection in the API for adminstrator users.

Vault Secrets Manager

This integration enables you to delegate the management of secrets to HashiCorp Vault, a robust secrets management solution. When enabled, all provisioned roles are securely stored in Vault.

For deployments with connection provisioning enabled, the integration automatically adds the necessary reference secrets provider and secret ID.

For this integration to function properly, the agent must be configured with the correct Vault credentials. For detailed configuration instructions, please refer to the Vault secrets manager documentation.