Data Management: Authorize users to access a database instance by using proxy endpoints

Last Updated: Mar 28, 2026

After you enable the secure access proxy feature for a database instance, you can grant specific users access to the instance through its proxy endpoints. Each authorized user receives a dedicated AccessKey pair for identity authentication, so you can manage access and rotate credentials independently for each user.

Prerequisites

Before you begin, ensure that you have:

Authorize a user

  1. Log on to the DMS console V5.0.

  2. Move the pointer over the icon in the upper-left corner and choose All Features > Security and disaster recovery (DBS) > Secure Access Proxy > Proxy List.

    Note

    If you use the DMS console in normal mode, choose Security and disaster recovery (DBS) > Secure Access Proxy > Proxy List in the top navigation bar.

  3. Move the pointer over the icon in the upper-left corner and choose All functions > Security and Specifications > Secure Access Proxy > Proxy List.

    Note

    If you use the DMS console in normal mode, choose Security and Specifications > Secure Access Proxy > Proxy List in the top navigation bar.

  4. On the Created tab, find the database instance and click Details in the Operation column. The Secure Access Proxy/Details page appears.

  5. Click Authorize.

  6. In the Secure Access Proxy - Authorize dialog box, configure the following parameters and click OK.

    | Parameter | Description |
    | --- | --- |
    | Authorize User | The user to authorize. Only one user can be selected at a time. |
    | Use Custom Database Account | The database account used to access the instance. If you select No (the default), the database account that was used to enable the secure access proxy feature is used to access the database instance. If you select Yes, you must enter the custom database account and password used to access the database instance. |
    | Security Policy | The policy that controls AccessKey pair expiry and rotation. See Choose a security policy below. |

Choose a security policy

Select the policy that matches your access management requirements:

  • System Security Policy: DMS does not automatically update the AccessKey pair. Use this option when you manage credential rotation outside of DMS or when long-lived access with no expiry is acceptable.

  • Regularly Update AccessKey Pair: DMS automatically updates the AccessKey pair at the interval you specify in the Update Interval parameter. Use this option to enforce periodic credential rotation for ongoing access.

    Warning

    After the AccessKey pair is updated, the previous pair becomes invalid. Applications using the old credentials will lose access to the database instance.

  • Authentication Expires at Specific Time: The AccessKey pair expires at the time you specify in the Expire At parameter. Use this option for temporary access with a defined end date.

After the authorization succeeds, the user receives an AccessKey pair consisting of:

  • AccessID: identifies the authorized user.

  • AccessSecret: verifies the user's identity. Keep this value confidential.

The user must present this AccessKey pair for identity authentication each time they connect to the database instance through a proxy endpoint.
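
The warning under Regularly Update AccessKey Pair means a client that caches the pair must be able to pick up the new one. The sketch below is an added example, not DMS or Alibaba Cloud code: it caches the pair from a local secret file, re-reads the file once when the proxy rejects the cached pair, and fails instead of looping if the file has not been refreshed. The JSON file layout, the `connect` callable, `AuthError`, and all sample values are assumptions constructed for illustration.

```python
import json
import os
import tempfile

class AuthError(Exception):
    """Raised by the connect callable when the proxy rejects the AccessKey pair."""

class AccessKeyFile:
    """Caches the pair read from a JSON secret file (file layout is an assumption)."""
    def __init__(self, path):
        self.path, self._pair = path, None

    def load(self, refresh=False):
        if refresh or self._pair is None:
            with open(self.path, encoding="utf-8") as fh:
                data = json.load(fh)
            self._pair = (data["AccessID"], data["AccessSecret"])
        return self._pair

def connect_with_rotation(keys, connect):
    """Connect with the cached pair; after a rejection, re-read the file once."""
    stale = keys.load()
    try:
        return connect(*stale)
    except AuthError:
        fresh = keys.load(refresh=True)
        if fresh == stale:
            raise  # file still holds the invalidated pair: fail, do not loop
        return connect(*fresh)

def demo():
    """Constructed scenario: a stand-in proxy that accepts only the newest pair."""
    valid, seen = {}, []
    def fake_connect(access_id, access_secret):  # stands in for a real driver call
        if (access_id, access_secret) != valid["pair"]:
            raise AuthError("AccessKey pair rejected")
        return "session:" + access_id
    with tempfile.TemporaryDirectory() as tmp:
        keys = AccessKeyFile(os.path.join(tmp, "proxy_key.json"))
        # Rounds 1 and 2 write the new pair to the file; round 3 does not.
        for n, distributed in ((1, True), (2, True), (3, False)):
            pair = valid["pair"] = (f"constructed-id-{n}", f"constructed-secret-{n}")
            if distributed:
                with open(keys.path, "w", encoding="utf-8") as fh:
                    json.dump({"AccessID": pair[0], "AccessSecret": pair[1]}, fh)
            try:
                seen.append(connect_with_rotation(keys, fake_connect))
            except AuthError:
                seen.append("rejected")
    return seen
```

In round 2 the cached pair is already invalid, so the first attempt is rejected and the retry succeeds with the re-read pair; in round 3 the rejection is surfaced because the file still holds the old pair.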

Note

As an alternative to direct authorization, you can approve a ticket submitted by the user. For more information, see Approve tickets.

Manage authorized users

On the Secure Access Proxy/Details page, you can perform the following operations on authorized users:

| Operation | Steps |
| --- | --- |
| View the AccessKey pair | Click View. |
| Update the AccessKey pair | Click Update to generate a new AccessKey pair. After the AccessKey pair is updated, the previous pair becomes invalid. |
| Revoke access | Click Recycling or Release. The user can no longer connect to the proxy endpoints of the database instance. |

Note

If you are a regular user who is the owner of the secure access proxy for the database instance, you cannot update the AccessKey secrets of other authorized users or revoke their permissions.
