SAML Federated user to PSQL/MySQL with IAM Authentication and segregated permissions

[Gunslito]

Hello,

I would like to ask you a question. I've been looking at documentation on how to set this up, but in the federation, SSO, and IAM Authentication part, I couldn't find the exact process.

I'm using Cloudbeaver AWS Edition, and I'm specifically connecting to a PostgreSQL database.

In the database, I'm using IAM Authentication, and I want to use AWS SAML federation to connect the federated user with the database user of the same name, and prevent them from connecting with a user of a different name.

For example:

gunslito@example.com is federated through AWS IAM Identity Center to Cloudbeaver, connecting to the db-psql-1 as the user gunslito@example.com. The role/permission set/etc. should not allow the user gunslito@example.com to connect with a different user.

How can I achieve this?

An IAM/role/user policy or permission set would be very helpful on the documentation.

[EvgeniaBzzz]

Hi @Gunslito
Unfortunately, we don't have a ready solution for implementing this restriction. Perhaps there is a similar setup available on the SAML/Postgre side.
Here you can find info how to set SAML roles in CloudBeaver.

[Gunslito]

I have this configured and I can indeed connect via AWS SSO to Cloudbeaver without problems.
I want to use those credentials or maybe the proxy user to dinamically give permissions to only the user of the same name on the db (mysql or psql). So that's not possible with this? Only with IAM Authentication?

[LonwoLonwo]

Hello @Gunslito

Looks like we do not have an answer for you. We do not see options how we can do it from CloudBeaver side.
Did you try to ask AWS support? https://docs.aws.amazon.com/awssupport/latest/user/getting-started.html

[Gunslito]

Yes, I tried! Thanks for the help anyway, have a nice day people!