Setting up Least Privilege Database User for Datahub with EKS and Amazon RDS

Original Slack Thread

Hello, our team has set up Datahub using EKS and an Amazon RDS database. We’re getting close to production, and have just been using the encrypted RDS root user/password in the helm charts. Everything has been working well. We wanted to scale this back so we could have a least privilege DB user and would like to guide our DBA to create a secondary account. Any idea on what access we could give?

<@UV5UEC3LN> might be able to speak to this!

Do you mean for the master account (used in creating the initial DB and schema) or for the GMS account (used in read/write to the created table)? The master account needs essentially root permissions to create the new database, but the GMS account only needs read/write for the metadata tables we generate in the SQL setup script.

<@UV5UEC3LN> We are using an RDS database so the DB itself is already created. We don’t want to use the master account from the RDS database in our helm for security/least privilege reasons. We’d like to make the privs as skinny as possible without just making another super user account.

If you already have the DB created then the user needed for GMS can be limited to read/write access on that database. It doesn’t need to be root/super user.