Access requirements and permissions

Before using Cast AI DB Optimizer (DBO), you must ensure proper access permissions are configured for your cloud database provider. This page outlines the necessary permissions and configurations.

AWS permissions

When connecting your AWS RDS instances to Cast AI, you must grant permissions through a cross-account IAM role. This role allows Cast AI to access necessary metrics and information while maintaining security best practices.

Required AWS-managed policies

The following AWS-managed policies must be attached to the IAM role:

    • AmazonRDSPerformanceInsightsReadOnly
    • AmazonRDSReadOnlyAccess

Custom policy for Performance Insights

When accessing Performance Insights APIs, Cast AI requires permission to decrypt the data using the kms:Decrypt action. Add the following custom policy to your IAM role:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "kms:Decrypt",
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}

Trust relationship configuration

The IAM role must have a trust relationship that allows Cast AI to assume it. Configure the following trust policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::891377030120:user/dbo-poller-prod"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Verifying permissions

You can verify your IAM role configuration using the AWS Management Console or AWS CLI.

Using AWS Management Console

Verify the attached policies:
  1. Open the IAM console
  2. Navigate to Roles and select your Cast AI role
  3. In the Permissions tab, verify these policies are listed:

    • AmazonRDSPerformanceInsightsReadOnly
    • AmazonRDSReadOnlyAccess
    • Your custom KMS Decrypt policy

Verify trust relationship:
  1. Stay in your role's details
  2. Select the Trust relationships tab
  3. Confirm the trust policy includes the Cast AI principal:
    "AWS": "arn:aws:iam::891377030120:user/dbo-poller-prod"

Using AWS CLI

  1. Check the attached policies:
    aws iam list-attached-role-policies --role-name <your-role-name>
    aws iam list-role-policies --role-name <your-role-name>
    
  2. Verify trust relationship:
    aws iam get-role --role-name <your-role-name>
    
    Look for the AssumeRolePolicyDocument in the output to confirm the trust relationship.
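
The two CLI checks above can be scripted. The following is an added example, not Cast AI's own tooling: it takes the JSON printed by `aws iam get-role` and `aws iam list-attached-role-policies`, reports any missing managed policy, and reports any principal other than the Cast AI one that is allowed to assume the role. The function names, the sample role name and the second principal in the sample data are assumptions made for illustration.

```python
import json

# Values taken from this page.
REQUIRED_MANAGED = {"AmazonRDSPerformanceInsightsReadOnly", "AmazonRDSReadOnlyAccess"}
CAST_AI_PRINCIPAL = "arn:aws:iam::891377030120:user/dbo-poller-prod"
ASSUME_ACTIONS = {"sts:AssumeRole", "sts:*", "*"}

def as_list(value):
    """IAM allows a single string wherever a list is accepted."""
    return value if isinstance(value, list) else [value]

def check_role(get_role_json, attached_json):
    """Return findings for the role; an empty list means it matches the page."""
    findings = []
    attached = {p["PolicyName"] for p in json.loads(attached_json)["AttachedPolicies"]}
    for name in sorted(REQUIRED_MANAGED - attached):
        findings.append(f"missing managed policy: {name}")
    # The AWS CLI prints AssumeRolePolicyDocument as already-decoded JSON.
    trust = json.loads(get_role_json)["Role"]["AssumeRolePolicyDocument"]
    trusted = set()
    for stmt in as_list(trust["Statement"]):
        actions = set(as_list(stmt.get("Action", [])))
        if stmt.get("Effect") != "Allow" or not actions & ASSUME_ACTIONS:
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            trusted.add("*")
        else:
            for values in principal.values():
                trusted.update(as_list(values))
    if CAST_AI_PRINCIPAL not in trusted:
        findings.append("Cast AI principal is not trusted to assume the role")
    for extra in sorted(trusted - {CAST_AI_PRINCIPAL}):
        findings.append(f"unexpected trusted principal: {extra}")
    return findings

# Constructed sample CLI output (role name and second principal are made up).
SAMPLE_ATTACHED = json.dumps({"AttachedPolicies": [
    {"PolicyName": "AmazonRDSReadOnlyAccess",
     "PolicyArn": "arn:aws:iam::aws:policy/AmazonRDSReadOnlyAccess"}]})
SAMPLE_ROLE = json.dumps({"Role": {"RoleName": "example-castai-dbo",
    "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole",
        "Principal": {"AWS": [CAST_AI_PRINCIPAL,
                              "arn:aws:iam::111122223333:root"]}}]}}})

if __name__ == "__main__":
    for finding in check_role(SAMPLE_ROLE, SAMPLE_ATTACHED):
        print(finding)
```

To run it against a real role, redirect the output of the two CLI commands to files and pass their contents to check_role in place of the samples.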

Note: These permissions are read-only and do not allow Cast AI to modify your database configurations or access the actual data within your databases.

For more information about setting up DB Optimizer, see our Quick start guide.