OtterTune Homepage ➪
Search
⌃K
Links

Guarded Public Access

External Actor Access

Important This only allows access to actors approved in your security group policies, not all public actors. We will configure the security group policy in the next section.
Modify your database instance to be publicly accessible by approved actors:
  1. 1.
    Navigate to the AWS RDS Console and select the database instance.
  2. 2.
    Select Modify.
  3. 3.
    Scroll down to the Connectivity section and reveal Additional configuration.
  4. 4.
    Select Publicly accessible.
  5. 5.
    Scroll down to the bottom of the page and select Continue.
  6. 6.
    Select Apply immediately.
  7. 7.
    Select Modify DB instance.

Security Group Access

Modify your database instance's security group to allow OtterTune traffic:
  1. 1.
    Navigate to the AWS RDS Console and select the database instance.
  2. 2.
    Select the Connectivity & security tab.
  3. 3.
    Select the hyperlink under VPC security groups.
  4. 4.
    Select Actions -> Edit inbound rules.
  5. 5.
    Select Add rule.
  6. 6.
    Input the following information:
    1. 1.
      Type: MySQL/Aurora or PostgreSQL
    2. 2.
      Source: Custom
    3. 3.
      [OtterTune's Elastic IP address]: 3.18.139.24/32
    4. 4.
      Description: Elastic IP for OtterTune
  7. 7.
    Select Save rules.

Database Authentication

Choose a method for OtterTune to authenticate your database.

Method #1: AWS IAM Database Authentication

Modify your database instance to enable AWS IAM database authentication:
  1. 1.
    Navigate to the AWS RDS Console and select the database instance.
  2. 2.
    Select Modify.
  3. 3.
    Scroll down to the Database authentication section and select Password and IAM database authentication.
  4. 4.
    Scroll down to the bottom of the page and select Continue.
  5. 5.
    Select Apply immediately.
  6. 6.
    Select Modify DB instance.

Create the database user and grant permissions:

Note that the database username should start with ottertune, otherwise we will not have permission to connect to your database.
MySQL
PostgreSQL
CREATE USER 'ottertune' IDENTIFIED WITH AWSAuthenticationPlugin as 'RDS';
GRANT PROCESS ON *.* TO 'ottertune';
GRANT SHOW VIEW ON *.* TO 'ottertune';
GRANT REPLICATION CLIENT ON *.* TO 'ottertune';
GRANT SELECT ON performance_schema.events_statements_summary_by_digest TO 'ottertune';
-- if mysql version >= 8.0
GRANT SELECT ON performance_schema.events_statements_histogram_global TO 'ottertune';
CREATE USER ottertune;
GRANT rds_iam TO ottertune;
GRANT pg_monitor TO ottertune;
Important For PostgreSQL, entering a database username without quotes is case-insensitive. To make it case-sensitive, you can wrap it in quotes. For example:
create user ottertuneUser;
will result in the username ottertuneuser, whereas
create user 'ottertuneUser';
will result in the usernameottertuneUser.

Enter the Database Username into the OtterTune form and select Finish:

Method #2: Database Password Authentication

Create the database user and grant permissions:

MySQL
PostgreSQL
CREATE USER 'ottertune' IDENTIFIED BY '<password>';
GRANT PROCESS ON *.* TO 'ottertune';
GRANT SHOW VIEW ON *.* TO 'ottertune';
GRANT REPLICATION CLIENT ON *.* TO 'ottertune';
GRANT SELECT ON performance_schema.events_statements_summary_by_digest TO 'ottertune';
-- if mysql version >= 8.0
GRANT SELECT ON performance_schema.events_statements_histogram_global TO 'ottertune';
CREATE USER ottertune WITH PASSWORD '<password>';
GRANT pg_monitor TO ottertune;
Important For PostgreSQL, entering a database username without quotes is case-insensitive. To make it case-sensitive, you can wrap it in quotes. For example:
create user ottertuneUser;
will result in the username ottertuneuser, whereas
create user 'ottertuneUser';
will result in the usernameottertuneUser.

Enter the Database Username and Database Password into the OtterTune form and select Finish:

Previous
Agent (recommended)
Next
Adding Additional AWS Accounts
Last modified 9mo ago