In some configurations the oracle user may be used as Grid Home owner.
In such configurations, if the oracle user needs to run the AWS CLI (e.g. to use AWS Secrets Manager for Oracle Secure Backup), then the oracle user must be granted sudo permissions for running the AWS CLI as another user.
This article provides a sample implementation of this with a custom sudoers file.
Create sudoers file
Create a file in /etc/sudoers.d, e.g. /etc/sudoers.d/80-oracle-aws, with the following content:
oracle ALL=(<user_to_run_the_aws_cli_command>) NOPASSWD: /bin/aws
For example, the following line allows the oracle user to run the AWS CLI as the user myuser:
oracle ALL=(myuser) NOPASSWD: /bin/aws
Sample call:
[oracle@rac1 ~]$ sudo -u myuser aws secretsmanager get-secret-value --secret-id fg/test/secret --region us-east-1
{
    "ARN": "arn:aws:secretsmanager:us-east-1:1234567890:secret:fg/test/secret-sJRWCi",
    "Name": "fg/test/secret",
    "VersionId": "3c57ed07-70d3-471e-946a-96bb6a113a65",
    "SecretString": "{\"db_user\":\"secret_user\",\"db_password\":\"secret_password\"}",
    "VersionStages": [
        "AWSCURRENT"
    ],
    "CreatedDate": 1603361964.779
}
It is also possible to restrict the sudo rule to a subset of AWS CLI commands. For example, to allow only AWS Secrets Manager calls, use the following sudoers file:
oracle ALL=(myuser) NOPASSWD: /bin/aws secretsmanager *
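The steps above (write the rule, optionally narrow it to one AWS CLI service, install it under /etc/sudoers.d) as one script. This is an added example, not code from the original article. It assumes the AWS CLI binary is at /bin/aws as in the rules above (the path in the sudoers rule must match the real binary exactly, so check it with command -v aws), that the drop-in is named 80-oracle-aws, and that visudo is available for the syntax check; the install step needs root.

```shell
#!/bin/sh
# Added example (not from the original article): build, syntax-check and install
# a sudoers drop-in that lets the oracle user run the AWS CLI as another user.
# Assumptions: AWS CLI at /bin/aws (verify with `command -v aws`), drop-in named
# 80-oracle-aws, visudo installed. Installing requires root.
set -u

AWS_BIN="/bin/aws"

# Print the sudoers rule for the given RunAs user. The optional second argument
# limits the rule to one AWS CLI service (e.g. secretsmanager). Note that sudo's
# "*" then matches any further arguments to that service, so put/delete
# operations on the service are allowed too, not just get-secret-value.
make_sudoers_line() {
  runas="$1"
  service="${2:-}"
  if [ -n "$service" ]; then
    printf 'oracle ALL=(%s) NOPASSWD: %s %s *\n' "$runas" "$AWS_BIN" "$service"
  else
    printf 'oracle ALL=(%s) NOPASSWD: %s\n' "$runas" "$AWS_BIN"
  fi
}

# sudo silently ignores files in /etc/sudoers.d whose names contain a "." or
# end with "~", which would leave the rule unused; reject such names up front.
valid_dropin_name() {
  case "$1" in
    ""|*.*|*~) return 1 ;;
    *)         return 0 ;;
  esac
}

# Write the rule to a temporary file, check it with visudo, then install it
# root-owned with mode 0440 (the mode sudo expects for drop-ins).
install_sudoers() {
  name="$1"; runas="$2"; service="${3:-}"
  valid_dropin_name "$name" || { echo "bad drop-in name: $name" >&2; return 1; }
  tmp=$(mktemp) || return 1
  make_sudoers_line "$runas" "$service" > "$tmp"
  if ! visudo -cf "$tmp"; then
    echo "sudoers syntax check failed" >&2
    rm -f "$tmp"
    return 1
  fi
  install -o root -g root -m 0440 "$tmp" "/etc/sudoers.d/$name"
  rc=$?
  rm -f "$tmp"
  return $rc
}

# Usage (as root):
#   sh oracle-aws-sudoers.sh install 80-oracle-aws myuser                 # full AWS CLI
#   sh oracle-aws-sudoers.sh install 80-oracle-aws myuser secretsmanager  # Secrets Manager only
if [ "${1:-}" = "install" ]; then
  install_sudoers "${2:?drop-in name}" "${3:?runas user}" "${4:-}"
fi
```

After installing, verify from the oracle account with sudo -l, which lists exactly which command and RunAs user the rule grants; if the listed path differs from where the AWS CLI is actually installed, sudo will reject the call.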