SSM access for DeepSQL support
When you deploy via CloudFormation with CreateSupportUser=Yes (the default), the stack creates an IAM user the DeepSQL support team can use to SSM into your instance.
What the support user can do
The IAM policy is scoped narrowly:

- `ssm:StartSession` only on EC2 instances tagged `deepsql:managed=true`, in the deploy region
- `ssm:TerminateSession` / `ssm:ResumeSession` only on the user’s own sessions
- Read-only `ec2:DescribeInstances` and `ssm:DescribeInstanceInformation` to find instances
That’s it. No EC2 modify, no IAM, no S3, no other regions.
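To make the scope above concrete, here is an added example (not the `SupportUserPolicy` from the stack, and not code from the DeepSQL project) that builds a policy document with exactly that shape and lints a document against the stated constraints before you attach it. Region, account id and the `Sid` names are placeholders; the lint is a simplified structural check of the page's rules, not IAM's own evaluator.

```python
"""Reconstruct an IAM policy matching the described support scope and lint it.
Added example; hypothetical names. The lint checks the page's stated
constraints structurally and is not a substitute for IAM's policy simulator."""
import json

REGION = "us-east-1"          # placeholder: your deploy region
ACCOUNT = "123456789012"      # placeholder: your account id
TAG_KEY = "deepsql:managed"   # the tag StartSession is gated on

# The only actions the support user is supposed to have.
ALLOWED_ACTIONS = {
    "ssm:StartSession", "ssm:TerminateSession", "ssm:ResumeSession",
    "ec2:DescribeInstances", "ssm:DescribeInstanceInformation",
}


def build_support_policy(region=REGION, account=ACCOUNT):
    """Return a policy document with the scope described on the page."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # StartSession only against instances carrying the tag, only in the deploy region
                "Sid": "StartOnManagedInstances",
                "Effect": "Allow",
                "Action": ["ssm:StartSession"],
                "Resource": [f"arn:aws:ec2:{region}:{account}:instance/*"],
                "Condition": {"StringEquals": {
                    f"ssm:resourceTag/{TAG_KEY}": "true",
                    "aws:RequestedRegion": region,
                }},
            },
            {   # The default shell document must also be allowed or StartSession fails
                "Sid": "StartWithDefaultShell",
                "Effect": "Allow",
                "Action": ["ssm:StartSession"],
                "Resource": [f"arn:aws:ssm:{region}:{account}:document/SSM-SessionManagerRunShell"],
                "Condition": {"StringEquals": {"aws:RequestedRegion": region}},
            },
            {   # Session ids are prefixed with the caller's user name, which pins this to own sessions
                "Sid": "OwnSessionsOnly",
                "Effect": "Allow",
                "Action": ["ssm:TerminateSession", "ssm:ResumeSession"],
                "Resource": ["arn:aws:ssm:*:*:session/${aws:username}-*"],
            },
            {   # Read-only discovery; these Describe calls do not support resource-level scoping
                "Sid": "ReadOnlyDiscovery",
                "Effect": "Allow",
                "Action": ["ec2:DescribeInstances", "ssm:DescribeInstanceInformation"],
                "Resource": ["*"],
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_support_policy(policy):
    """Return findings where an Allow statement exceeds the described scope.
    An empty list means every statement respects the page's constraints."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        where = f"statement {i} ({stmt.get('Sid', 'no Sid')})"
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"{where}: NotAction/NotResource widen the grant unpredictably")
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        # Collapse condition operators so we can look up keys regardless of operator.
        flat = {k: v for block in stmt.get("Condition", {}).values() for k, v in block.items()}
        for action in actions:
            if action not in ALLOWED_ACTIONS:
                findings.append(f"{where}: action {action!r} is outside the support scope")
        if "ssm:StartSession" in actions:
            if any(r == "*" or r.startswith("arn:aws:ec2:") for r in resources):
                if flat.get(f"ssm:resourceTag/{TAG_KEY}") != "true":
                    findings.append(f"{where}: StartSession on instances lacks the {TAG_KEY}=true condition")
            if "aws:RequestedRegion" not in flat:
                findings.append(f"{where}: StartSession is not pinned to a region")
        if {"ssm:TerminateSession", "ssm:ResumeSession"} & set(actions):
            if not all("${aws:username}" in r for r in resources):
                findings.append(f"{where}: Terminate/ResumeSession not limited to the user's own sessions")
    return findings


if __name__ == "__main__":
    policy = build_support_policy()
    print(json.dumps(policy, indent=2))
    print("findings:", lint_support_policy(policy) or "none")
```

Run it against the `PolicyDocument` you actually deploy by loading that JSON and passing it to `lint_support_policy`; any finding means the document grants more than the page says the support user gets.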
Sharing access
The access key is stored in AWS Secrets Manager — not output in plaintext, not in CloudFormation events.
Two ways to share:
Option A — grant the DeepSQL principal access to the secret (recommended)
Best if the DeepSQL team has a known IAM principal in their AWS account:

```bash
aws secretsmanager put-resource-policy \
  --region <region> \
  --secret-id <SupportSecretArn> \
  --resource-policy '{
    "Version": "2012-10-17",
    "Statement": [{
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::<deepsql-account-id>:role/<deepsql-support-role>"},
      "Action": "secretsmanager:GetSecretValue",
      "Resource": "*"
    }]
  }'
```

DeepSQL fetches the secret on demand. Rotating the key is just rotating the secret. Note that cross-account reads of a secret also require the caller's own account to allow `secretsmanager:GetSecretValue`, and they only work when the secret is encrypted with a customer-managed KMS key the DeepSQL principal is allowed to use; the AWS-managed `aws/secretsmanager` key cannot be used across accounts.
Option B — fetch and share the value (less ideal)
```bash
aws secretsmanager get-secret-value \
  --region <region> \
  --secret-id <SupportSecretArn> \
  --query SecretString --output text
```

Output is JSON: `{"AccessKeyId":"AKIA…","SecretAccessKey":"…","Region":"…","InstanceId":"i-…"}`. Share securely (1Password, etc.) and rotate when no longer needed.
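Both options end with rotation: Option A says rotating the key is just rotating the secret, Option B says to rotate once the shared value is no longer needed. The added example below (not DeepSQL's code) rotates the support user's access key and republishes it in the secret in an order that never leaves the secret pointing at a dead key, and also shows the quick "disable everything" path. It takes boto3-style clients as arguments, so the constructed `FakeIam` / `FakeSecrets` stand-ins let you dry-run it offline; in production you pass `boto3.client("iam")` and `boto3.client("secretsmanager")`. The user name and secret id are placeholders.

```python
"""Rotate or disable the support user's access key. Added example with
hypothetical names; the Fake* classes are constructed stand-ins for the boto3
IAM and Secrets Manager clients and only exist for local dry runs."""
import json

SUPPORT_USER = "deepsql-support"   # IAM user name used on the page
SECRET_ID = "<SupportSecretArn>"   # placeholder: the stack's secret ARN


def rotate_support_key(iam, secretsmanager, user=SUPPORT_USER, secret_id=SECRET_ID):
    """Create a new key, publish it in the secret, then retire the old one.
    Returns the new secret payload (same shape as the page shows)."""
    current = json.loads(secretsmanager.get_secret_value(SecretId=secret_id)["SecretString"])
    old_key_id = current["AccessKeyId"]
    # IAM allows at most two access keys per user, so old and new can overlap briefly.
    new_key = iam.create_access_key(UserName=user)["AccessKey"]
    updated = dict(current, AccessKeyId=new_key["AccessKeyId"],
                   SecretAccessKey=new_key["SecretAccessKey"])
    # Publish the new key before touching the old one so readers never see a dead key.
    secretsmanager.put_secret_value(SecretId=secret_id, SecretString=json.dumps(updated))
    # Deactivate first (reversible), then delete once the new key is live.
    iam.update_access_key(UserName=user, AccessKeyId=old_key_id, Status="Inactive")
    iam.delete_access_key(UserName=user, AccessKeyId=old_key_id)
    return updated


def revoke_support_key(iam, user=SUPPORT_USER):
    """Disable every active key for the user without deleting it (fast, reversible).
    Returns the ids that were disabled."""
    disabled = []
    for meta in iam.list_access_keys(UserName=user)["AccessKeyMetadata"]:
        if meta["Status"] == "Active":
            iam.update_access_key(UserName=user, AccessKeyId=meta["AccessKeyId"], Status="Inactive")
            disabled.append(meta["AccessKeyId"])
    return disabled


class FakeIam:
    """Constructed stand-in for boto3's IAM client: keys live in a dict of id -> status."""
    def __init__(self, keys):
        self.keys = dict(keys)
        self.counter = 0

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [{"AccessKeyId": k, "Status": s} for k, s in self.keys.items()]}

    def create_access_key(self, UserName):
        if len(self.keys) >= 2:   # mirrors the real two-keys-per-user limit
            raise RuntimeError("LimitExceeded: IAM allows two access keys per user")
        self.counter += 1
        key_id = f"AKIAFAKE{self.counter:012d}"
        self.keys[key_id] = "Active"
        return {"AccessKey": {"AccessKeyId": key_id, "SecretAccessKey": f"fake-secret-{self.counter}"}}

    def update_access_key(self, UserName, AccessKeyId, Status):
        self.keys[AccessKeyId] = Status

    def delete_access_key(self, UserName, AccessKeyId):
        del self.keys[AccessKeyId]


class FakeSecrets:
    """Constructed stand-in for boto3's Secrets Manager client holding one secret string."""
    def __init__(self, payload):
        self.value = json.dumps(payload)

    def get_secret_value(self, SecretId):
        return {"SecretString": self.value}

    def put_secret_value(self, SecretId, SecretString):
        self.value = SecretString


if __name__ == "__main__":
    # Dry run against the fakes; swap in boto3 clients for the real thing.
    iam = FakeIam({"AKIAOLDKEY0000000000": "Active"})
    sm = FakeSecrets({"AccessKeyId": "AKIAOLDKEY0000000000", "SecretAccessKey": "old",
                      "Region": "us-east-1", "InstanceId": "i-0123456789abcdef0"})
    print("rotated to", rotate_support_key(iam, sm)["AccessKeyId"])
    print("disabled", revoke_support_key(iam))
```

If the user already has two keys (for example a stale inactive one), `create_access_key` fails; delete the stale key first, which is also why the rotation deletes the old key rather than leaving it inactive.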
What the DeepSQL team does with it
```bash
# DeepSQL operator configures the support credentials as an AWS profile
aws configure --profile deepsql-support

# Connect
aws --profile deepsql-support ssm start-session \
  --region <region> \
  --target <instance-id>
```

Sessions are logged by AWS — turn on CloudTrail for full audit if your org requires it. CloudTrail records each `StartSession` call (caller, target instance, region, time); what was typed inside the session is only retained if you also enable Session Manager logging to CloudWatch Logs or S3.
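As an added example of what that CloudTrail audit looks like in practice (not code from the page or from DeepSQL), the script below walks CloudTrail records, keeps the `StartSession` calls made by the support user, and flags anything that should not happen under the policy described above: a denied attempt, a session in another region, or a session to an instance that is not in your managed set. The sample records are constructed and trimmed to the fields used; the field names follow CloudTrail's layout for SSM `StartSession` events, and the managed-instance set is a placeholder for your own inventory.

```python
"""Audit CloudTrail for the support user's SSM sessions. Added example with
constructed records; field names follow CloudTrail's StartSession event."""
import gzip
import json

SUPPORT_USER = "deepsql-support"
EXPECTED_REGION = "us-east-1"   # placeholder: your deploy region

# Constructed CloudTrail records, trimmed to the fields the audit reads.
SAMPLE_EVENTS = [
    {   # legitimate session on a managed instance in the deploy region
        "eventTime": "2024-05-01T10:00:00Z", "eventSource": "ssm.amazonaws.com",
        "eventName": "StartSession", "awsRegion": "us-east-1",
        "userIdentity": {"type": "IAMUser", "userName": "deepsql-support"},
        "requestParameters": {"target": "i-0aaa111"},
        "responseElements": {"sessionId": "deepsql-support-0a1b2c"},
    },
    {   # attempt against an untagged instance: denied by the policy, still recorded
        "eventTime": "2024-05-01T10:05:00Z", "eventSource": "ssm.amazonaws.com",
        "eventName": "StartSession", "awsRegion": "us-east-1",
        "userIdentity": {"type": "IAMUser", "userName": "deepsql-support"},
        "requestParameters": {"target": "i-0bbb222"},
        "errorCode": "AccessDenied",
    },
    {   # a session outside the deploy region, which the policy should not allow
        "eventTime": "2024-05-02T09:00:00Z", "eventSource": "ssm.amazonaws.com",
        "eventName": "StartSession", "awsRegion": "eu-west-1",
        "userIdentity": {"type": "IAMUser", "userName": "deepsql-support"},
        "requestParameters": {"target": "i-0ccc333"},
        "responseElements": {"sessionId": "deepsql-support-3d4e5f"},
    },
    {   # someone else's session: not the support user, ignored here
        "eventTime": "2024-05-02T11:00:00Z", "eventSource": "ssm.amazonaws.com",
        "eventName": "StartSession", "awsRegion": "us-east-1",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
        "requestParameters": {"target": "i-0aaa111"},
        "responseElements": {"sessionId": "alice-6g7h8i"},
    },
]


def load_cloudtrail_records(path):
    """Read one CloudTrail log file (plain or gzipped JSON with a top-level Records list)."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt") as fh:
        return json.load(fh)["Records"]


def audit_support_sessions(events, managed_instances, user=SUPPORT_USER, region=EXPECTED_REGION):
    """Return (sessions, findings): the support user's successful sessions, and
    anything that contradicts the policy scope or was denied."""
    sessions, findings = [], []
    for ev in events:
        if ev.get("eventSource") != "ssm.amazonaws.com" or ev.get("eventName") != "StartSession":
            continue
        if ev.get("userIdentity", {}).get("userName") != user:
            continue
        target = ev.get("requestParameters", {}).get("target")
        when = ev.get("eventTime")
        if ev.get("errorCode"):
            # A denial means the scope held, but repeated denials are worth a look.
            findings.append(f"{when}: denied StartSession to {target} ({ev['errorCode']})")
            continue
        sessions.append({"time": when, "target": target,
                         "session": ev.get("responseElements", {}).get("sessionId")})
        if ev.get("awsRegion") != region:
            findings.append(f"{when}: session to {target} opened in {ev.get('awsRegion')}, expected {region}")
        if target not in managed_instances:
            findings.append(f"{when}: session to {target}, which is not a managed instance")
    return sessions, findings


if __name__ == "__main__":
    import sys
    events = load_cloudtrail_records(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_EVENTS
    # Placeholder inventory; in practice build it from your tagged instances.
    sessions, findings = audit_support_sessions(events, managed_instances={"i-0aaa111", "i-0ccc333"})
    for s in sessions:
        print("session", s)
    for f in findings:
        print("FINDING", f)
```

A successful session outside the region or against an unmanaged instance means the deployed policy is wider than this page describes, so treat such a finding as a policy bug to fix, not just an event to note.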
Revoking access
The cleanest way:

```bash
# Disable the access key (effective immediately)
aws iam update-access-key \
  --user-name deepsql-support \
  --access-key-id <AccessKeyId> \
  --status Inactive
```

Deactivating the key blocks new sessions; a session that is already open keeps running until it is terminated, so check for active sessions as well.

Or delete the support user from the stack by updating with CreateSupportUser=No:

```bash
aws cloudformation update-stack \
  --stack-name deepsql-selfhost \
  --region <region> \
  --use-previous-template \
  --parameters ParameterKey=CreateSupportUser,ParameterValue=No ... \
  --capabilities CAPABILITY_NAMED_IAM
```

Without CloudFormation
If you installed manually (not via CloudFormation) and want to grant DeepSQL support access later, attach the same IAM policy to a user of your choice. The policy template is in `cloudformation/deepsql-stack.yaml` under the `SupportUserPolicy` resource — copy the `PolicyDocument` block.