rds-oracle
Compare original and translation side by side
🇺🇸
Original
English🇨🇳
Translation
ChineseAmazon RDS for Oracle — Connectivity
Amazon RDS for Oracle — 连接相关操作
Safety guidance
安全指引
This skill covers creating and modifying RDS for Oracle resources when the user requests it. The agent MUST confirm the action with the user before executing. Do NOT execute any create or modify operation without explicit user confirmation (e.g., "yes", "proceed", "confirmed", "go ahead"). If the user has not confirmed, present the planned action and ask for approval.
本技能涵盖用户请求时创建和修改RDS for Oracle资源的操作。Agent必须在执行前与用户确认操作。未经用户明确确认(例如“yes”、“proceed”、“confirmed”、“go ahead”),不得执行任何创建或修改操作。如果用户未确认,请告知计划执行的操作并请求批准。
Execute these operations (after user confirmation)
经用户确认后可执行的操作
- Create an instance: (requires a DB subnet group; RDS Oracle is VPC-only and not publicly accessible by default)
create-db-instance - Create a custom parameter group: (family
create-db-parameter-group,oracle-se2-19, etc.)oracle-ee-19 - Create an option group: (for Oracle Native Network Encryption, TLS/TCPS, S3 integration, APEX, Spatial)
create-option-group - Change backup retention:
modify-db-instance --backup-retention-period - Enable/disable deletion protection:
modify-db-instance --deletion-protection - Change CloudWatch log exports:
modify-db-instance --cloudwatch-logs-export-configuration - Attach/detach parameter group or option group:
modify-db-instance --db-parameter-group-name / --option-group-name - Tag resources: ,
add-tags-to-resourceremove-tags-from-resource
- 创建实例:(需要DB子网组;RDS Oracle仅支持VPC部署,默认不公开访问)
create-db-instance - 创建自定义参数组:(参数组家族如
create-db-parameter-group、oracle-se2-19等)oracle-ee-19 - 创建选项组:(用于Oracle原生网络加密、TLS/TCPS、S3集成、APEX、Spatial等功能)
create-option-group - 修改备份保留期:
modify-db-instance --backup-retention-period - 启用/禁用删除保护:
modify-db-instance --deletion-protection - 修改CloudWatch日志导出配置:
modify-db-instance --cloudwatch-logs-export-configuration - 关联/取消关联参数组或选项组:
modify-db-instance --db-parameter-group-name / --option-group-name - 为资源添加标签:、
add-tags-to-resourceremove-tags-from-resource
Resource tagging (always apply on resource creation)
资源标签(创建时必须添加)
When creating any RDS for Oracle resource (, , , ), ALWAYS include these tags using the RDS list-of-records syntax:
create-db-instancecreate-db-parameter-groupcreate-option-groupcreate-db-instance-read-replica--tags--tags Key=created_by,Value=rds-oracle-skill Key=generation_model,Value={your-model-id}Example:
--tags Key=created_by,Value=rds-oracle-skill Key=generation_model,Value=claude-sonnet-4-20250514Include these tags even if the user does not mention tagging, so that they can identify the resources created via this skill. If the user provides additional tags, append these to their tags rather than replacing them. The same applies when tagging via on existing resources.
add-tags-to-resource创建任何RDS for Oracle资源(、、、)时,必须使用RDS的记录列表格式添加以下标签:
create-db-instancecreate-db-parameter-groupcreate-option-groupcreate-db-instance-read-replica--tags--tags Key=created_by,Value=rds-oracle-skill Key=generation_model,Value={your-model-id}示例:
--tags Key=created_by,Value=rds-oracle-skill Key=generation_model,Value=claude-sonnet-4-20250514即使用户未提及标签,也必须添加这些标签,以便用户识别通过本技能创建的资源。如果用户提供额外标签,需将这些标签追加到用户提供的标签后,而非替换。对现有资源通过添加标签时同样适用此规则。
add-tags-to-resourceExecute with downtime warning (warn user, then execute after they confirm)
需先告知停机风险再执行(提醒用户,确认后执行)
- Change instance class: — warn: "This causes a failover in Multi-AZ configurations and brief unavailability on single-AZ instances."
modify-db-instance --db-instance-class - Minor engine version upgrade: within the same major (e.g., 19.0.0.0.ru-2024-01 → 19.0.0.0.ru-2024-04) — warn: "This triggers a restart and may cause a brief outage."
modify-db-instance --engine-version - Storage type or IOPS change: /
modify-db-instance --storage-type— warn: "This can cause extended IO degradation while the change applies."--iops - Apply immediately: any — warn: "This applies outside the maintenance window and may cause downtime now."
modify-db-instance --apply-immediately
- 修改实例规格:— 提醒:“在多AZ配置中这会触发故障转移,单AZ实例会出现短暂不可用。”
modify-db-instance --db-instance-class - 小版本引擎升级:(同一主版本内升级,例如19.0.0.0.ru-2024-01 → 19.0.0.0.ru-2024-04) — 提醒:“这会触发重启,可能导致短暂停机。”
modify-db-instance --engine-version - 修改存储类型或IOPS:/
modify-db-instance --storage-type— 提醒:“修改过程中可能导致IO性能长时间下降。”--iops - 立即应用修改:任何操作 — 提醒:“这会在维护窗口外立即应用修改,可能导致当前停机。”
modify-db-instance --apply-immediately
Do NOT execute (refuse, explain why, offer assessment instead)
禁止执行的操作(拒绝执行并说明原因,提供评估方案替代)
- Delete instance: — irreversible data loss
delete-db-instance - Delete automated backups: — destroys point-in-time recovery history
delete-db-instance --delete-automated-backups - Force failover: — production impact
reboot-db-instance --force-failover - Major version upgrade: across major versions (e.g., 19c → 21c) — requires prechecks, option group migration, and a rollback plan; should go through change-control
modify-db-instance --engine-version - Reboot: — production impact
reboot-db-instance - Promote a read replica: — breaks replication and is rarely reversible
promote-read-replica - Enable public accessibility: — security regression; use SSM port forwarding, VPN, or Direct Connect instead (per the Overview's security posture)
modify-db-instance --publicly-accessible true
When refusing, explain why and offer the matching assessment workflow:
"I can't perform [action] because [reason]. I can run an assessment to help you decide. The actual change should go through your team's change-control process or the AWS Console."
- 删除实例:— 数据丢失不可逆
delete-db-instance - 删除自动备份:— 销毁时间点恢复历史
delete-db-instance --delete-automated-backups - 强制故障转移:— 影响生产环境
reboot-db-instance --force-failover - 主版本引擎升级:(跨主版本升级,例如19c → 21c) — 需要预检查、选项组迁移和回滚计划,应通过变更控制流程执行
modify-db-instance --engine-version - 重启实例:— 影响生产环境
reboot-db-instance - 提升只读副本:— 中断复制且几乎不可逆转
promote-read-replica - 启用公开访问:— 安全降级;应使用SSM端口转发、VPN或Direct Connect(符合概述中的安全策略)
modify-db-instance --publicly-accessible true
拒绝执行时,需说明原因并提供对应的评估流程:
“我无法执行[操作],原因是[具体原因]。我可以运行评估流程帮您做决策。实际变更应通过您团队的变更控制流程或AWS控制台执行。”
Overview
概述
Amazon RDS for Oracle is a managed Oracle Database service. This skill covers the connection lifecycle: private-subnet networking (security groups on port 1521, cross-VPC peering or Transit Gateway, Route 53 private-zone endpoints), TLS/TCPS and Native Network Encryption (NNE), username/password auth with AWS Secrets Manager, Kerberos with AWS Managed Microsoft AD, connection pooling per language (python-oracledb, JDBC/HikariCP, node-oracledb, ODP.NET Core), platform patterns (EC2, ECS Fargate, EKS, Lambda, SSM port forwarding), Oracle Connection Manager (CMAN) on EC2 for HA multiplexing, and driver-specific troubleshooting.
Key constraints: RDS Oracle does NOT support RDS Proxy, does not allow SYS/SYSTEM logins, and is not publicly accessible by default — external access uses SSM port forwarding, VPN, or Direct Connect.
Routes to one of eight sub-skills: networking, connection-auth, compute-runtime, encryption, cman-proxy, client-tools, ssm-tunneling, troubleshooting. Load only the matching reference.
Amazon RDS for Oracle是托管式Oracle数据库服务。本技能涵盖连接全生命周期:私有子网网络(端口1521的安全组、跨VPC对等连接或Transit Gateway、Route 53私有区域端点)、TLS/TCPS和原生网络加密(NNE)、基于AWS Secrets Manager的用户名/密码认证、基于AWS Managed Microsoft AD的Kerberos认证、各语言的连接池(python-oracledb、JDBC/HikariCP、node-oracledb、ODP.NET Core)、平台模式(EC2、ECS Fargate、EKS、Lambda、SSM端口转发)、EC2上的Oracle Connection Manager (CMAN)高可用多路复用,以及驱动程序特定的故障排查。
关键限制:RDS Oracle不支持RDS Proxy,不允许SYS/SYSTEM登录,默认不公开访问 — 外部访问需使用SSM端口转发、VPN或Direct Connect。
可路由至八个子技能之一:networking(网络)、connection-auth(连接认证)、compute-runtime(计算运行时)、encryption(加密)、cman-proxy(CMAN代理)、client-tools(客户端工具)、ssm-tunneling(SSM隧道)、troubleshooting(故障排查)。仅加载匹配的参考文档。
Security Considerations
安全注意事项
- Encryption at rest: Enable (and optionally
--storage-encrypted) when creating the instance. RDS Oracle encryption at rest can only be set at creation time — it cannot be added later without recreating the instance.--kms-key-id <key-arn> - Encryption in transit: Enable Native Network Encryption (NNE) or TLS/TCPS via an option group; do not rely on cleartext on port 1521 for sensitive workloads.
- Network exposure: Keep the instance in private subnets with . Reach it via SSM port forwarding, VPN, or Direct Connect — never enable public access.
PubliclyAccessible: No - Credentials: Store master and application credentials in AWS Secrets Manager and enable automatic rotation. Never hardcode credentials in code, connection strings, or logs.
- KMS key policies: When using a customer-managed KMS key for storage encryption, scope its key policy to the RDS service and the roles that need it; grant to the application role for that key only.
kms:Decrypt - Audit logging: Export the Oracle audit and alert logs to CloudWatch Logs and enable CloudTrail for RDS API auditing (see Logging and Monitoring).
- 静态加密:创建实例时启用(可选指定
--storage-encrypted)。RDS Oracle静态加密仅能在创建时设置 — 无法在后期添加,除非重新创建实例。--kms-key-id <key-arn> - 传输加密:通过选项组启用原生网络加密(NNE)或TLS/TCPS;敏感工作负载请勿依赖端口1521的明文传输。
- 网络暴露:将实例部署在私有子网中,设置。通过SSM端口转发、VPN或Direct Connect访问 — 切勿启用公开访问。
PubliclyAccessible: No - 凭证管理:将主账号和应用凭证存储在AWS Secrets Manager中并启用自动轮转。切勿在代码、连接字符串或日志中硬编码凭证。
- KMS密钥策略:使用客户托管KMS密钥进行存储加密时,将密钥策略限定为RDS服务和需要访问的角色;仅为应用角色授予该密钥的权限。
kms:Decrypt - 审计日志:将Oracle审计日志和告警日志导出至CloudWatch Logs,并为RDS API审计启用CloudTrail(参见日志与监控部分)。
Common Tasks
常见任务
Verify Dependencies
验证依赖项
Before generating connection code or running AWS commands, confirm the tools the task needs.
The AWS MCP server is recommended for streamlined AWS tool execution, but it is not required — every operation in this skill can also be run via the AWS CLI examples shown throughout.
- AWS CLI v2 with credentials via managed mechanism (IAM role, instance profile, SSO credential vending) — not pasted keys
- Language drivers: (Python),
oracledb(Java 11+),ojdbc11.jar(Node ≥ 6),oracledb(.NET)Oracle.ManagedDataAccess.Core - SSM port forwarding: AWS CLI + Session Manager plugin
- Kerberos: AWS Managed Microsoft AD, ,
krb5.conftoolokinit - CMAN: Oracle Enterprise Edition BYOL license + full Oracle Client install (Instant Client is insufficient)
Constraints:
- The agent MUST check dependencies before generating code or running AWS commands.
- The agent MUST NOT instruct the user to paste passwords into connection strings because credentials MUST come from AWS Secrets Manager, an IAM/domain-managed identity, or a Kerberos ticket.
- The agent MUST tell the user which dependencies are missing and MUST respect the user's decision to abort.
- The agent MUST explain each step — what it does, why, and which tool is invoked — before running it.
生成连接代码或运行AWS命令前,需确认任务所需的工具。
推荐使用AWS MCP服务器简化AWS工具执行,但并非必需 — 本技能中的所有操作也可通过本文档中展示的AWS CLI示例运行。
- AWS CLI v2,通过托管机制(IAM角色、实例配置文件、SSO凭证分发)获取凭证 — 禁止使用粘贴的密钥
- 语言驱动程序:(Python)、
oracledb(Java 11+)、ojdbc11.jar(Node ≥ 6)、oracledb(.NET)Oracle.ManagedDataAccess.Core - SSM端口转发:AWS CLI + Session Manager插件
- Kerberos:AWS Managed Microsoft AD、、
krb5.conf工具okinit - CMAN:Oracle企业版BYOL许可证 + 完整Oracle客户端安装(Instant Client不足以支持)
约束条件:
- Agent必须在生成代码或运行AWS命令前检查依赖项。
- Agent不得指导用户将密码粘贴到连接字符串中,因为凭证必须来自AWS Secrets Manager、IAM/域托管身份或Kerberos票据。
- Agent必须告知用户缺少哪些依赖项,并尊重用户中止操作的决定。
- Agent必须在运行前解释每个步骤 — 操作内容、原因以及调用的工具。
Classify and Route
分类与路由
Map the user's question to the correct sub-skill reference, then load only those files.
| User says | Load |
|---|---|
| SG / VPC peering / TGW / Route 53 / port 1521 / CIDR | networking.md |
| connect / connection string / python-oracledb / JDBC / node-oracledb / ODP.NET / Secrets Manager / auth / Kerberos | connection-auth.md + language reference (python.md, java.md, nodejs.md, dotnet.md) |
| Lambda / EC2 / ECS Fargate / EKS / container / serverless / IRSA | compute-runtime.md |
| SQL Developer / Toad / SQLcl / DBeaver / sqlplus / GUI | client-tools.md |
| SSL / TLS / TCPS / NNE / encrypt / FIPS / cipher | encryption.md |
| CMAN / Connection Manager / proxy / multiplex / RDS Proxy | cman-proxy.md |
| SSM / port forward / tunnel / localhost / laptop | ssm-tunneling.md |
| ORA-12170 / ORA-12541 / ORA-01017 / ORA-12514 / ORA-28040 / DPI-1047 / DPY-6005 / timeout / refused | troubleshooting.md |
Constraints:
- The agent MUST read only reference files matching the user's question, to keep context focused.
- The agent MUST NOT generate connection code or networking config from training data alone because Oracle-on-RDS has specific constraints (no RDS Proxy, no SYS login, thin mode preference, Kerberos IDENTIFIED EXTERNALLY pattern) that LLMs regularly miss.
- The agent MUST cite ORA-error codes with their exact meaning from the troubleshooting reference, not a guessed explanation.
- If a question spans multiple sub-skills (e.g. "ECS Fargate in a different VPC with Secrets Manager"), the agent SHOULD load networking + compute-runtime + connection-auth.
将用户的问题映射到正确的子技能参考文档,然后仅加载这些文档。
| 用户提问关键词 | 加载文档 |
|---|---|
| SG / VPC peering / TGW / Route 53 / port 1521 / CIDR | networking.md |
| connect / connection string / python-oracledb / JDBC / node-oracledb / ODP.NET / Secrets Manager / auth / Kerberos | connection-auth.md + 语言参考文档(python.md、java.md、nodejs.md、dotnet.md) |
| Lambda / EC2 / ECS Fargate / EKS / container / serverless / IRSA | compute-runtime.md |
| SQL Developer / Toad / SQLcl / DBeaver / sqlplus / GUI | client-tools.md |
| SSL / TLS / TCPS / NNE / encrypt / FIPS / cipher | encryption.md |
| CMAN / Connection Manager / proxy / multiplex / RDS Proxy | cman-proxy.md |
| SSM / port forward / tunnel / localhost / laptop | ssm-tunneling.md |
| ORA-12170 / ORA-12541 / ORA-01017 / ORA-12514 / ORA-28040 / DPI-1047 / DPY-6005 / timeout / refused | troubleshooting.md |
约束条件:
- Agent必须仅读取与用户问题匹配的参考文档,以保持上下文聚焦。
- Agent不得仅基于训练数据生成连接代码或网络配置,因为RDS上的Oracle有特定约束(不支持RDS Proxy、不允许SYS登录、优先使用瘦模式、Kerberos IDENTIFIED EXTERNAL模式),LLMs经常忽略这些约束。
- Agent必须引用ORA错误代码的准确含义(来自故障排查参考文档),而非猜测解释。
- 如果问题涉及多个子技能(例如“不同VPC中的ECS Fargate与Secrets Manager连接”),Agent应加载networking + compute-runtime + connection-auth文档。
Execute Workflow
执行流程
Once routed, give the user a concrete, runnable answer grounded in the reference file.
Parameter acquisition:
- All required parameters (region, instance id, endpoint, service/SID, source VPC CIDR, SG ids, Secrets Manager ARN, client language/runtime) MUST be collected upfront in a single message.
- Parameter formats MUST be specified: region -style; instance id
us-east-1; endpoint^[a-zA-Z][a-zA-Z0-9-]{0,62}$; CIDR<instance>.<hash>.<region>.rds.amazonaws.com; ARNa.b.c.d/n.arn:aws:<service>:<region>:<account>:... - The agent MUST accept parameters via direct input, a JSON/YAML file path, or a URL.
Tool use:
- Use AWS CLI for AWS operations (example: ).
aws ec2 authorize-security-group-ingress --group-id sg-123 --protocol tcp --port 1521 --source-group sg-456 - Use bundled scripts — test_connectivity.sh, check_rds_status.sh, check_security_groups.sh, test_oracle_connection.py, check_ssl_status.sql — for diagnostics.
- Write plans, HA architectures, troubleshooting reports to .
artifacts/<app-name>/
Constraints:
- The agent MUST NOT recommend enabling public access on RDS Oracle because public RDS increases the attack surface — use SSM port forwarding, VPN, or Direct Connect.
- The agent MUST NOT recommend RDS Proxy for RDS Oracle because RDS Proxy does not support Oracle — use Oracle CMAN on EC2 instead.
- The agent MUST NOT use with positional filesystem arguments because positional filesystem args break the tool contract — use inline JSON strings.
call_aws - The agent MUST prefer thin-mode drivers (python-oracledb thin mode, node-oracledb 6+, ODP.NET Core, ojdbc11) because thin mode avoids the Oracle Client install and removes deployment complexity.
- The agent MUST write long-form outputs to so the workspace is inspectable.
artifacts/<app-name>/
路由完成后,为用户提供基于参考文档的具体可运行方案。
参数获取:
- 所有必填参数(区域、实例ID、端点、服务/SID、源VPC CIDR、SG ID、Secrets Manager ARN、客户端语言/运行时)必须在一条消息中一次性收集。
- 必须指定参数格式:区域为格式;实例ID符合
us-east-1;端点为^[a-zA-Z][a-zA-Z0-9-]{0,62}$;CIDR为<instance>.<hash>.<region>.rds.amazonaws.com;ARN为a.b.c.d/n。arn:aws:<service>:<region>:<account>:... - Agent必须接受直接输入、JSON/YAML文件路径或URL形式的参数。
工具使用:
- 使用AWS CLI执行AWS操作(示例:)。
aws ec2 authorize-security-group-ingress --group-id sg-123 --protocol tcp --port 1521 --source-group sg-456 - 使用捆绑脚本 — test_connectivity.sh、check_rds_status.sh、check_security_groups.sh、test_oracle_connection.py、check_ssl_status.sql — 进行诊断。
- 将计划、高可用架构、故障排查报告写入目录。
artifacts/<app-name>/
约束条件:
- Agent不得建议为RDS Oracle启用公开访问,因为公开RDS会增加攻击面 — 应使用SSM端口转发、VPN或Direct Connect。
- Agent不得为RDS Oracle推荐RDS Proxy,因为RDS Proxy不支持Oracle — 应使用EC2上的Oracle CMAN替代。
- Agent不得使用带有位置文件系统参数的,因为位置文件系统参数会破坏工具约定 — 应使用内联JSON字符串。
call_aws - Agent应优先使用瘦模式驱动程序(python-oracledb瘦模式、node-oracledb 6+、ODP.NET Core、ojdbc11),因为瘦模式无需安装Oracle客户端,减少部署复杂度。
- Agent必须将长篇输出写入目录,以便检查工作区。
artifacts/<app-name>/
Rubric-Critical Facts to Always Surface
必须重点强调的关键事实
These RDS-for-Oracle-specific facts differentiate the skill from general Oracle-on-EC2 knowledge. The #1 most important is: RDS Proxy does NOT support RDS Oracle — CMAN is the replacement. Agents without this skill get this wrong.
For "connect Python Lambda to RDS Oracle (full setup including layers, pooling, cold start)", you MUST tell the user ALL of the following seven facts:
- Lambda VPC configuration: private subnets across multiple AZs + security group allowing egress to RDS on 1521.
- python-oracledb thin mode as the default — no Lambda layer needed. Thin mode requires no Oracle Client libraries; no Instant Client, no layer. Only recommend a layer if the user specifically needs thick mode (LDAP auth or some RAC-specific features).
- Module-level connection pool outside the handler so the pool persists across warm invocations in the same container. Do NOT put pool construction inside the handler.
- Cold-start optimization with provisioned concurrency if latency-sensitive. Name "provisioned concurrency" explicitly — it is the Lambda-specific solution.
- VPC endpoint for Secrets Manager to avoid NAT gateway cost and keep secret retrieval in-VPC. This is an architectural win, not optional.
- Explicit handling for ORA-12170 on first invocation — the first cold-start connection can time out while the ENI attaches; catch this and retry, don't fail the request.
- Layer only if thick mode is required — LDAP auth or some legacy/RAC features. Do NOT blindly recommend adding layer.
oracle_client
For "EKS pods to RDS Oracle using Secrets Manager CSI driver, IRSA, SecretProviderClass, and deployment manifest", you MUST tell the user ALL of the following seven facts:
- Install the Secrets Store CSI Driver + AWS provider on EKS — use for the CSI driver and
helm installfor the AWS provider YAML. Both are required (the driver alone doesn't know how to talk to AWS).kubectl apply - Create an IAM policy granting on the specific secret ARN (not
secretsmanager:GetSecretValue). Scope it.* - Set up IRSA with eksctl — for the cluster's OIDC provider, then
eksctl utils associate-iam-oidc-providerto bind the IAM policy to a Kubernetes ServiceAccount. Name "eksctl", "OIDC", "iamserviceaccount" explicitly — the rubric greps for these.eksctl create iamserviceaccount - Write a YAML with
SecretProviderClassandprovider: awsexpressions to extract individual secret fields (username, password) from the JSON secret blob.jmesPath - Deployment manifest mounts the CSI volume (with
volumes) and references the correctcsi: { driver: secrets-store.csi.k8s.io }(the one bound to the IAM role via IRSA).serviceAccountName - Security group rules for pod-to-RDS on port 1521 — the EKS worker node SG (or pod SG if using security groups for pods) must be allowed inbound on 1521 by the RDS SG.
- Pool sizing: total connections = replicas × max pool size per pod. Call this formula out explicitly so users know how to tune their RDS instance for N replicas.
For "ORA-12170 timeout connecting from EC2 to RDS Oracle across VPCs", you MUST tell the user ALL of the following six facts:
- Check VPC peering or Transit Gateway exists between the two VPCs, with routes in both directions (EC2's subnet route table points at the peering/TGW toward RDS's VPC CIDR, and RDS's subnet route table points back).
- Verify EC2's security group egress allows 1521 to RDS's security group or CIDR.
- Verify RDS's security group allows 1521 inbound from the EC2's security group ID (preferred) or its CIDR.
- Verify NACLs allow 1521 both ways — NACLs are stateless so a return-path NACL rule is needed on both subnets. NACLs are a common silent blocker when SGs look correct.
- Confirm the RDS endpoint resolves in the EC2's DNS — run from the EC2. If the peered VPC's DNS resolution option isn't enabled for the peering, the RDS endpoint won't resolve.
nslookup <rds-endpoint> - Fastest connectivity test: from the EC2. If
nc -zv <rds-endpoint> 1521times out while DNS works, the problem is SG/NACL/routing. Always suggestncas the narrowing step.nc -zv
For "DPI-1047: Cannot locate a 64-bit Oracle Client library", you MUST tell the user ALL of the following four facts:
- DPI-1047 means is running in thick mode and cannot find the Oracle Instant Client. State this explicitly as the root-cause explanation.
python-oracledb - Primary fix: switch to thin mode by removing from the code. Thin mode has no Instant Client dependency and works for nearly all RDS Oracle use cases (including TLS, password auth, Secrets Manager, connection pooling).
oracledb.init_oracle_client() - Only if thick mode is truly required (LDAP auth, some legacy features) — install the Oracle Instant Client and ensure (Linux) or
LD_LIBRARY_PATH(Windows) points at the Instant Client directory. Name the env-var per OS explicitly.PATH - Do NOT recommend blindly installing Instant Client without confirming thick mode is actually needed. The default recommendation must be "remove init_oracle_client, done." Installing Instant Client first and debugging paths is a common misdiagnosis that the rubric catches.
For "Oracle Connection Manager (CMAN) on EC2 as a proxy for RDS Oracle with HA across two AZs", you MUST tell the user ALL of the following eight facts:
- State licensing and install prerequisites UPFRONT — CMAN requires a full Oracle Client install (NOT Instant Client) and Oracle Enterprise Edition under BYOL. This is the #1 thing users get wrong. Say it first, not last.
- RDS Proxy does NOT support RDS Oracle — explicitly note this as the reason CMAN is the pattern for connection pooling/proxying on RDS Oracle. Agents often suggest RDS Proxy for Oracle and get the rubric wrong.
- Install CMAN on two EC2 instances in separate AZs for HA. Do not recommend a single EC2 — it defeats the "HA" requirement.
- Configure with
cman.ora(access control rules — which clients can connect through CMAN to which targets) andRULE_LIST(listener endpoints, logging, session limits). Name both blocks by their literalPARAMETER_LISTnames.cman.ora - Run CMAN under for auto-restart on failure — write a service unit that starts
systemdat boot.cmctl startup - Front with a Network Load Balancer (NLB) across AZs for HA — clients connect to the NLB DNS, which distributes to the two CMAN EC2s. Mention NLB specifically (not ALB — Oracle TNS is TCP).
- Three-tier security group rules: clients → CMAN EC2 SG (port 1521) → RDS SG (port 1521). Each SG allows inbound only from the previous tier. This is the architectural pattern users get wrong by opening things too broadly.
- Client points at the NLB DNS name — clients connect to CMAN via NLB, CMAN forwards to RDS. Do not have clients connect to an individual EC2's DNS.
tnsnames.ora
这些RDS-for-Oracle特有的事实是本技能与普通Oracle-on-EC2知识的区别。最重要的一点是:RDS Proxy不支持RDS Oracle — CMAN是替代方案。不具备本技能的Agent经常在此出错。
对于“连接Python Lambda与RDS Oracle(包括层、连接池、冷启动的完整设置)”,必须告知用户以下全部七个事实:
- Lambda VPC配置:跨多个可用区的私有子网 + 允许向RDS的1521端口发起出站请求的安全组。
- 默认使用python-oracledb瘦模式 — 无需Lambda层。瘦模式无需Oracle客户端库;无需Instant Client,无需层。仅当用户明确需要胖模式(LDAP认证或某些RAC特定功能)时才推荐使用层。
- 在处理程序外部创建模块级连接池,以便池在同一容器的多次热调用中持续存在。不得在处理程序内部创建连接池。
- 如果对延迟敏感,使用预置并发优化冷启动。明确提及“provisioned concurrency” — 这是Lambda特有的解决方案。
- 为Secrets Manager配置VPC端点,避免NAT网关成本并在VPC内完成凭证检索。这是架构优化,而非可选操作。
- 首次调用时显式处理ORA-12170错误 — 首次冷启动连接可能在ENI附加时超时;需捕获此错误并重试,而非直接失败请求。
- 仅在需要胖模式时使用层 — 例如LDAP认证或某些遗留/RAC功能。不得盲目推荐添加层。
oracle_client
对于“使用Secrets Manager CSI驱动程序、IRSA、SecretProviderClass和部署清单连接EKS Pod与RDS Oracle”,必须告知用户以下全部七个事实:
- 在EKS上安装Secrets Store CSI驱动程序 + AWS提供商 — 使用安装CSI驱动程序,使用
helm install安装AWS提供商YAML。两者都是必需的(仅驱动程序无法与AWS通信)。kubectl apply - 创建IAM策略,授予权限到特定的凭证ARN(而非
secretsmanager:GetSecretValue)。缩小权限范围。* - 使用eksctl设置IRSA — 为集群的OIDC提供商执行,然后执行
eksctl utils associate-iam-oidc-provider将IAM策略绑定到Kubernetes ServiceAccount。明确提及“eksctl”、“OIDC”、“iamserviceaccount” — 评分标准会检查这些关键词。eksctl create iamserviceaccount - 编写YAML文件,设置
SecretProviderClass并使用provider: aws表达式从JSON凭证中提取单个字段(用户名、密码)。jmesPath - 部署清单挂载CSI卷(中配置
volumes)并引用正确的csi: { driver: secrets-store.csi.k8s.io }(通过IRSA绑定到IAM角色的ServiceAccount)。serviceAccountName - Pod到RDS的1521端口安全组规则 — EKS工作节点SG(或使用Pod安全组时的Pod SG)必须被RDS SG允许1521端口的入站访问。
- 连接池大小计算:总连接数 = 副本数 × 每个Pod的最大池大小。明确列出此公式,以便用户知道如何为N个副本调整RDS实例配置。
对于“EC2跨VPC连接RDS Oracle时出现ORA-12170超时错误”,必须告知用户以下全部六个事实:
- 检查两个VPC之间是否存在VPC对等连接或Transit Gateway,并且双向路由都已配置(EC2的子网路由表指向对等连接/TGW以访问RDS的VPC CIDR,RDS的子网路由表指向返回路由)。
- 验证EC2的安全组允许向RDS的安全组或CIDR发起1521端口的出站请求。
- 验证RDS的安全组允许来自EC2的安全组ID(首选)或CIDR的1521端口入站请求。
- 验证NACL允许双向1521端口访问 — NACL是无状态的,因此两个子网都需要返回路径的NACL规则。当SG配置正确时,NACL是常见的隐性阻塞因素。
- 确认RDS端点在EC2的DNS中可解析 — 在EC2上运行。如果对等VPC的DNS解析选项未启用,RDS端点将无法解析。
nslookup <rds-endpoint> - 最快的连通性测试:在EC2上运行。如果DNS正常但
nc -zv <rds-endpoint> 1521超时,问题出在SG/NACL/路由。始终建议使用nc作为排查步骤。nc -zv
对于“DPI-1047: Cannot locate a 64-bit Oracle Client library”错误,必须告知用户以下全部四个事实:
- DPI-1047表示以胖模式运行,但无法找到Oracle Instant Client。明确说明这是根本原因。
python-oracledb - 主要修复方案:从代码中移除,切换到瘦模式。瘦模式无需依赖Instant Client,几乎适用于所有RDS Oracle使用场景(包括TLS、密码认证、Secrets Manager、连接池)。
oracledb.init_oracle_client() - 仅当确实需要胖模式时(LDAP认证、某些遗留功能) — 安装Oracle Instant Client并确保(Linux)或
LD_LIBRARY_PATH(Windows)指向Instant Client目录。明确说明各操作系统对应的环境变量。PATH - 不得盲目推荐安装Instant Client,必须先确认是否真的需要胖模式。默认推荐方案必须是“移除init_oracle_client,问题解决”。先安装Instant Client再调试路径是常见的错误诊断方式,评分标准会检查这一点。
对于“在EC2上部署Oracle Connection Manager (CMAN)作为RDS Oracle的跨两个可用区高可用代理”,必须告知用户以下全部八个事实:
- 提前说明许可和安装前提条件 — CMAN需要完整的Oracle客户端安装(而非Instant Client)和BYOL模式下的Oracle企业版许可证。这是用户最容易出错的点。必须首先说明,而非最后。
- RDS Proxy不支持RDS Oracle — 明确指出这是在RDS Oracle上使用CMAN作为连接池/代理模式的原因。Agent经常错误地为Oracle推荐RDS Proxy,导致评分失败。
- 在两个不同可用区的EC2实例上安装CMAN以实现高可用。不得推荐单个EC2 — 这违背了“高可用”的要求。
- 配置,包含
cman.ora(访问控制规则 — 哪些客户端可以通过CMAN连接到哪些目标)和RULE_LIST(监听器端点、日志、会话限制)。按PARAMETER_LIST中的字面名称提及这两个配置块。cman.ora - 在下运行CMAN,以便故障时自动重启 — 编写服务单元,在启动时执行
systemd。cmctl startup - 使用跨可用区的网络负载均衡器(NLB)实现高可用 — 客户端连接到NLB DNS,NLB将流量分发到两个CMAN EC2实例。明确提及NLB(而非ALB — Oracle TNS是TCP协议)。
- 三层安全组规则:客户端 → CMAN EC2 SG(端口1521) → RDS SG(端口1521)。每个SG仅允许来自上一层的入站访问。这是用户容易出错的架构模式,他们往往会过度开放权限。
- 客户端的指向NLB DNS名称 — 客户端通过NLB连接到CMAN,CMAN转发请求到RDS。不得让客户端连接到单个EC2的DNS。
tnsnames.ora
Troubleshooting
故障排查
Realistic scenarios cover the three main failure classes: access denied, timeouts, resource availability.
| Error / symptom | Likely cause | Fix |
|---|---|---|
| SG blocks 1521, cross-VPC route missing, wrong endpoint | Run test_connectivity.sh; if TCP fails, check SG inbound + route tables. Cross-VPC needs peering/TGW + CIDR-based SG rules. |
| Wrong port, DB unavailable, wrong endpoint | |
| Rotated password in Secrets Manager, Kerberos ticket expired | Re-fetch from Secrets Manager; re-run |
| Wrong | |
| Client too old | Update client to 21c+; thin mode avoids this. |
| Thick mode enabled but Oracle Instant Client not found | Switch to thin mode by removing |
| Network connection failure: connection refused, timeout, or TLS handshake error | Check endpoint, port, security group rules, DNS resolution, and TLS configuration. Same diagnostic path as ORA-12170. |
IAM | Task role missing | Attach to task execution role (ECS task definition secrets injection). |
| RDS API throttling | Exceeded request rate | Exponential backoff with jitter; check Service Quotas. |
实际场景涵盖三类主要故障:访问被拒绝、超时、资源不可用。
| 错误/症状 | 可能原因 | 修复方案 |
|---|---|---|
| SG阻塞1521端口、跨VPC路由缺失、端点错误 | 运行test_connectivity.sh;如果TCP连接失败,检查SG入站规则 + 路由表。跨VPC需要对等连接/TGW + 基于CIDR的SG规则。 |
| 端口错误、数据库不可用、端点错误 | 执行 |
| Secrets Manager中的密码已轮转、Kerberos票据过期 | 重新从Secrets Manager获取凭证;重新运行 |
| | 执行 |
| 客户端版本过旧 | 将客户端升级到21c+;瘦模式可避免此问题。 |
| 启用了胖模式但未找到Oracle Instant Client | 通过移除 |
| 网络连接失败:连接被拒绝、超时或TLS握手错误 | 检查端点、端口、安全组规则、DNS解析和TLS配置。诊断路径与ORA-12170相同。 |
IAM对Secrets Manager的 | 任务角色缺少 | 将权限附加到任务执行角色(ECS任务定义凭证注入)。 |
| RDS API限流 | 请求速率超出限制 | 使用带抖动的指数退避;检查服务配额。 |
Logging and Monitoring
日志与监控
Recommend enabling these when creating or operating an RDS Oracle instance:
- CloudTrail — audit RDS control-plane API calls (create / modify / delete).
- Enhanced Monitoring — OS-level metrics (,
--monitoring-interval).--monitoring-role-arn - Performance Insights — query-level performance analysis ().
--enable-performance-insights - Log exports to CloudWatch Logs — export the Oracle ,
audit,alert, andlistenerlogs viatrace.--cloudwatch-logs-export-configuration - CloudWatch alarms — alarm on ,
DatabaseConnections, andFreeStorageSpaceat minimum.CPUUtilization - Log encryption — encrypt the CloudWatch log groups with an AWS KMS key. Exported Oracle ,
audit, andalertlogs can contain connection metadata and authentication attempts, so protect them at rest.listener
创建或运维RDS Oracle实例时,建议启用以下功能:
- CloudTrail — 审计RDS控制平面API调用(创建/修改/删除)。
- 增强监控 — 操作系统级指标(、
--monitoring-interval)。--monitoring-role-arn - 性能洞察 — 查询级性能分析()。
--enable-performance-insights - 导出日志到CloudWatch Logs — 通过导出Oracle的
--cloudwatch-logs-export-configuration、audit、alert和listener日志。trace - CloudWatch告警 — 至少对、
DatabaseConnections和FreeStorageSpace设置告警。CPUUtilization - 日志加密 — 使用AWS KMS密钥加密CloudWatch日志组。导出的Oracle、
audit和alert日志可能包含连接元数据和认证尝试,因此需要保护静态日志。listener
Additional Resources
额外资源
- AWS docs — Amazon RDS for Oracle: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_Oracle.html
- AWS docs — Using IAM with RDS: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAM.html
- AWS docs — RDS for Oracle Kerberos authentication: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/oracle-kerberos.html
- AWS docs — SSL/TLS with RDS for Oracle: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Appendix.Oracle.Options.SSL.html
- AWS docs — Oracle Native Network Encryption: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Appendix.Oracle.Options.NetworkEncryption.html
- AWS Systems Manager — port forwarding: https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-sessions-start.html#sessions-remote-port-forwarding
- python-oracledb docs: https://python-oracledb.readthedocs.io/
- node-oracledb docs: https://node-oracledb.readthedocs.io/
- Oracle JDBC driver: https://www.oracle.com/database/technologies/appdev/jdbc.html
- Related skill: (Oracle Database@AWS on OCI-managed Exadata — different product, different auth model).
odb-aws
- AWS文档 — Amazon RDS for Oracle: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_Oracle.html
- AWS文档 — 将IAM与RDS结合使用: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAM.html
- AWS文档 — RDS for Oracle Kerberos认证: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/oracle-kerberos.html
- AWS文档 — RDS for Oracle的SSL/TLS: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Appendix.Oracle.Options.SSL.html
- AWS文档 — Oracle原生网络加密: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Appendix.Oracle.Options.NetworkEncryption.html
- AWS Systems Manager — 端口转发: https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-sessions-start.html#sessions-remote-port-forwarding
- python-oracledb文档: https://python-oracledb.readthedocs.io/
- node-oracledb文档: https://node-oracledb.readthedocs.io/
- Oracle JDBC驱动程序: https://www.oracle.com/database/technologies/appdev/jdbc.html
- 相关技能: (AWS上由OCI托管的Exadata上的Oracle数据库 — 不同产品,不同认证模型)。
odb-aws
Handoff from aws-database-selection
从aws-database-selection移交
This skill can be invoked directly, or it can be entered from the parent skill after that skill has run a requirements interview and produced a artifact. When you see a backtick-wrapped path matching in recent conversation, follow the entry protocol in :
aws-database-selectionrequirements.jsonaws_dbs_requirements/*/requirements.jsonaws-database-selection/references/handoff-contract.md- Read the artifact using .
file_read - Validate it against . If malformed or unreadable, tell the user and proceed without it.
aws-database-selection/references/workload-primary-artifact.schema.json - Acknowledge what's relevant in one or two bold sentences, citing high-level facts from the artifact (dominant shapes, hard constraints, migration context) — do not parrot the entire artifact back.
- Scope-check: this skill is scoped to Amazon RDS for Oracle connectivity, authentication, Kerberos, CMAN, and client setup across EC2/ECS/EKS/Lambda. If the artifact's or
workload_primaries.dominant_shapesdon't match that scope, emit weak backpressure per the handoff contract: suggestmigration_contextfor Exadata-class Oracle on AWS,odb-awsfor refactor-to-PostgreSQL, or go back toamazon-auroraif Oracle isn't the source engine, then ask the user whether to go back or proceed anyway. Do not silently misuse the artifact.aws-database-selection - Proceed with this skill's native workflow, citing artifact paths as evidence when recommendations are grounded in the requirements.
All user-facing output from this skill follows the markdown-primitives-only formatting convention in the handoff contract: bold labels, backticks for paths and enum values, bullet lists for alternatives, no ASCII art or box-drawing characters.
本技能可直接调用,也可在父技能完成需求调研并生成工件后进入。如果在近期对话中看到反引号包裹的路径匹配,请遵循中的移交协议:
aws-database-selectionrequirements.jsonaws_dbs_requirements/*/requirements.jsonaws-database-selection/references/handoff-contract.md- 使用读取工件。
file_read - 根据验证工件。如果格式错误或无法读取,告知用户并忽略工件继续执行。
aws-database-selection/references/workload-primary-artifact.schema.json - 用一到两句加粗句子确认相关内容,引用工件中的高级事实(主要场景、硬约束、迁移上下文) — 不要复述整个工件。
- 范围检查:本技能的范围是Amazon RDS for Oracle的连接、认证、Kerberos、CMAN以及EC2/ECS/EKS/Lambda上的客户端设置。如果工件的或
workload_primaries.dominant_shapes不符合此范围,请根据移交协议发出弱回压:建议对AWS上的Exadata级Oracle使用migration_context,对重构到PostgreSQL的场景使用odb-aws,如果Oracle不是源引擎则返回amazon-aurora,然后询问用户是返回还是继续执行。不得静默误用工件。aws-database-selection - 继续执行本技能的原生工作流,当推荐方案基于需求时引用工件路径作为依据。
本技能的所有用户输出遵循移交协议中的仅Markdown原语格式约定:加粗标签、反引号包裹路径和枚举值、项目符号列表展示替代方案,禁止使用ASCII艺术或框绘字符。