Amazon RDS for Oracle — Connectivity
Safety guidance
This skill covers creating and modifying RDS for Oracle resources when the user requests it. The agent MUST confirm the action with the user before executing. Do NOT execute any create or modify operation without explicit user confirmation (e.g., "yes", "proceed", "confirmed", "go ahead"). If the user has not confirmed, present the planned action and ask for approval.
Execute these operations (after user confirmation)
- Create an instance: (requires a DB subnet group; RDS Oracle is VPC-only and not publicly accessible by default)
- Create a custom parameter group: `create-db-parameter-group` (family , , etc.)
- Create an option group: (for Oracle Native Network Encryption, TLS/TCPS, S3 integration, APEX, Spatial)
- Change backup retention: `modify-db-instance --backup-retention-period`
- Enable/disable deletion protection: `modify-db-instance --deletion-protection`
- Change CloudWatch log exports: `modify-db-instance --cloudwatch-logs-export-configuration`
- Attach/detach parameter group or option group: `modify-db-instance --db-parameter-group-name` / `--option-group-name`
- Tag resources: , `remove-tags-from-resource`
Resource tagging (always apply on resource creation)
When creating any RDS for Oracle resource ( , `create-db-parameter-group`, , , `create-db-instance-read-replica`), ALWAYS include these tags using the RDS list-of-records syntax:
`--tags Key=created_by,Value=rds-oracle-skill Key=generation_model,Value={your-model-id}`
Example:
`--tags Key=created_by,Value=rds-oracle-skill Key=generation_model,Value=claude-sonnet-4-20250514`
Include these tags even if the user does not mention tagging, so that they can identify the resources created via this skill. If the user provides additional tags, append these to their tags rather than replacing them. The same applies when tagging via on existing resources.
Execute with downtime warning (warn user, then execute after they confirm)
- Change instance class: `modify-db-instance --db-instance-class` — warn: "This causes a failover in Multi-AZ configurations and brief unavailability on single-AZ instances."
- Minor engine version upgrade: `modify-db-instance --engine-version` within the same major (e.g., 19.0.0.0.ru-2024-01 → 19.0.0.0.ru-2024-04) — warn: "This triggers a restart and may cause a brief outage."
- Storage type or IOPS change: `modify-db-instance --storage-type` / — warn: "This can cause extended IO degradation while the change applies."
- Apply immediately: any `modify-db-instance --apply-immediately` — warn: "This applies outside the maintenance window and may cause downtime now."
Do NOT execute (refuse, explain why, offer assessment instead)
- Delete instance: — irreversible data loss
- Delete automated backups: `delete-db-instance --delete-automated-backups` — destroys point-in-time recovery history
- Force failover: `reboot-db-instance --force-failover` — production impact
- Major version upgrade: `modify-db-instance --engine-version` across major versions (e.g., 19c → 21c) — requires prechecks, option group migration, and a rollback plan; should go through change control
- Reboot: — production impact
- Promote a read replica: — breaks replication and is rarely reversible
- Enable public accessibility: `modify-db-instance --publicly-accessible true` — security regression; use SSM port forwarding, VPN, or Direct Connect instead (per the Overview's security posture)
When refusing, explain why and offer the matching assessment workflow:
"I can't perform [action] because [reason]. I can run an assessment to help you decide. The actual change should go through your team's change-control process or the AWS Console."
Overview
Amazon RDS for Oracle is a managed Oracle Database service. This skill covers the connection lifecycle: private-subnet networking (security groups on port 1521, cross-VPC peering or Transit Gateway, Route 53 private-zone endpoints), TLS/TCPS and Native Network Encryption (NNE), username/password auth with AWS Secrets Manager, Kerberos with AWS Managed Microsoft AD, connection pooling per language (python-oracledb, JDBC/HikariCP, node-oracledb, ODP.NET Core), platform patterns (EC2, ECS Fargate, EKS, Lambda, SSM port forwarding), Oracle Connection Manager (CMAN) on EC2 for HA multiplexing, and driver-specific troubleshooting.
Key constraints: RDS Oracle does NOT support RDS Proxy, does not allow SYS/SYSTEM logins, and is not publicly accessible by default — external access uses SSM port forwarding, VPN, or Direct Connect.
Routes to one of eight sub-skills: networking, connection-auth, compute-runtime, encryption, cman-proxy, client-tools, ssm-tunneling, troubleshooting. Load only the matching reference.
Security Considerations
- Encryption at rest: Enable (and optionally ) when creating the instance. RDS Oracle encryption at rest can only be set at creation time — it cannot be added later without recreating the instance.
- Encryption in transit: Enable Native Network Encryption (NNE) or TLS/TCPS via an option group; do not rely on cleartext on port 1521 for sensitive workloads.
- Network exposure: Keep the instance in private subnets with . Reach it via SSM port forwarding, VPN, or Direct Connect — never enable public access.
- Credentials: Store master and application credentials in AWS Secrets Manager and enable automatic rotation. Never hardcode credentials in code, connection strings, or logs.
- KMS key policies: When using a customer-managed KMS key for storage encryption, scope its key policy to the RDS service and the roles that need it; grant to the application role for that key only.
- Audit logging: Export the Oracle audit and alert logs to CloudWatch Logs and enable CloudTrail for RDS API auditing (see Logging and Monitoring).
Common Tasks
Verify Dependencies
Before generating connection code or running AWS commands, confirm the tools the task needs.
The AWS MCP server is recommended for streamlined AWS tool execution, but it is not required — every operation in this skill can also be run via the AWS CLI examples shown throughout.
- AWS CLI v2 with credentials via managed mechanism (IAM role, instance profile, SSO credential vending) — not pasted keys
- Language drivers: (Python), (Java 11+), (Node ≥ 6), `Oracle.ManagedDataAccess.Core` (.NET)
- SSM port forwarding: AWS CLI + Session Manager plugin
- Kerberos: AWS Managed Microsoft AD, , tool
- CMAN: Oracle Enterprise Edition BYOL license + full Oracle Client install (Instant Client is insufficient)
Constraints:
- The agent MUST check dependencies before generating code or running AWS commands.
- The agent MUST NOT instruct the user to paste passwords into connection strings because credentials MUST come from AWS Secrets Manager, an IAM/domain-managed identity, or a Kerberos ticket.
- The agent MUST tell the user which dependencies are missing and MUST respect the user's decision to abort.
- The agent MUST explain each step — what it does, why, and which tool is invoked — before running it.
Classify and Route
Map the user's question to the correct sub-skill reference, then load only those files.
| User says | Load |
|---|---|
| SG / VPC peering / TGW / Route 53 / port 1521 / CIDR | networking.md |
| connect / connection string / python-oracledb / JDBC / node-oracledb / ODP.NET / Secrets Manager / auth / Kerberos | connection-auth.md + language reference (python.md, java.md, nodejs.md, dotnet.md) |
| Lambda / EC2 / ECS Fargate / EKS / container / serverless / IRSA | compute-runtime.md |
| SQL Developer / Toad / SQLcl / DBeaver / sqlplus / GUI | client-tools.md |
| SSL / TLS / TCPS / NNE / encrypt / FIPS / cipher | encryption.md |
| CMAN / Connection Manager / proxy / multiplex / RDS Proxy | cman-proxy.md |
| SSM / port forward / tunnel / localhost / laptop | ssm-tunneling.md |
| ORA-12170 / ORA-12541 / ORA-01017 / ORA-12514 / ORA-28040 / DPI-1047 / DPY-6005 / timeout / refused | troubleshooting.md |
Constraints:
- The agent MUST read only reference files matching the user's question, to keep context focused.
- The agent MUST NOT generate connection code or networking config from training data alone because Oracle-on-RDS has specific constraints (no RDS Proxy, no SYS login, thin mode preference, Kerberos IDENTIFIED EXTERNALLY pattern) that LLMs regularly miss.
- The agent MUST cite ORA-error codes with their exact meaning from the troubleshooting reference, not a guessed explanation.
- If a question spans multiple sub-skills (e.g. "ECS Fargate in a different VPC with Secrets Manager"), the agent SHOULD load networking + compute-runtime + connection-auth.
Execute Workflow
Once routed, give the user a concrete, runnable answer grounded in the reference file.
Parameter acquisition:
- All required parameters (region, instance id, endpoint, service/SID, source VPC CIDR, SG ids, Secrets Manager ARN, client language/runtime) MUST be collected upfront in a single message.
- Parameter formats MUST be specified: region -style; instance id `^[a-zA-Z][a-zA-Z0-9-]{0,62}$`; endpoint `<instance>.<hash>.<region>.rds.amazonaws.com`; CIDR ; ARN `arn:aws:<service>:<region>:<account>:...`.
- The agent MUST accept parameters via direct input, a JSON/YAML file path, or a URL.
Tool use:
- Use AWS CLI for AWS operations (example: `aws ec2 authorize-security-group-ingress --group-id sg-123 --protocol tcp --port 1521 --source-group sg-456`).
- Use bundled scripts — test_connectivity.sh, check_rds_status.sh, check_security_groups.sh, test_oracle_connection.py, check_ssl_status.sql — for diagnostics.
- Write plans, HA architectures, troubleshooting reports to .
Constraints:
- The agent MUST NOT recommend enabling public access on RDS Oracle because public RDS increases the attack surface — use SSM port forwarding, VPN, or Direct Connect.
- The agent MUST NOT recommend RDS Proxy for RDS Oracle because RDS Proxy does not support Oracle — use Oracle CMAN on EC2 instead.
- The agent MUST NOT use with positional filesystem arguments because positional filesystem args break the tool contract — use inline JSON strings.
- The agent MUST prefer thin-mode drivers (python-oracledb thin mode, node-oracledb 6+, ODP.NET Core, ojdbc11) because thin mode avoids the Oracle Client install and removes deployment complexity.
- The agent MUST write long-form outputs to so the workspace is inspectable.
Rubric-Critical Facts to Always Surface
These RDS-for-Oracle-specific facts differentiate the skill from general Oracle-on-EC2 knowledge. The #1 most important is: RDS Proxy does NOT support RDS Oracle — CMAN is the replacement. Agents without this skill get this wrong.
For "connect Python Lambda to RDS Oracle (full setup including layers, pooling, cold start)", you MUST tell the user ALL of the following seven facts:
- Lambda VPC configuration: private subnets across multiple AZs + security group allowing egress to RDS on 1521.
- python-oracledb thin mode as the default — no Lambda layer needed. Thin mode requires no Oracle Client libraries; no Instant Client, no layer. Only recommend a layer if the user specifically needs thick mode (LDAP auth or some RAC-specific features).
- Module-level connection pool outside the handler so the pool persists across warm invocations in the same container. Do NOT put pool construction inside the handler.
- Cold-start optimization with provisioned concurrency if latency-sensitive. Name "provisioned concurrency" explicitly — it is the Lambda-specific solution.
- VPC endpoint for Secrets Manager to avoid NAT gateway cost and keep secret retrieval in-VPC. This is an architectural win, not optional.
- Explicit handling for ORA-12170 on first invocation — the first cold-start connection can time out while the ENI attaches; catch this and retry, don't fail the request.
- Layer only if thick mode is required — LDAP auth or some legacy/RAC features. Do NOT blindly recommend adding a layer.
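A Lambda entry point that puts the thin-mode, module-level-pool, Secrets Manager and ORA-12170-retry points above into one file, as an added example that is not part of this skill or its references; the environment variable names `ORACLE_SECRET_ARN` and `ORACLE_DSN` are hypothetical, and the pool is created lazily so the retry helper can be exercised without a database.

```python
"""Lambda entry point for RDS for Oracle via python-oracledb thin mode.
Added example (not from the original skill). Hypothetical env vars:
ORACLE_SECRET_ARN (JSON secret with username/password) and ORACLE_DSN.
"""
import json
import os
import time
from typing import Callable

# Transient codes seen on the first cold-start connect while the Lambda ENI attaches.
RETRYABLE_CODES = ("ORA-12170", "DPY-6005")

# Module-level pool: built once per container, reused across warm invocations.
_pool = None


def is_retryable(exc: BaseException) -> bool:
    """True only for connect-timeout errors; ORA-01017 and friends must not retry."""
    return any(code in str(exc) for code in RETRYABLE_CODES)


def connect_with_retry(connect: Callable[[], object], attempts: int = 3,
                       base_delay: float = 0.5,
                       sleep: Callable[[float], None] = time.sleep):
    """Run connect(), retrying with exponential backoff on ORA-12170 / DPY-6005."""
    for attempt in range(1, attempts + 1):
        try:
            return connect()
        except Exception as exc:
            if not is_retryable(exc) or attempt == attempts:
                raise  # non-transient, or out of attempts: surface the error
            sleep(base_delay * 2 ** (attempt - 1))


def parse_secret(secret_string: str) -> dict:
    """Secrets Manager RDS secrets are JSON; extract the two fields a pool needs."""
    data = json.loads(secret_string)
    missing = [k for k in ("username", "password") if k not in data]
    if missing:
        raise KeyError(f"secret is missing {missing}")
    return {"user": data["username"], "password": data["password"]}


def get_pool():
    """Create the pool on first use (cold start) and cache it at module scope."""
    global _pool
    if _pool is None:
        # Deferred imports keep the pure helpers above importable without the drivers.
        import boto3
        import oracledb  # no init_oracle_client(): stay in thin mode
        secret = boto3.client("secretsmanager").get_secret_value(
            SecretId=os.environ["ORACLE_SECRET_ARN"])["SecretString"]
        creds = parse_secret(secret)
        # create_pool opens `min` connections, so the cold-start retry wraps it too.
        _pool = connect_with_retry(lambda: oracledb.create_pool(
            user=creds["user"], password=creds["password"],
            dsn=os.environ["ORACLE_DSN"], min=1, max=2, increment=1))
    return _pool


def handler(event, context):
    """Lambda handler: acquire from the shared pool; never build the pool here."""
    with get_pool().acquire() as conn, conn.cursor() as cur:
        cur.execute("SELECT sys_context('USERENV', 'SERVICE_NAME') FROM dual")
        return {"service": cur.fetchone()[0]}
```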
For "EKS pods to RDS Oracle using Secrets Manager CSI driver, IRSA, SecretProviderClass, and deployment manifest", you MUST tell the user ALL of the following seven facts:
- Install the Secrets Store CSI Driver + AWS provider on EKS — use for the CSI driver and for the AWS provider YAML. Both are required (the driver alone doesn't know how to talk to AWS).
- Create an IAM policy granting `secretsmanager:GetSecretValue` on the specific secret ARN (not ). Scope it.
- Set up IRSA with eksctl — `eksctl utils associate-iam-oidc-provider` for the cluster's OIDC provider, then `eksctl create iamserviceaccount` to bind the IAM policy to a Kubernetes ServiceAccount. Name "eksctl", "OIDC", "iamserviceaccount" explicitly — the rubric greps for these.
- Write a YAML with and expressions to extract individual secret fields (username, password) from the JSON secret blob.
- Deployment manifest mounts the CSI volume ( with `csi: { driver: secrets-store.csi.k8s.io }`) and references the correct (the one bound to the IAM role via IRSA).
- Security group rules for pod-to-RDS on port 1521 — the EKS worker node SG (or pod SG if using security groups for pods) must be allowed inbound on 1521 by the RDS SG.
- Pool sizing: total connections = replicas × max pool size per pod. Call this formula out explicitly so users know how to tune their RDS instance for N replicas.
For "ORA-12170 timeout connecting from EC2 to RDS Oracle across VPCs", you MUST tell the user ALL of the following six facts:
- Check VPC peering or Transit Gateway exists between the two VPCs, with routes in both directions (EC2's subnet route table points at the peering/TGW toward RDS's VPC CIDR, and RDS's subnet route table points back).
- Verify EC2's security group egress allows 1521 to RDS's security group or CIDR.
- Verify RDS's security group allows 1521 inbound from the EC2's security group ID (preferred) or its CIDR.
- Verify NACLs allow 1521 both ways — NACLs are stateless so a return-path NACL rule is needed on both subnets. NACLs are a common silent blocker when SGs look correct.
- Confirm the RDS endpoint resolves in the EC2's DNS — run from the EC2. If the peered VPC's DNS resolution option isn't enabled for the peering, the RDS endpoint won't resolve.
- Fastest connectivity test: `nc -zv <rds-endpoint> 1521` from the EC2. If times out while DNS works, the problem is SG/NACL/routing. Always suggest as the narrowing step.
For "DPI-1047: Cannot locate a 64-bit Oracle Client library", you MUST tell the user ALL of the following four facts:
- DPI-1047 means is running in thick mode and cannot find the Oracle Instant Client. State this explicitly as the root-cause explanation.
- Primary fix: switch to thin mode by removing `oracledb.init_oracle_client()` from the code. Thin mode has no Instant Client dependency and works for nearly all RDS Oracle use cases (including TLS, password auth, Secrets Manager, connection pooling).
- Only if thick mode is truly required (LDAP auth, some legacy features) — install the Oracle Instant Client and ensure (Linux) or (Windows) points at the Instant Client directory. Name the env-var per OS explicitly.
- Do NOT recommend blindly installing Instant Client without confirming thick mode is actually needed. The default recommendation must be "remove init_oracle_client, done." Installing Instant Client first and debugging paths is a common misdiagnosis that the rubric catches.
For "Oracle Connection Manager (CMAN) on EC2 as a proxy for RDS Oracle with HA across two AZs", you MUST tell the user ALL of the following eight facts:
- State licensing and install prerequisites UPFRONT — CMAN requires a full Oracle Client install (NOT Instant Client) and Oracle Enterprise Edition under BYOL. This is the #1 thing users get wrong. Say it first, not last.
- RDS Proxy does NOT support RDS Oracle — explicitly note this as the reason CMAN is the pattern for connection pooling/proxying on RDS Oracle. Agents often suggest RDS Proxy for Oracle and get the rubric wrong.
- Install CMAN on two EC2 instances in separate AZs for HA. Do not recommend a single EC2 — it defeats the "HA" requirement.
- Configure with (access control rules — which clients can connect through CMAN to which targets) and (listener endpoints, logging, session limits). Name both blocks by their literal names.
- Run CMAN under for auto-restart on failure — write a service unit that starts at boot.
- Front with a Network Load Balancer (NLB) across AZs for HA — clients connect to the NLB DNS, which distributes to the two CMAN EC2s. Mention NLB specifically (not ALB — Oracle TNS is TCP).
- Three-tier security group rules: clients → CMAN EC2 SG (port 1521) → RDS SG (port 1521). Each SG allows inbound only from the previous tier. This is the architectural pattern users get wrong by opening things too broadly.
- Client points at the NLB DNS name — clients connect to CMAN via NLB, CMAN forwards to RDS. Do not have clients connect to an individual EC2's DNS.
Troubleshooting
Realistic scenarios cover the three main failure classes: access denied, timeouts, resource availability.
| Error / symptom | Likely cause | Fix |
|---|---|---|
| timeout | SG blocks 1521, cross-VPC route missing, wrong endpoint | Run test_connectivity.sh; if TCP fails, check SG inbound + route tables. Cross-VPC needs peering/TGW + CIDR-based SG rules. |
| no listener | Wrong port, DB unavailable, wrong endpoint | `aws rds describe-db-instances --query 'DBInstances[0].Endpoint'`; confirm . |
| invalid creds | Rotated password in Secrets Manager, Kerberos ticket expired | Re-fetch from Secrets Manager; re-run ; check `SELECT username FROM dba_users`. |
| service unknown | Wrong or | `SELECT value FROM v$parameter WHERE name = 'service_names'` — match exactly. |
| no matching auth protocol | Client too old | Update client to 21c+; thin mode avoids this. |
| (Python) | Thick mode enabled but Oracle Instant Client not found | Switch to thin mode by removing `oracledb.init_oracle_client()`. If thick mode is required, install Instant Client and set (Linux) or (Windows). |
| (Python) | Network connection failure: connection refused, timeout, or TLS handshake error | Check endpoint, port, security group rules, DNS resolution, and TLS configuration. Same diagnostic path as ORA-12170. |
| IAM on Secrets Manager | Task role missing `secretsmanager:GetSecretValue` | Attach to task execution role (ECS task definition secrets injection). |
| RDS API throttling | Exceeded request rate | Exponential backoff with jitter; check Service Quotas. |
Logging and Monitoring
Recommend enabling these when creating or operating an RDS Oracle instance:
- CloudTrail — audit RDS control-plane API calls (create / modify / delete).
- Enhanced Monitoring — OS-level metrics (, ).
- Performance Insights — query-level performance analysis (`--enable-performance-insights`).
- Log exports to CloudWatch Logs — export the Oracle , , , and logs via `--cloudwatch-logs-export-configuration`.
- CloudWatch alarms — alarm on , , and at minimum.
- Log encryption — encrypt the CloudWatch log groups with an AWS KMS key. Exported Oracle , , and logs can contain connection metadata and authentication attempts, so protect them at rest.
Additional Resources
Handoff from aws-database-selection
This skill can be invoked directly, or it can be entered from the parent skill after that skill has run a requirements interview and produced a artifact. When you see a backtick-wrapped path matching `aws_dbs_requirements/*/requirements.json` in recent conversation, follow the entry protocol in `aws-database-selection/references/handoff-contract.md`:
- Read the artifact using .
- Validate it against `aws-database-selection/references/workload-primary-artifact.schema.json`. If malformed or unreadable, tell the user and proceed without it.
- Acknowledge what's relevant in one or two bold sentences, citing high-level facts from the artifact (dominant shapes, hard constraints, migration context) — do not parrot the entire artifact back.
- Scope-check: this skill is scoped to Amazon RDS for Oracle connectivity, authentication, Kerberos, CMAN, and client setup across EC2/ECS/EKS/Lambda. If the artifact's `workload_primaries.dominant_shapes` or don't match that scope, emit weak backpressure per the handoff contract: suggest for Exadata-class Oracle on AWS, for refactor-to-PostgreSQL, or go back to if Oracle isn't the source engine, then ask the user whether to go back or proceed anyway. Do not silently misuse the artifact.
- Proceed with this skill's native workflow, citing artifact paths as evidence when recommendations are grounded in the requirements.
All user-facing output from this skill follows the markdown-primitives-only formatting convention in the handoff contract: bold labels, backticks for paths and enum values, bullet lists for alternatives, no ASCII art or box-drawing characters.