IAM Authentication for RDS

RDS Authentication via IAM User/Role

  1. Enable IAM authentication on the existing RDS instance, following the AWS documentation: Enabling and Disabling IAM Database Authentication

  2. Log in to RDS with the master username and password.

    mysql -h <RDS_ENDPOINT> --user <MASTER_USERNAME> --password
  3. Create users with access to specific databases using the commands below:

    mysql> CREATE USER <USERNAME> IDENTIFIED WITH AWSAuthenticationPlugin AS 'RDS';
    mysql> GRANT ALL PRIVILEGES ON <DATABASE_NAME>.* TO <USERNAME>;
  4. Get the DB resource ID (DbiResourceId) needed for the IAM policy:

    DB_ID="$(aws rds describe-db-instances --query 'DBInstances[?DBInstanceIdentifier==`<RDS_NAME>`].DbiResourceId' --output text)"
  5. Generate the policy and attach it to the IAM user:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "rds-db:connect"
                ],
                "Resource": [
                    "arn:aws:rds-db:<REGION>:<ACCOUNT_ID>:dbuser:<DB_ID>/<USERNAME>"
                ]
            }
        ]
    }
  6. Use the script below to connect to RDS:

    #!/bin/bash
    
    # Get RDS endpoint
    RDS_ENDPOINT="$(aws rds describe-db-instances --query 'DBInstances[?DBInstanceIdentifier==`<RDS_NAME>`].Endpoint.Address' --output text)"
    
    # Get a temporary authentication token (valid for 15 minutes)
    TOKEN="$(aws rds generate-db-auth-token --hostname "$RDS_ENDPOINT" --port 3306 --region <REGION> --username <USERNAME> --output text)"
    
    # Connect to RDS using the TOKEN as the password.
    # The cleartext plugin sends the token as-is, so the connection must use SSL/TLS.
    mysql --host="$RDS_ENDPOINT" --port=3306 --enable-cleartext-plugin --user="<USERNAME>" --password="$TOKEN"

Notes

  • You can grant access to more RDS instances (running in different regions) in a single IAM policy:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "rds-db:connect"
                ],
                "Resource": [
                    "arn:aws:rds-db:<REGION>:<ACCOUNT_ID>:dbuser:<DB_ID1>/<USERNAME1>",
                    "arn:aws:rds-db:<REGION>:<ACCOUNT_ID>:dbuser:<DB_ID2>/<USERNAME2>",
                    "arn:aws:rds-db:<REGION>:<ACCOUNT_ID>:dbuser:<DB_ID3>/<USERNAME3>"
                ]
            }
        ]
    }
    • USERNAME1 can have read only access to DB_ID1
    • USERNAME2 can have full admin access to entire DB_ID2
    • USERNAME3 can have admin access to DB_ID3 for single database only.
  • The <USERNAME> must be created by a database user with admin privileges.

  • Add the proper endpoints/names in the placeholders (<XXX>) given above.

  • This has been tested on a demo environment.
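
As an added example (not part of the original gist), the shell function below prints the policy from step 5 and from the multi-instance note for any number of `REGION:DB_ID:USERNAME` entries, refusing wildcards and instance names passed in place of the DbiResourceId. The function name, the entry format, the validation rules and the sample values are assumptions made for this example.

```shell
#!/bin/bash
# Added example (not from the original gist): print an rds-db:connect policy
# for one or more REGION:DB_ID:USERNAME entries. Makes no AWS calls.

err() { echo "rds_connect_policy: $1" >&2; }

rds_connect_policy() {
    local account_id="$1" resources="" sep="" entry region rest db_id user
    local nl='
'
    [ "$#" -gt 1 ] || { err "usage: ACCOUNT_ID REGION:DB_ID:USERNAME..."; return 1; }
    shift
    # AWS account IDs are exactly 12 digits.
    case "$account_id" in *[!0-9]*) err "bad account id"; return 1 ;; esac
    [ "${#account_id}" -eq 12 ] || { err "bad account id"; return 1; }

    for entry in "$@"; do
        region="${entry%%:*}"; rest="${entry#*:}"
        db_id="${rest%%:*}"; user="${rest#*:}"
        case "$region" in ''|*[!a-z0-9-]*) err "bad region in '$entry'"; return 1 ;; esac
        # Assumption: the DbiResourceId from step 4 looks like db-<UPPERCASE/DIGITS>.
        # This rejects the instance name and a "*" in the resource-ID position.
        case "$db_id" in db-?*) ;; *) err "bad DB_ID in '$entry'"; return 1 ;; esac
        case "${db_id#db-}" in *[!A-Z0-9]*) err "bad DB_ID in '$entry'"; return 1 ;; esac
        # Assumption: database user names use only these characters. The allow-list
        # rejects "*" and "?", so each ARN names exactly one database user.
        case "$user" in ''|*[!A-Za-z0-9_.-]*) err "bad USERNAME in '$entry'"; return 1 ;; esac
        resources="${resources}${sep}                \"arn:aws:rds-db:${region}:${account_id}:dbuser:${db_id}/${user}\""
        sep=",${nl}"
    done

    printf '{\n    "Version": "2012-10-17",\n    "Statement": [\n        {\n'
    printf '            "Effect": "Allow",\n            "Action": ["rds-db:connect"],\n'
    printf '            "Resource": [\n%s\n            ]\n        }\n    ]\n}\n' "$resources"
}

# Constructed sample values, not a real account or instance.
rds_connect_policy 123456789012 "us-east-1:db-ABCDEFGHIJKL01234:app_ro"
```

Redirect the output to a file and attach it as in step 5; a non-zero exit status means an entry was rejected and no policy was printed.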