Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
IAM Authentication for RDS

RDS Authentication via IAM User/Role

  1. Enable IAM Authentication in existing RDS using the link here: Enabling and Disabling IAM Database Authentication

  2. Login to RDS with master username password.

    mysql -h <RDS_ENDPOINT> --user <MASTER_USERNAME> --password
  3. Create Users with specific database access using the below commands:

    mysql> CREATE USER <USERNAME> IDENTIFIED WITH AWSAuthenticationPlugin AS 'RDS';
    mysql> grant all privileges on <DATABASE_NAME>.* to <USERNAME> IDENTIFIED WITH AWSAuthenticationPlugin AS 'RDS';
  4. Get the DB Identifier for IAM policy generation:

    DB_ID="$(aws rds describe-db-instances --query 'DBInstances[?DBInstanceIdentifier==`<RDS_NAME>`].DbiResourceId' --output text)"
  5. Generate and Attach the policy for the IAM user:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "rds-db:connect"
                ],
                "Resource": [
                    "arn:aws:rds-db:<REGION>:<ACCOUNT_ID>:dbuser:<DB_ID>/<USERNAME>"
                ]
            }
        ]
    }
  6. Use the below script to connect to the RDS:

    #!/bin/bash
    
    # Get RDS endpoint
    RDS_ENDPOINT="$(aws rds describe-db-instances --query 'DBInstances[?DBInstanceIdentifier==`<RDS_NAME>`].Endpoint.Address' --output text)"
    
    # Get Temporary Token for Connection
    TOKEN="$(aws rds generate-db-auth-token --hostname $RDS_ENDPOINT --port 3306 --region <REGION> --username <USERNAME> --output text)"
    
    # Connect to RDS using the TOKEN
    mysql --host="$RDS_ENDPOINT" --port=3306 --enable-cleartext-plugin --user="<USERNAME>" --password="$TOKEN"

Notes

  • You can add access for more RDS instances (running in different regions) in a single IAM policy

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "rds-db:connect"
                ],
                "Resource": [
                    "arn:aws:rds-db:<REGION>:<ACCOUNT_ID>:dbuser:<DB_ID1>/<USERNAME1>",
                    "arn:aws:rds-db:<REGION>:<ACCOUNT_ID>:dbuser:<DB_ID2>/<USERNAME2>",
                    "arn:aws:rds-db:<REGION>:<ACCOUNT_ID>:dbuser:<DB_ID3>/<USERNAME3>"
                ]
            }
        ]
    }
    • USERNAME1 can have read only access to DB_ID1
    • USERNAME2 can have full admin access to entire DB_ID2
    • USERNAME3 can have admin access to DB_ID3 for single database only.
  • The <USERNAME> has to be created via admin privileges.

  • Add the proper endpoints/names in the placeholders (<XXX>) given above.

  • This has been tested on a demo environment.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.