- Enable IAM authentication on the existing RDS instance, following the AWS guide "Enabling and Disabling IAM Database Authentication".
- Log in to RDS with the master username and password:

  ```
  mysql -h <RDS_ENDPOINT> --user <MASTER_USERNAME> --password
  ```
- Create users with access to specific databases. The user is created with the AWSAuthenticationPlugin, so it can only authenticate with an IAM token; the grant then scopes it to a single database:

  ```sql
  mysql> CREATE USER <USERNAME> IDENTIFIED WITH AWSAuthenticationPlugin AS 'RDS';
  mysql> GRANT ALL PRIVILEGES ON <DATABASE_NAME>.* TO <USERNAME>;
  ```
- Get the DB resource identifier (`DbiResourceId`, of the form `db-XXXX`) that the IAM policy refers to:

  ```bash
  DB_ID="$(aws rds describe-db-instances --query 'DBInstances[?DBInstanceIdentifier==`<RDS_NAME>`].DbiResourceId' --output text)"
  ```
- Generate the policy and attach it to the IAM user that will connect. The Resource ARN binds the DB resource id to the database user name, so the permission covers exactly one user on one instance:

  ```json
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": ["rds-db:connect"],
        "Resource": ["arn:aws:rds-db:<REGION>:<ACCOUNT_ID>:dbuser:<DB_ID>/<USERNAME>"]
      }
    ]
  }
  ```
- Use the script below to connect to RDS. The temporary token (valid for 15 minutes) is passed as the password; `--enable-cleartext-plugin` is needed because the token is sent as-is by the client:

  ```bash
  #!/bin/bash
  # Get RDS endpoint
  RDS_ENDPOINT="$(aws rds describe-db-instances --query 'DBInstances[?DBInstanceIdentifier==`<RDS_NAME>`].Endpoint.Address' --output text)"
  # Get temporary token for the connection
  TOKEN="$(aws rds generate-db-auth-token --hostname "$RDS_ENDPOINT" --port 3306 --region <REGION> --username <USERNAME> --output text)"
  # Connect to RDS using the token
  mysql --host="$RDS_ENDPOINT" --port=3306 --enable-cleartext-plugin --user="<USERNAME>" --password="$TOKEN"
  ```
- Access to several RDS instances (including instances running in different regions) can be granted in a single IAM policy. Each ARN carries its own instance's region, account id and DB resource id, so `<REGION>` is not necessarily the same value in every entry:

  ```json
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": ["rds-db:connect"],
        "Resource": [
          "arn:aws:rds-db:<REGION>:<ACCOUNT_ID>:dbuser:<DB_ID1>/<USERNAME1>",
          "arn:aws:rds-db:<REGION>:<ACCOUNT_ID>:dbuser:<DB_ID2>/<USERNAME2>",
          "arn:aws:rds-db:<REGION>:<ACCOUNT_ID>:dbuser:<DB_ID3>/<USERNAME3>"
        ]
      }
    ]
  }
  ```

  The database privileges are still set per user on each instance, for example:

  - `<USERNAME1>` can have read-only access to `<DB_ID1>`
  - `<USERNAME2>` can have full admin access to the entire `<DB_ID2>`
  - `<USERNAME3>` can have admin access to a single database only on `<DB_ID3>`
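The following is an added example, not code from the original page: shell helpers that produce the three artefacts the steps above describe, the per-user SQL (step 3), the `rds-db:connect` policy for one or many instances (steps 5 and 7) and the token-based connection (step 6). Function names, the readonly/readwrite/dbadmin role scheme, the CA bundle path and all sample values are assumptions for illustration. It adds two checks the page's commands leave out: `REQUIRE SSL` on the user and `--ssl-mode=VERIFY_IDENTITY` on the client, because the cleartext plugin otherwise sends the token unprotected. `rds_iam_connect` needs real AWS credentials and a MySQL 5.7+ client; the generator functions run offline.

```shell
#!/bin/bash
# Added example, not part of the original page. Function names, role scheme
# and sample values are assumptions for illustration.
set -e

# SQL that provisions one IAM-authenticated MySQL user on a given database.
# REQUIRE SSL is the important line: the auth token passes through the
# cleartext plugin, so TLS is what keeps it off the wire in the clear.
# Usage: iam_user_sql USERNAME ROLE DATABASE   (ROLE = readonly|readwrite|dbadmin)
iam_user_sql() {
  local user="$1" role="$2" db="$3"
  printf "CREATE USER '%s'@'%%' IDENTIFIED WITH AWSAuthenticationPlugin AS 'RDS';\n" "$user"
  printf "ALTER USER '%s'@'%%' REQUIRE SSL;\n" "$user"
  case "$role" in
    readonly)  printf "GRANT SELECT ON %s.* TO '%s'@'%%';\n" "$db" "$user" ;;
    readwrite) printf "GRANT SELECT, INSERT, UPDATE, DELETE ON %s.* TO '%s'@'%%';\n" "$db" "$user" ;;
    dbadmin)   printf "GRANT ALL PRIVILEGES ON %s.* TO '%s'@'%%';\n" "$db" "$user" ;;
    *) echo "iam_user_sql: unknown role '$role'" >&2; return 1 ;;
  esac
}

# The ARN that rds-db:connect authorizes: the instance's DbiResourceId (db-...),
# never its human-readable identifier, joined to the MySQL user name.
rds_db_user_arn() {  # REGION ACCOUNT_ID DB_RESOURCE_ID USERNAME
  printf 'arn:aws:rds-db:%s:%s:dbuser:%s/%s' "$1" "$2" "$3" "$4"
}

# Least-privilege policy: one Resource per REGION:ACCOUNT_ID:DB_RESOURCE_ID:USERNAME
# argument, so every user is pinned to exactly one instance and instances in
# different regions each keep their own region in the ARN.
rds_connect_policy() {
  local entry rest region account dbid user first=1
  printf '{\n  "Version": "2012-10-17",\n  "Statement": [\n    {\n'
  printf '      "Effect": "Allow",\n      "Action": ["rds-db:connect"],\n      "Resource": [\n'
  for entry in "$@"; do
    region="${entry%%:*}"; rest="${entry#*:}"
    account="${rest%%:*}"; rest="${rest#*:}"
    dbid="${rest%%:*}";    user="${rest#*:}"
    [ "$first" -eq 1 ] || printf ',\n'
    first=0
    printf '        "%s"' "$(rds_db_user_arn "$region" "$account" "$dbid" "$user")"
  done
  printf '\n      ]\n    }\n  ]\n}\n'
}

# Resolve the endpoint, mint a token (a SigV4 signature valid for 15 minutes)
# and connect over TLS with server identity verification. Assumes the RDS CA
# bundle has been downloaded to the given path (default ./global-bundle.pem).
# Needs real AWS credentials; the offline checks do not call it.
rds_iam_connect() {  # DB_INSTANCE_IDENTIFIER REGION USERNAME [CA_BUNDLE]
  local id="$1" region="$2" user="$3" ca="${4:-./global-bundle.pem}" endpoint token
  endpoint="$(aws rds describe-db-instances --region "$region" \
      --db-instance-identifier "$id" \
      --query 'DBInstances[0].Endpoint.Address' --output text)"
  token="$(aws rds generate-db-auth-token --hostname "$endpoint" --port 3306 \
      --region "$region" --username "$user")"
  mysql --host="$endpoint" --port=3306 --user="$user" --password="$token" \
      --enable-cleartext-plugin --ssl-mode=VERIFY_IDENTITY --ssl-ca="$ca"
}
```

Typical use is `iam_user_sql app_reader readonly appdb | mysql -h <RDS_ENDPOINT> -u <MASTER_USERNAME> -p` to provision the user, `rds_connect_policy us-east-1:<ACCOUNT_ID>:<DB_ID1>:app_reader eu-west-1:<ACCOUNT_ID>:<DB_ID2>:app_admin > policy.json` to produce the policy document, and `rds_iam_connect <RDS_NAME> us-east-1 app_reader` to connect. Keeping one ARN per user-and-instance pair, rather than a wildcard `dbuser:*/*`, means a leaked IAM credential can reach only the database user it was meant for.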
- The `<USERNAME>` has to be created while logged in with admin privileges.
- Replace the placeholders (`<XXX>`) above with the proper endpoints and names.
- This has been tested on a demo environment.