Select Page

AWS IAM to Authenticate Against RDS Instances & Aurora Clusters

Shailesh Rangani | | February 26, 2020

You can use IAM DB authentication to authenticate your RDS instance or Aurora cluster without a password. It uses an AWS-generated token for authentication. It works for PostgreSQL and MySQL databases on RDS.

 
In the traditional method, if you want your application to talk to the database, you need a password. For many organizations, there is a JSOX requirement for rotating passwords periodically, but this task can be tedious since you’ll need to update your application configuration and test the application every time.

What if there is a feature that generates a random password, authenticates to the database and this password is only valid for a few minutes? That can be achieved against amazon RDS and Aurora clusters using IAM options!

These IAM tokens are generated and managed by AWS and they have a lifespan of 15 minutes, hence not needing to worry about password resets to meet your auditing requirement. Even if this not an auditing requirement, this can help you in avoiding unnecessary logins to the production database. IAM authenticate database via SSL so all data transmitted from application to the database are encrypted.

Let’s dig into the authentication to PostgreSQL RDS using AWS IAM.

Below are high-level steps on implementation:

1. Enable IAM authentication at RDS level

Use below “aws cli” option or AWS console to enable IAM authentication for a given instance. If you are running on the Aurora cluster, enabling this option at the cluster level will automatically apply this configuration to all its instances.

where datavail_instance can be an Aurora cluster or an RDS instance.

2. Create IAM policy

The below example policy allows an IAM user to connect to a DB instance using IAM database authentication.

121212121212: is AWS account number.

XYXYXYXYXYXYXYXYXYXYXYXYXY: is the database resource ID (in case of RDS) or cluster resource ID (in case of Aurora).

datavail_app_user: is database username for which you want IAM auth to be enabled.

3. Attached policy to AIM user or AWS resources

Create IAM policy and attached to AWS resources where your application is hosted (i.e. EC2 instance, ECS, etc.). You can also attach this policy to the respective IAM user, in this case, you will have to use access key ID and secret key on EC2 instance where your application is running.

4. Create a database user

Now create a database-level user (let’s say datavail_app_user), you do not need to provide a password for this user while creating this.

Below is an example of PostgreSQL. Refer to this link for MySQL options.

PostgreSQL:

5. Client-side certificate configuration

Download the client-side certificate bundle file here. If you are using a 2015-root certificate, it expires in 2020, refer my previous blog to rotate them to the 2019 version.

6. Manual Validation

Before jumping to connectivity from application to database, it’s advisable to validate that the token is generated successfully, and connectivity works as expected. Just as side note, if you see the token generated by policy granted to IAM user vs policy granted to AWS resources (i.e. EC2, ECS, etc.), you will find the difference in token length. The token generated via assumed role is bigger in length.

This should get you in the database. As mentioned, this token is valid for 15 minutes and expires automatically after that.

7. Sample Application code

The below is a sample working application code from Python and Go to validate IAM authentication against RDS/Aurora for your reference.

Python:

Go Lang:

Recommendation

IAM authentication should be used for that application workload:

1. Which can be easily re-triable

2. For which number of connections required are less than 256 per second

Final Thoughts

IAM authentication comes with numerous benefits like in-transit application encrypted traffic to RDS, auditing requirement of password rotations, centrally managing database access for all individual databases, instead of managing them individually; and using IAM profile credential of that EC2 instance (if the application is hosted on EC2 instance) to generate token and connect instead of using password. Datavail is a Certified AWS Partner that can  help you analyze and transition your application workload to use IAM authentication for RDS. Contact us to learn more.

Subscribe to Our Blog

Never miss a post! Stay up to date with the latest database, application and analytics tips and news. Delivered in a handy bi-weekly update straight to your inbox. You can unsubscribe at any time.

ORA-12154: TNS:could not resolve the connect identifier specified

Most people will encounter this error when their application tries to connect to an Oracle database service, but it can also be raised by one database instance trying to connect to another database service via a database link.

Jeremiah Wilton | March 4, 2009

12c Upgrade Bug with SQL Tuning Advisor

Learn the steps to take on your Oracle upgrade 11.2 to 12.1 if you’re having performance problems. Oracle offers a patch and work around to BUG 20540751.

Megan Elphingstone | March 22, 2017

Recover a Table from an RMAN Backup in an Oracle 12c

This blog post will is to show a table restore for one table in a container database.

Megan Elphingstone | February 2, 2017

Work with Us

Let’s have a conversation about what you need to succeed and how we can help get you there.

CONTACT US

Work for Us

Where do you want to take your career? Explore exciting opportunities to join our team.

EXPLORE JOBS