IAM database authentication for MariaDB, MySQL, and PostgreSQL (original) (raw)

You can authenticate to your DB instance using AWS Identity and Access Management (IAM) database authentication. IAM database authentication works with MariaDB, MySQL, and PostgreSQL. With this authentication method, you don't need to use a password when you connect to a DB instance. Instead, you use an authentication token.

An authentication token is a unique string of characters that Amazon RDS generates on request. Authentication tokens are generated using AWS Signature Version 4. Each token has a lifetime of 15 minutes. You don't need to store user credentials in the database, because authentication is managed externally using IAM. You can also still use standard database authentication. The token is only used for authentication and doesn't affect the session after it is established.

IAM database authentication provides the following benefits:

• Network traffic to and from the database is encrypted using Secure Socket Layer (SSL) or Transport Layer Security (TLS). For more information about using SSL/TLS with Amazon RDS, see Using SSL/TLS to encrypt a connection to a DB instance or cluster.
• You can use IAM to centrally manage access to your database resources, instead of managing access individually on each DB instance.
• For applications running on Amazon EC2, you can use profile credentials specific to your EC2 instance to access your database instead of a password, for greater security.

In general, consider using IAM database authentication when your applications create fewer than 200 connections per second, and you don't want to manage usernames and passwords directly in your application code.

The Amazon Web Services (AWS) JDBC Driver supports IAM database authentication. For more information, seeAWS IAM Authentication Plugin in the Amazon Web Services (AWS) JDBC Driver GitHub repository.

The Amazon Web Services (AWS) Python Driver supports IAM database authentication. For more information, seeAWS IAM Authentication Plugin in the Amazon Web Services (AWS) Python Driver GitHub repository.

Navigate through the following topics to learn the process to set IAM for DB authentication:

• Enabling and disabling IAM database authentication
• Creating and using an IAM policy for IAM database access
• Creating a database account using IAM authentication
• Connecting to your DB instance using IAM authentication

Region and version availability

Feature availability and support varies across specific versions of each database engine. For more information on engine, version, and Region availability with Amazon RDS and IAM database authentication, see Supported Regions and DB engines for IAM database authentication in Amazon RDS.

CLI and SDK support

IAM database authentication is available for the AWS CLI and for the following language-specific AWS SDKs:

• AWS SDK for .NET
• AWS SDK for C++
• AWS SDK for Go
• AWS SDK for Java
• AWS SDK for JavaScript
• AWS SDK for PHP
• AWS SDK for Python (Boto3)
• AWS SDK for Ruby

Limitations for IAM database authentication

When using IAM database authentication, the following limitations apply:

• IAM database authentication throttles connections at 200 connections per second.
  Connections that use the same authentication token are not throttled. We recommend that you reuse authentication tokens when possible.
• Currently, IAM database authentication doesn't support all global condition context keys.
  For more information about global condition context keys, see AWS global condition context keys in the_IAM User Guide_.
• For PostgreSQL, if the IAM role (rds_iam) is added to a user (including the RDS master user), IAM authentication takes precedence over password authentication, so the user must log in as an IAM user.
• For PostgreSQL, Amazon RDS does not support enabling both IAM and Kerberos authentication methods at the same time.
• For PostgreSQL, you cannot use IAM authentication to establish a replication connection.
• You cannot use a custom Route 53 DNS record instead of the DB instance endpoint to generate the authentication token.
• CloudWatch and CloudTrail don't log IAM authentication. These services do not track generate-db-auth-token API calls that authorize the IAM role to enable database connection.
• IAM DB authorization requires compute resources on the database instance. You must have between 300 and 1000 MiB extra memory on your database for reliable connectivity. To see the memory needed for your workload, compare the RES column for RDS processes in the Enhanced Monitoring processlist before and after enabling IAM DB authentication. See Viewing OS metrics in the RDS console.
  If you are using a burstable class instance, avoid running out of memory by reducing the memory used by other parameters like buffers and cache by the same amount.
• For RDS for MySQL, you cannot use password based authentication for a database user you configure with IAM authentication.

Recommendations for IAM database authentication

We recommend the following when using IAM database authentication:

• Use IAM database authentication when your application requires fewer than 200 new IAM database authentication connections per second.
  The database engines that work with Amazon RDS don't impose any limits on authentication attempts per second. However, when you use IAM database authentication, your application must generate an authentication token. Your application then uses that token to connect to the DB instance. If you exceed the limit of maximum new connections per second, then the extra overhead of IAM database authentication can cause connection throttling.
  Consider using connection pooling in your applications to mitigate constant connection creation. This can reduce the overhead from IAM DB authentication and allow your applications to reuse existing connections. Alternatively, consider using RDS Proxy for these use cases. RDS Proxy has additional costs. SeeRDS Proxy pricing.
• The size of an IAM database authentication token depends on many things including the number of IAM tags, IAM service policies, ARN lengths, as well as other IAM and database properties. The minimum size of this token is generally about 1 KB but can be larger. Since this token is used as the password in the connection string to the database using IAM authentication, you should ensure that your database driver (e.g., ODBC) and/or any tools do not limit or otherwise truncate this token due to its size. A truncated token will cause the authentication validation done by the database and IAM to fail.
• If you are using temporary credentials when creating an IAM database authentication token, the temporary credentials must still be valid when using the IAM database authentication token to make a connection request.

Unsupported AWS global condition context keys

IAM database authentication does not support the following subset of AWS global condition context keys.

• aws:Referer
• aws:SourceIp
• aws:SourceVpc
• aws:SourceVpce
• aws:UserAgent
• aws:VpcSourceIp

For more information, see AWS global condition context keys in the_IAM User Guide_.