AWS RDS - Use IAM Authentication (PostgreSQL)

  • You can authenticate to your DB instance using AWS Identity and Access Management (IAM) database authentication. The purpose of this exercise is to get to know an additional method to secure access to RDS Database Instances.

Requirements

  1. Create an RDS PostgreSQL Database (at the time of recording, v15.3 was used as the database engine)
    • Use Defaults - make it publicly available
    • Enable IAM Authentication
  2. Create the IAM Role/Policy
    • Create a User with IAM Credentials to Assume this Role
  3. Create the Database User in the Server - map to IAM
  4. Generate Auth Tokens
  5. Connect to the Database

Desired Architecture

RDS PostgreSQL IAM Authentication

Tips and Tricks

Connecting to PostgreSQL with psql and sslmode=verify-full

psql "host=<db hostname> port=5432 user=postgres dbname=postgres sslmode=verify-full sslrootcert=/Users/<user>/Downloads/eu-central-1-bundle.pem"

Create database users and then grant them the rds_iam role

CREATE USER db_userx; 
GRANT rds_iam TO db_userx;

Generating an IAM authentication token

export RDSHOST="<rds host name>"
export PGPASSWORD="$(aws rds generate-db-auth-token --hostname $RDSHOST --port 5432 --region <region> --username <database username>)"

Connecting to the Database

psql "host=$RDSHOST port=5432 sslmode=verify-full sslrootcert=/sample_dir/global-bundle.pem dbname=DBName user=<database username> password=$PGPASSWORD"

Download the Certificates

DB Access Permission Policy

{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Effect": "Allow",
         "Action": [
             "rds-db:connect"
         ],
         "Resource": [
             "arn:aws:rds-db:<region>:<account-id>:dbuser:<db-resource-id>/db_user"
         ]
      }
   ]
}
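
The token from `aws rds generate-db-auth-token` is a SigV4 presigned URL without the scheme and is valid for 15 minutes, and the `DBUser` it carries must match the `dbuser` ARN in the policy above. The following offline pre-flight check is an added example, not part of the original repository; the token, account ID, resource ID and the helper names `parse_token` and `preflight` are constructed for illustration, and the policy is assumed to list `Action` and `Resource` as arrays, as above.

```python
# Added example: offline pre-flight check of an RDS IAM auth token (not the repo's code).
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase
from urllib.parse import parse_qs, urlsplit

# Constructed sample values: no real credentials, endpoints or signatures.
SAMPLE_TOKEN = (
    "mydb.example.eu-central-1.rds.amazonaws.com:5432/?Action=connect&DBUser=db_userx"
    "&X-Amz-Algorithm=AWS4-HMAC-SHA256"
    "&X-Amz-Credential=AKIAEXAMPLE%2F20230801%2Feu-central-1%2Frds-db%2Faws4_request"
    "&X-Amz-Date=20230801T120000Z&X-Amz-Expires=900"
    "&X-Amz-SignedHeaders=host&X-Amz-Signature=0000"
)
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["rds-db:connect"],
    "Resource": ["arn:aws:rds-db:eu-central-1:111122223333:dbuser:db-EXAMPLEID/db_user"]}]}


def parse_token(token):
    """Split a token (a presigned URL without scheme) into the fields that matter."""
    url = urlsplit("https://" + token)
    q = {k: v[0] for k, v in parse_qs(url.query).items()}
    issued = datetime.strptime(q["X-Amz-Date"], "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    return {
        "host": url.hostname,
        "port": url.port,
        "db_user": q["DBUser"],
        # Credential scope: <access-key-id>/<date>/<region>/rds-db/aws4_request
        "region": q["X-Amz-Credential"].split("/")[2],
        "expires": issued + timedelta(seconds=int(q["X-Amz-Expires"])),
    }


def preflight(token, policy, account_id, db_resource_id, now):
    """Return a list of problems; an empty list means the token should be accepted."""
    t = parse_token(token)
    problems = []
    if now >= t["expires"]:
        problems.append("token expired")
    arn = f"arn:aws:rds-db:{t['region']}:{account_id}:dbuser:{db_resource_id}/{t['db_user']}"
    allowed = any(
        s["Effect"] == "Allow" and "rds-db:connect" in s["Action"]
        and any(fnmatchcase(arn, r) for r in s["Resource"])  # IAM * and ? wildcards
        for s in policy["Statement"]
    )
    if not allowed:
        problems.append(f"policy does not allow {arn}")
    return problems
```

With the sample data, the check reports that the policy covers `db_user` while the token was generated for `db_userx`.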
            

Resources

  1. Using IAM with PostgreSQL
  2. Creating and Using IAM Policy for RDS
  3. Using IAM within programming source code
  4. IAM Authentication with RDS in General
  5. RDS PEM Bundle - Download Links Here