How to authenticate to an Amazon RDS DB instance using IAM credentials

To set up IAM database authentication using IAM roles, follow these steps:

1. Enable IAM DB authentication on the DB instance.

2. Create a database user account that uses an AWS authentication token.

3. Add an IAM policy that maps the database user to the IAM role.

4. Attach the IAM role to the EC2 instance.

5. Generate an AWS authentication token to identify the IAM role.

6. Download the SSL root certificate file or certificate bundle file.

7. Connect to the DB instance using IAM role credentials and the authentication token or an SSL certificate.

Example:

1. Enable IAM DB authentication on the DB instance.

2. Create a database user account that uses an AWS authentication token.

Log in as the admin user and create a user account. In this example I created a user named "nazmul". IAM database authentication requires a secure socket layer (SSL) connection, which means that all data transmitted to and from your DB instance is encrypted.

CREATE USER nazmul IDENTIFIED WITH AWSAuthenticationPlugin as 'RDS';

ALTER USER 'nazmul'@'%' REQUIRE SSL;

GRANT all privileges ON *.* TO 'nazmul'@'%';

3. Add an IAM policy that maps the database user to the IAM role.

Here is the format of the resource ARN that the policy must reference:

arn:aws:rds-db:region:account-id:dbuser:DbiResourceId/db-user-name

region is the AWS Region for the DB instance.

account-id is the AWS account number for the DB instance.

DbiResourceId is the identifier for the DB instance. This identifier is unique to an AWS Region and never changes.

To find a DB instance resource ID in the AWS Management Console for Amazon RDS, choose the DB instance to see its details. Then choose the Configuration tab. The Resource ID is shown in the Configuration section.

Alternatively, you can use the following AWS CLI command to list the identifiers and resource IDs of all your DB instances in the current AWS Region:

aws rds describe-db-instances --query "DBInstances[*].[DBInstanceIdentifier,DbiResourceId]"

In the IAM console, go to Roles, choose "Create role" and attach a policy containing that resource ARN.

4. Attach the IAM role to the EC2 instance.

5. Generate an AWS authentication token to identify the IAM role.

IAM database authentication tokens are generated using your AWS access keys, so you don't need to store database user credentials. A token is valid for 15 minutes, so you don't need to enforce password resets.

# TOKEN="$(aws rds generate-db-auth-token --hostname test.cajktdfhjjbk.eu-west-1.rds.amazonaws.com --port 3306 --region eu-west-1 --username nazmul)"

6. Download the SSL root certificate file or certificate bundle file.

# pwd

/root

# wget https://s3.amazonaws.com/rds-downloads/rds-ca-2019-root.pem

--2021-05-25 14:55:30-- https://s3.amazonaws.com/rds-downloads/rds-ca-2019-root.pem

Resolving s3.amazonaws.com (s3.amazonaws.com)... 52.217.36.198

Connecting to s3.amazonaws.com (s3.amazonaws.com)|52.217.36.198|:443... connected.

HTTP request sent, awaiting response... 200 OK

Length: 1456 (1.4K) [binary/octet-stream]

Saving to: ‘rds-ca-2019-root.pem’

rds-ca-2019-root.pem 100%[============================================================================>] 1.42K --.-KB/s in 0s

2021-05-25 14:55:31 (66.7 MB/s) - ‘rds-ca-2019-root.pem’ saved [1456/1456]

# ls rds*

rds-ca-2019-root.pem

7. Connect to the DB instance using IAM role credentials and the authentication token or an SSL certificate.

# mysql --host=test.cajktdfhjjbk.eu-west-1.rds.amazonaws.com --port=3306 --ssl-ca=/root/rds-ca-2019-root.pem --enable-cleartext-plugin --user=nazmul --password=$TOKEN

mysql: [Warning] Using a password on the command line interface can be insecure.

Welcome to the MySQL monitor. Commands end with ; or \g.

Your MySQL connection id is 127

Server version: 8.0.20 Source distribution

Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its

affiliates. Other names may be trademarks of their respective

owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>
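As an added example (not code from the original post), the Python below reproduces what "aws rds generate-db-auth-token" in step 5 produces: a SigV4-presigned GET request for Action=connect on the rds-db service, returned as the query string that is then passed as the password, with X-Amz-Expires=900 giving the 15-minute lifespan. The host and user are the ones used above; the access key, secret and fixed timestamp are constructed placeholders, and session_token is an assumed optional parameter for temporary credentials.

```python
import datetime
import hashlib
import hmac
from urllib.parse import quote

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def generate_db_auth_token(host, port, user, region, access_key, secret_key,
                           session_token=None, now=None, expires=900):
    """SigV4-presign GET https://host:port/?Action=connect&DBUser=user for the
    rds-db service; the query string (without scheme) is the IAM auth token."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    amz_date, datestamp = now.strftime("%Y%m%dT%H%M%SZ"), now.strftime("%Y%m%d")
    scope = f"{datestamp}/{region}/rds-db/aws4_request"
    params = {
        "Action": "connect",
        "DBUser": user,
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),       # 900 s = the 15-minute token lifetime
        "X-Amz-SignedHeaders": "host",
    }
    if session_token:  # temporary credentials (e.g. an instance role) add this
        params["X-Amz-Security-Token"] = session_token
    qs = "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                  for k, v in sorted(params.items()))
    host_header = f"{host}:{port}"           # non-default port is part of Host
    canonical_request = "\n".join([
        "GET", "/", qs,
        f"host:{host_header}\n",             # canonical headers, then a blank line
        "host",                              # signed headers
        hashlib.sha256(b"").hexdigest(),     # hash of the empty request body
    ])
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    key = _hmac(("AWS4" + secret_key).encode(), datestamp)
    for part in (region, "rds-db", "aws4_request"):
        key = _hmac(key, part)               # derive the per-day signing key
    signature = hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()
    return f"{host_header}/?{qs}&X-Amz-Signature={signature}"

def demo_token():
    # Constructed sample: the page's host and user, placeholder keys, fixed clock.
    fixed = datetime.datetime(2021, 5, 25, 14, 55, 30, tzinfo=datetime.timezone.utc)
    return generate_db_auth_token("test.cajktdfhjjbk.eu-west-1.rds.amazonaws.com", 3306,
                                  "nazmul", "eu-west-1", "AKIAEXAMPLEKEY",
                                  "EXAMPLE-SECRET-NOT-REAL", now=fixed)
```

Because the signature covers the Host header, DBUser and the expiry, a token is only accepted for the instance, port and database user it was generated for, and only within its 15-minute window.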