AWS Database Blog

Connect to an Amazon RDS or Amazon Aurora instance using a federated user with AWS IAM Identity Center and IAM database authentication

Amazon Aurora, which is compatible with MySQL and PostgreSQL, combines the speed and availability of high-end commercial databases with the simplicity and cost-effectiveness of open-source databases. Amazon Relational Database Service (Amazon RDS) simplifies setting up, operating, and scaling relational databases in the cloud. It offers cost-efficient, resizable capacity while automating administrative tasks such as hardware provisioning, database setup, patching, and backups.

To enhance security and streamline access, you can connect to your RDS or Aurora instances using federated users with AWS IAM Identity Center and AWS Identity and Access Management (IAM) database authentication. This integration allows you to manage database access through IAM Identity Center, providing secure, centralized authentication. With IAM database authentication, you can authenticate to your databases using IAM credentials, eliminating the need for database-specific user names and passwords. This approach provides fast performance, high availability, and robust security for your applications, allowing you to focus on development and innovation.

In this post, we share the steps to connect to an Amazon RDS for PostgreSQL or Amazon Aurora PostgreSQL-Compatible Edition instance using a federated user with IAM Identity Center and IAM database authentication.

Solution overview

With IAM database authentication, you use an authentication token instead of a password when you connect to your DB instance. IAM Identity Center makes it straightforward to centrally manage access, single sign-on (SSO), and user permissions across all your AWS accounts in AWS Organizations. It also helps you manage access and permissions to commonly used third-party software as a service (SaaS) applications, IAM Identity Center integrated applications, and custom applications that support SAML 2.0. IAM Identity Center includes a user portal where end-users can find and access all their assigned AWS accounts, cloud applications, and custom applications in one place.

In the following sections, we guide you through the prerequisites and a sample setup to demonstrate the capabilities of SSO with IAM Identity Center. Although IAM Identity Center can greatly simplify the management of access, SSO, and user permissions across your AWS accounts within an organization, you should exercise your own discretion and due diligence when implementing it in a production environment.

Prerequisites

Before you get started, make sure you have the following prerequisites:

  • An AWS account with an IAM role that is enabled for IAM Identity Center
  • An RDS for PostgreSQL or Aurora PostgreSQL instance
  • IAM Identity Center set up and integrated with your corporate identity provider
  • The AWS Command Line Interface (AWS CLI) v2 installed
  • The IAM permissions the IAM Identity Center users need to connect to the database

Deploy the solution

Complete the following steps to deploy the solution:

  1. Enable IAM Identity Center on the IAM Identity Center console (if not enabled already).
    When you enable IAM Identity Center for the first time, it is automatically configured with an IAM Identity Center directory as your default identity source.
  2. On the IAM Identity Center console, choose Users in the navigation pane.
  3. Create a user and, on the Specify user details page, provide the necessary details.
    If, under Password, you chose Send an email to this user with password setup instructions while creating the user, you will receive an email. Choose Accept Invitation in the email and set the user's password on the page it opens.
  4. Choose Permission sets in the navigation pane and create a custom permission set, attaching the following policy, which allows a user to connect to a DB instance using IAM database authentication:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "rds-db:connect"
                ],
                "Resource": [
                    "arn:aws:rds-db:<region>:<AWS Account ID>:dbuser:<Cluster Resource ID for Aurora and Instance Resource ID for RDS>/<username>"
                ]
            }
        ]
    }

    Replace <region>, <AWS Account ID>, <Cluster Resource ID for Aurora and Instance Resource ID for RDS>, and <username> with the AWS Region of the DB instance, your account number, the cluster or DB instance resource ID, and the database user name that will connect to the DB.

  5. Choose AWS accounts in the navigation pane, select your AWS account, and choose Assign users or groups.
  6. To assign user access, choose the user you created, then choose Next.
  7. Choose the permission set you created, then choose Submit.
  8. Run the aws configure sso command and follow the prompts to provide your IAM Identity Center start URL and the AWS Region that hosts the IAM Identity Center directory:
    [ec2-user@ip-aa-bb-cc-dd ~]$ aws configure sso
    
    SSO session name (Recommended): my-sso-session
    SSO start URL [None]: https://my-sso-start-url.awsapps.com/start
    SSO region [None]: us-east-1
    SSO registration scopes [None]: sso:account:access
    

    Replace my-sso-start-url.awsapps.com/start with your actual IAM Identity Center start URL and replace us-east-1 with the Region hosting your IAM Identity Center directory.

    After you provide these details, the AWS CLI guides you through the rest of the configuration process, including logging in to your SSO account and selecting the AWS accounts and roles you want to access.

    You can use the aws sts get-caller-identity command to verify the details about the IAM identity used to make the request. The output includes the following information:

    • UserId – The unique identifier of the IAM user or role making the request
    • Account – The AWS account ID that owns the IAM user or role
    • ARN – The Amazon Resource Name (ARN) associated with the IAM user or role

    The following is an example of the output:

    [ec2-user@ip-aa-bb-cc-dd ~]$ aws sts get-caller-identity --profile IAM-auth-permission-set-949630922063
    {
        "UserId": "ABCD12FGHI34JKLM56NOP:identity-center-user",
        "Account": "123456789012",
        "Arn": "arn:aws:sts::123456789012:assumed-role/AWSReservedSSO_IAM-auth-permission-set_12a345678b9cd012/identity-center-user"
    }
  9. Enable IAM database authentication by modifying the DB instance.
  10. Connect to the instance and create a database user for IAM database authentication:
    CREATE USER testuser;
    GRANT rds_iam TO testuser;
  11. Generate a token using the generate-db-auth-token command and connect to the instance:
    [ec2-user@ip-aa-bb-cc-dd ~]$ export RDSHOST=database-2.abcdghijmnop.us-east-1.rds.amazonaws.com
    [ec2-user@ip-aa-bb-cc-dd ~]$ export PGPASSWORD="$(aws rds generate-db-auth-token --hostname $RDSHOST --port 5432 --region us-east-1 --username testuser --profile IAM-auth-permission-set-123456789012)"
    [ec2-user@ip-aa-bb-cc-dd ~]$ psql -h$RDSHOST -U testuser -d postgres
    psql (10.21)
    SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384, bits: 256, compression: off)
    Type "help" for help.
    
    postgres=> select current_user;
     current_user
    --------------
     testuser
    (1 row)
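    The token exported as PGPASSWORD in step 11 is opaque on the command line, but it is a SigV4-presigned request for the rds-db:connect action that binds the host, port, DB user, Region and signing time, and it stops being accepted 900 seconds after its X-Amz-Date. The following Python is an added example, not part of this post and not AWS CLI or SDK code: it re-derives a token of that shape with the standard library only, and provides an inspector you can run on the real output of generate-db-auth-token to see what it is bound to and how long it remains valid before handing it to psql. The endpoint, the example access key and secret key (the values AWS documentation uses for examples), and the session token are constructed; that the canonical request hashes an empty body rather than using UNSIGNED-PAYLOAD is an assumption, so the signature is shown as the mechanism and is not promised to be byte-identical to the CLI's.

```python
"""Build and inspect an RDS IAM authentication token with the standard library only."""
import datetime as dt
import hashlib
import hmac
from urllib.parse import parse_qs, quote

SERVICE = "rds-db"
TOKEN_TTL_SECONDS = 900  # the token is accepted for 15 minutes after X-Amz-Date
UTC = dt.timezone.utc


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def _canonical_query(params: dict) -> str:
    """Query string as SigV4 wants it: keys sorted, values RFC 3986 encoded."""
    return "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(params.items()))


def _signature(host: str, params: dict, secret_key: str) -> str:
    """SigV4 signature over a presigned GET to https://host/?<params> with only the host header signed."""
    _, date_stamp, region, _, _ = params["X-Amz-Credential"].split("/")
    scope = f"{date_stamp}/{region}/{SERVICE}/aws4_request"
    payload_hash = hashlib.sha256(b"").hexdigest()  # assumption: empty body is hashed, not UNSIGNED-PAYLOAD
    canonical_request = "\n".join(["GET", "/", _canonical_query(params), f"host:{host}\n", "host", payload_hash])
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", params["X-Amz-Date"], scope,
                                hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()])
    # Key derivation chain: "AWS4"+secret -> date -> region -> service -> "aws4_request"
    key = ("AWS4" + secret_key).encode("utf-8")
    for part in (date_stamp, region, SERVICE, "aws4_request"):
        key = _hmac_sha256(key, part)
    return hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()


def build_auth_token(hostname, port, username, region, access_key, secret_key, session_token=None, now=None):
    """Return host:port/?Action=connect&DBUser=...&X-Amz-...&X-Amz-Signature=..., the value used as the password."""
    now = now or dt.datetime.now(UTC)
    host = f"{hostname}:{port}"
    params = {
        "Action": "connect",
        "DBUser": username,
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{now:%Y%m%d}/{region}/{SERVICE}/aws4_request",
        "X-Amz-Date": f"{now:%Y%m%dT%H%M%SZ}",
        "X-Amz-Expires": str(TOKEN_TTL_SECONDS),
        "X-Amz-SignedHeaders": "host",
    }
    if session_token:  # temporary credentials (Identity Center / STS) carry a session token
        params["X-Amz-Security-Token"] = session_token
    return f"{host}/?{_canonical_query(params)}&X-Amz-Signature={_signature(host, params, secret_key)}"


def _parse(token: str):
    host, _, query = token.partition("/?")
    params = {k: v[0] for k, v in parse_qs(query).items()}
    return host, params


def inspect_token(token: str, now=None) -> dict:
    """What the token is bound to and how long it remains usable (no secret needed)."""
    now = now or dt.datetime.now(UTC)
    host, params = _parse(token)
    hostname, _, port = host.rpartition(":")
    issued = dt.datetime.strptime(params["X-Amz-Date"], "%Y%m%dT%H%M%SZ").replace(tzinfo=UTC)
    expires_at = issued + dt.timedelta(seconds=int(params["X-Amz-Expires"]))
    seconds_left = int((expires_at - now).total_seconds())
    return {
        "hostname": hostname,
        "port": int(port),
        "user": params["DBUser"],
        "region": params["X-Amz-Credential"].split("/")[2],
        "temporary_credentials": "X-Amz-Security-Token" in params,
        "expires_at": expires_at.isoformat(),
        "seconds_left": seconds_left,
        "valid": seconds_left > 0,
    }


def verify_token_signature(token: str, secret_key: str) -> bool:
    """Recompute the signature with the secret key; any edit to host, user, date or region fails."""
    host, params = _parse(token)
    presented = params.pop("X-Amz-Signature", "")
    return hmac.compare_digest(presented, _signature(host, params, secret_key))


if __name__ == "__main__":
    # Constructed endpoint, AWS documentation example keys, and a made-up session token.
    secret = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
    tok = build_auth_token("database-2.abcdghijmnop.us-east-1.rds.amazonaws.com", 5432, "testuser",
                           "us-east-1", "AKIAIOSFODNN7EXAMPLE", secret, session_token="FwoGZXIvYXdzEXAMPLE")
    print(inspect_token(tok))
    print("signature ok:", verify_token_signature(tok, secret))
```

    inspect_token needs no secret, so it is safe to run on a token produced with your federated credentials; seconds_left is the value to check before a retry, because a connection attempt with an expired token fails in the same way as a wrong password. verify_token_signature is the server's side of the check and only makes sense with the secret key that produced the token; it shows why altering any field, DBUser included, invalidates the token rather than granting a different user.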

Best practices

To help secure your AWS resources, follow these best practices:

  • IAM roles and policies – Define and attach IAM roles with appropriate permissions for federated users. Make sure the roles have policies granting access to RDS or Aurora instances and IAM Identity Center. Regularly update and rotate IAM roles and policies to minimize risk.
  • Monitor and audit access – Use AWS CloudTrail and Amazon RDS or Aurora logs to monitor and audit access to your database instances. This helps you identify and investigate any suspicious activities. Configure Amazon CloudWatch alarms and Amazon Simple Notification Service (Amazon SNS) to notify you of unusual or unauthorized access patterns or potential security issues.
  • Limit privileges – Apply the principle of least privilege by granting only the permissions necessary for users to perform their tasks. This reduces the risk of unauthorized access.
  • Choose workloads wisely – Use IAM database authentication only for workloads that can be retried with minimal difficulty and that need to establish fewer than 200 new IAM-authenticated connections per second.
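For the monitor-and-audit item, note that generating a token is a local signing operation, so the per-connection outcome of IAM database authentication is recorded by the engine log rather than as a CloudTrail event. The following Python is an added example, not part of this post: it reads constructed PostgreSQL log lines in the shape RDS emits with the default log_line_prefix (%t:%r:%u@%d:[%p]:, an assumption stated in the code) and flags bursts of PAM authentication failures for one user from one source address, which is how a rejected or expired IAM token surfaces (the exact message text is also an assumption), plus any authorized connection that was not made over SSL. The sample lines, addresses, user names and thresholds are constructed.

```python
"""Flag suspicious IAM database authentication activity in RDS for PostgreSQL logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: default RDS for PostgreSQL log_line_prefix "%t:%r:%u@%d:[%p]:" and IPv4 sources.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC:(?P<src>[^:]*):(?P<user>[^@]*)@(?P<db>[^:]*)"
    r":\[(?P<pid>\d+)\]:(?P<level>[A-Z]+):\s+(?P<msg>.*)$"
)


def parse_line(line):
    """Return a dict of the log fields, or None for lines that do not match the prefix."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    rec["ip"] = rec["src"].split("(")[0] or "local"  # %r is "host(port)", empty for local sockets
    return rec


def detect(lines, threshold=5, window=timedelta(minutes=5)):
    """Return alert strings: auth-failure bursts per (user, source IP) and connections without SSL."""
    alerts = []
    failures = defaultdict(list)
    for rec in map(parse_line, lines):
        if rec is None:
            continue
        # An expired, altered or mis-scoped IAM token is rejected at the PAM step (assumed message text).
        if rec["level"] == "FATAL" and "PAM authentication failed" in rec["msg"]:
            failures[(rec["user"], rec["ip"])].append(rec["ts"])
        # IAM logins require SSL; an authorized connection without it deserves a look.
        elif rec["level"] == "LOG" and rec["msg"].startswith("connection authorized") and "SSL enabled" not in rec["msg"]:
            alerts.append(f"unencrypted connection: user={rec['user']} from {rec['ip']} at {rec['ts']:%H:%M:%S}")
    for (user, ip), stamps in failures.items():
        stamps.sort()
        # Any `threshold` consecutive failures that fit inside `window` raise one alert per (user, ip).
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                alerts.append(f"{threshold}+ IAM auth failures: user={user} from {ip} within {window}")
                break
    return alerts


# Constructed sample log lines (not real RDS output).
SAMPLE_LOG = [
    '2024-05-06 07:10:12 UTC:10.0.1.25(51234):testuser@postgres:[12345]:LOG:  connection authorized: user=testuser database=postgres SSL enabled (protocol=TLSv1.2, cipher=ECDHE-RSA-AES256-GCM-SHA384, compression=off)',
    '2024-05-06 07:10:30 UTC:198.51.100.7(40001):testuser@postgres:[12350]:FATAL:  PAM authentication failed for user "testuser"',
    '2024-05-06 07:10:41 UTC:198.51.100.7(40002):testuser@postgres:[12351]:FATAL:  PAM authentication failed for user "testuser"',
    '2024-05-06 07:10:52 UTC:198.51.100.7(40003):testuser@postgres:[12352]:FATAL:  PAM authentication failed for user "testuser"',
    '2024-05-06 07:11:03 UTC:198.51.100.7(40004):testuser@postgres:[12353]:FATAL:  PAM authentication failed for user "testuser"',
    '2024-05-06 07:11:14 UTC:198.51.100.7(40005):testuser@postgres:[12354]:FATAL:  PAM authentication failed for user "testuser"',
    '2024-05-06 07:25:00 UTC:10.0.1.25(51240):testuser@postgres:[12360]:FATAL:  PAM authentication failed for user "testuser"',
    '2024-05-06 07:40:00 UTC:10.0.1.30(51300):appuser@postgres:[12400]:LOG:  connection authorized: user=appuser database=postgres',
    '2024-05-06 07:40:01 UTC::@:[12401]:LOG:  checkpoint starting: time',
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

A single failure from a trusted subnet (the 10.0.1.25 line) is the normal signature of a token that expired mid-retry and stays below the threshold; the burst from one external address is what merits a CloudWatch alarm. Run the same logic against the log files exported to CloudWatch Logs, and tune threshold and window to the retry behaviour of your own clients.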

Following best practices when implementing IAM roles and policies is highly advised. Update your connection and authentication procedures as AWS services and best practices evolve, and stay informed about new features and security improvements. Refer to Security best practices in IAM for additional details.

Clean up

As part of this setup, you deployed Amazon RDS and IAM Identity Center resources in your AWS account. These resources incur costs as long as they are in use. Be sure to remove any resources you no longer need. To clean up your resources, follow these steps:

  1. Remove the IAM roles and policies created for database access.
  2. Modify your RDS or Aurora instance to disable IAM database authentication if no longer needed.
  3. Make sure temporary credentials are properly revoked and not stored insecurely.

Conclusion

In this post, we discussed how to connect to RDS or Aurora instances using federated users with IAM Identity Center and IAM database authentication. This solution provides a secure and scalable way to manage database access without the need for long-term credentials. By using IAM roles and policies, you can enforce secure access to your databases. By following these best practices, you can enhance the security and efficiency of your database management in AWS.

If you have feedback about this post, submit it in the comments section.


About the Authors

Ayushi Gupta is a Senior Technical Account Manager at Amazon Web Services, where she provides advocacy and guidance to customers throughout their cloud journey. As part of the global team of database evangelists, she focuses on strategizing optimal cloud deployments to enhance both data performance and security. Ayushi is passionate about helping customers optimize their cloud solutions while ensuring robust data protection, compliance, and enabling businesses to scale securely.

Abhiram G N is a Software Development Engineer at Amazon Web Services. He works on improving build, test, and development processes for relational database engines. Open source databases like MySQL, MariaDB, and PostgreSQL are of particular interest to him.

Mohammed Asadulla Baig is a Senior Technical Account Manager with AWS Enterprise Support. Asad helps customers architect scalable, resilient, and secure solutions. He is a trusted advisor, guiding customers on using advanced AWS services like Amazon Aurora and Amazon RDS for PostgreSQL to drive operational excellence. With a keen eye for innovation and a passion for delivering customer success, Asad has established himself as a thought leader in the industry, helping enterprises navigate their cloud transformation journeys with confidence and ease.