Use Amazon RDS Proxy with IAM authentication for cross-account access

This post is a follow-up to Use Amazon RDS Proxy to provide access to RDS databases across AWS accounts, addressing cross-account connectivity when using RDS Proxy. We discuss how you can achieve cross-account connectivity while taking advantage of the simplicity and benefits of IAM authentication.

Amazon RDS Proxy is a fully managed, highly available database proxy for Amazon Relational Database Service (Amazon RDS) that makes applications more scalable, more resilient to database failures, and more secure. With RDS Proxy, applications can pool and share connections established with the database, improving database efficiency and application scalability. Also, access can be managed through integration with AWS Secrets Manager and AWS Identity and Access Management (IAM).

Solution overview

In this section, we provide a walkthrough of the solution architecture for facilitating cross-account IAM authentication with RDS Proxy.

In this architecture, we perform cross-account IAM authentication using Amazon RDS Proxy. The process involves assuming a role in the database account where your RDS Proxy is configured, generating a token, and using that token for authentication from the application account where your applications are running.

The following GitHub repository shows you how to create the necessary AWS resources and infrastructure in your accounts, facilitating the implementation of this solution. You can test and experiment with this solution in your non-production accounts, and tailor it to meet your specific requirements and needs.

The following diagram illustrates the services and resources involved in the solution architecture. With the exception of the AWS accounts and AWS Organizations, all of these resources are deployed in the sample code available in the GitHub repository.

Once the solution is deployed, a cross-account database connection is made with the following steps:

1. A Lambda function in the application account executes, taking in a database username and database name as input.
2. The function assumes an IAM role in the database account, and uses the assumed role to generate an authentication token serving as a temporary credential for the provided user to access an Aurora PostgreSQL database in the database account.
3. The function then creates a database connection. It uses a cross-VPC RDS proxy endpoint for the hostname, which exposes the Aurora PostgreSQL database in the database VPC to the function in the application VPC. Along with the authentication token and provided username and database name, a successful database connection is made and validated by the Lambda function code.

To successfully implement this cross-account RDS Proxy solution using IAM, it’s crucial to pay close attention to the following:

• Application account IAM policy – This policy code in GitHub allows an IAM entity to assume a role in the database account to perform IAM authentication to the database. An IAM policy is required to grant the necessary permissions to the IAM entity (a role or user) in the source account, allowing it to assume the IAM role in the target account where the database resides. This role assumption enables the IAM authentication process, facilitating secure access to the DB instance.
• Database account IAM role – This role is for a principal in the application account to access the RDS Proxy with IAM authentication. The IAM role needs to be created in the Proxy’s account, to allow Proxy to successfully authenticate. Applications in the application account have to assume this role first, and use the assumed role credentials to generate the IAM auth token.

When an application connects to RDS Proxy, the proxy retrieves the corresponding secret from AWS Secrets Manager based on the username passed to ‘generate-db-auth-token‘, and the proxy looks for secret credentials matching that username.

For example, run the following AWS CLI command from your local machine to generate the authentication token:

aws rds generate-db-auth-token --hostname <ProxyEndpoint> --port <xxxx> --region <Region> --username <UserName>

Currently, while using IAM authentication, the RDS proxy only handles the IAM piece, and still requires secrets from Secrets Manager to authenticate users to the actual database.

The GitHub deployment in this project sets up a single Aurora instance, which you can customize to multiple instances based on your requirements.

Deploy the solution

For a complete walkthrough of deploying a demo solution, refer to the GitHub repository.

Conclusion

In this post, we introduced a GitHub CDK project that creates infrastructure to demonstrate how to setup a cross-account connection using RDS proxy endpoints and IAM authentication. This solution is applicable with the Amazon RDS and Aurora engines and versions supported by RDS Proxy. Give it a try and let us know your feedback in the comments section.

About the Authors

Brendan Coli is a Cloud Infrastructure Architect with Amazon Web Services.

Saikat Banerjee is a Database Specialist Solutions Architect with Amazon Web Services.

Sukhomoy Basak is a Solutions Architect at Amazon Web Services, with a passion for data and analytics solutions. Sukhomoy works with enterprise customers to help them architect, build, and scale applications to achieve their business outcomes.

Ryan Shevchik is a Database Specialist Solutions Architect with Amazon Web Services.