Amazon Relational Database Service
User Guide (API Version 2014-10-31)

Enabling and Disabling IAM Database Authentication

By default, IAM database authentication is disabled on DB instances and DB clusters. You can enable IAM database authentication (or disable it again) using the AWS Management Console, AWS CLI, or the Amazon RDS API.

AWS Management Console

To create a new DB instance or DB cluster with IAM authentication by using the console, see the following workflows:

Each of these creation workflows has a Configure Advanced Settings page, where you can enable IAM DB authentication. In that page's Database Options section, choose Yes for Enable IAM DB Authentication.

To enable or disable IAM authentication for an existing DB instance or cluster

  1. Open the Amazon RDS console at https://console.aws.amazon.com/rds/.

  2. From the dashboard, choose either Instances or Clusters.

  3. Choose the DB instance or DB cluster that you want to modify, and then choose Instance Actions, Modify or Modify Cluster as appropriate.

  4. In the Database Options section, for Enable IAM DB Authentication choose Yes (to enable) or No (to disable), and then choose Continue.

  5. Choose Modify DB Instance or Modify Cluster as appropriate.

To restore a DB instance or cluster

  1. Open the Amazon RDS console at https://console.aws.amazon.com/rds/.

  2. From the dashboard, choose Snapshots.

  3. Choose the snapshot you want to restore, and then choose Snapshot Actions, Restore Snapshot.

  4. In the Database Options section, go to Enable IAM DB Authentication and choose Yes (to enable) or No (to disable).

  5. Choose Restore DB Instance.

AWS CLI

To create a new DB instance or DB cluster with IAM authentication by using the AWS CLI, use one of the following commands:

Specify the --enable-iam-database-authentication option, as shown in the following example.

    aws rds create-db-instance \
        --db-instance-identifier mydbinstance \
        --db-instance-class db.m3.medium \
        --engine MySQL \
        --allocated-storage 20 \
        --master-username masterawsuser \
        --master-user-password masteruserpassword \
        --enable-iam-database-authentication

For an existing DB instance or DB cluster, use one of the following AWS CLI commands:

Specify either the --enable-iam-database-authentication or --no-enable-iam-database-authentication option, as appropriate.

By default, Amazon RDS modifies the DB instance during the next maintenance window. If you want to override this and enable IAM DB authentication as soon as possible, use the --apply-immediately parameter.

The following example shows how to immediately enable IAM authentication for an existing DB instance.

    aws rds modify-db-instance \
        --db-instance-identifier mydbinstance \
        --apply-immediately \
        --enable-iam-database-authentication
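To check whether a change has taken effect or is still waiting for the maintenance window, the following added example (not part of the AWS guide) classifies instances from the JSON that `aws rds describe-db-instances` returns, reading the `IAMDatabaseAuthenticationEnabled` field and its counterpart under `PendingModifiedValues`. The sample document and every instance name other than mydbinstance are constructed for illustration.

```python
import json

# Constructed sample shaped like `aws rds describe-db-instances` output,
# trimmed to the fields this check reads. Identifiers are illustrative.
SAMPLE = json.loads("""
{"DBInstances": [
  {"DBInstanceIdentifier": "mydbinstance",
   "IAMDatabaseAuthenticationEnabled": true,
   "PendingModifiedValues": {}},
  {"DBInstanceIdentifier": "example-pending",
   "IAMDatabaseAuthenticationEnabled": false,
   "PendingModifiedValues": {"IAMDatabaseAuthenticationEnabled": true}},
  {"DBInstanceIdentifier": "example-disabled",
   "IAMDatabaseAuthenticationEnabled": false,
   "PendingModifiedValues": {}},
  {"DBInstanceIdentifier": "example-pending-off",
   "IAMDatabaseAuthenticationEnabled": true,
   "PendingModifiedValues": {"IAMDatabaseAuthenticationEnabled": false}}
]}
""")


def iam_auth_state(instance):
    """Return 'enabled', 'disabled', 'pending-enable' or 'pending-disable'."""
    current = bool(instance.get("IAMDatabaseAuthenticationEnabled", False))
    pending = (instance.get("PendingModifiedValues") or {}).get(
        "IAMDatabaseAuthenticationEnabled")
    # No queued change, or a queued value equal to the current one:
    # report the setting that is in effect right now.
    if pending is None or bool(pending) == current:
        return "enabled" if current else "disabled"
    # A differing queued value means the modification was made without
    # --apply-immediately and waits for the next maintenance window.
    return "pending-enable" if pending else "pending-disable"


def audit(describe_output):
    """Map each DB instance identifier to its IAM authentication state."""
    return {i["DBInstanceIdentifier"]: iam_auth_state(i)
            for i in describe_output.get("DBInstances", [])}


if __name__ == "__main__":
    for name, state in sorted(audit(SAMPLE).items()):
        print(f"{name}: {state}")
```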

If you are restoring a DB instance or DB cluster, use one of the following AWS CLI commands:

The IAM database authentication setting defaults to that of the source snapshot. To change this setting, set the --enable-iam-database-authentication or --no-enable-iam-database-authentication option, as appropriate.

Amazon RDS API

For a new DB instance or DB cluster, use one of the following API actions:

Set the EnableIAMDatabaseAuthentication parameter to true.

For an existing DB instance or DB cluster, use one of the following API actions:

Set the EnableIAMDatabaseAuthentication parameter to true to enable IAM authentication, or to false to disable it.

If you are restoring a DB instance or DB cluster, use one of the following API actions:

The IAM database authentication setting defaults to that of the source snapshot. To change this setting, set the EnableIAMDatabaseAuthentication parameter to true to enable IAM authentication, or to false to disable it.