Amazon Aurora
User Guide (API Version 2014-10-31)

Enabling and Disabling IAM Database Authentication

By default, IAM database authentication is disabled on DB clusters. You can enable IAM database authentication (or disable it again) using the AWS Management Console, AWS CLI, or the Amazon RDS API.

AWS Management Console

To create a new DB cluster with IAM authentication by using the console, see Creating an Amazon Aurora DB Cluster.

Each of these creation workflows has a Configure Advanced Settings page, where you can enable IAM DB authentication. In that page's Database Options section, choose Yes for Enable IAM DB Authentication.

To enable or disable IAM authentication for an existing DB cluster

  1. Open the Amazon RDS console at https://console.aws.amazon.com/rds/.

  2. In the navigation pane, choose Clusters.

  3. Choose the DB cluster that you want to modify.

  4. Choose Cluster actions, and then choose Modify cluster.

  5. In the Database options section, for IAM DB authentication, choose Enable IAM DB authentication or Disable, and then choose Continue.

  6. To apply the changes immediately, choose Apply immediately.

  7. Choose Modify cluster.

To restore a DB cluster

  1. Open the Amazon RDS console at https://console.aws.amazon.com/rds/.

  2. In the navigation pane, choose Snapshots.

  3. Choose the snapshot you want to restore, and then choose Restore Snapshot from Snapshot Actions.

  4. In the Settings section, type an identifier for the DB instance in DB Instance Identifier.

  5. In the Database options section, for IAM DB authentication, choose Enable IAM DB authentication or Disable.

  6. Choose Restore DB Instance.

AWS CLI

To create a new DB cluster with IAM authentication by using the AWS CLI, use the following command:

Specify the --enable-iam-database-authentication option.

For an existing DB cluster, use one of the following AWS CLI command:

Specify either the --enable-iam-database-authentication or --no-enable-iam-database-authentication option, as appropriate.

By default, Amazon RDS performs the modification during the next maintenance window. If you want to override this and enable IAM DB authentication as soon as possible, use the --apply-immediately parameter.

If you are restoring a DB cluster, use one of the following AWS CLI commands:

The IAM database authentication setting defaults to that of the source snapshot. To change this setting, set the --enable-iam-database-authentication or --no-enable-iam-database-authentication option, as appropriate.

API

For a new DB cluster, use the following API action:

Set the EnableIAMDatabaseAuthentication parameter to true.

For an existing DB cluster, use the following API action:

Set the EnableIAMDatabaseAuthentication to true to enable IAM authentication, or false to disable it.

If you are restoring a DB cluster, use one of the following API actions:

The IAM database authentication setting defaults to that of the source snapshot. To change this setting, set the EnableIAMDatabaseAuthentication to true to enable IAM authentication, or false to disable it.