IAM database authentication for MariaDB, MySQL, and PostgreSQL - Amazon Relational Database Service

IAM database authentication for MariaDB, MySQL, and PostgreSQL

You can authenticate to your DB instance using AWS Identity and Access Management (IAM) database authentication. IAM database authentication works with MariaDB, MySQL, and PostgreSQL. With this authentication method, you don't need to use a password when you connect to a DB instance. Instead, you use an authentication token.

An authentication token is a unique string of characters that Amazon RDS generates on request. Authentication tokens are generated using AWS Signature Version 4. Each token has a lifetime of 15 minutes. You don't need to store user credentials in the database, because authentication is managed externally using IAM. You can also still use standard database authentication. The token is only used for authentication and doesn't affect the session after it is established.

IAM database authentication provides the following benefits:

  • Network traffic to and from the database is encrypted using Secure Socket Layer (SSL) or Transport Layer Security (TLS). For more information about using SSL/TLS with Amazon RDS, see Using SSL/TLS to encrypt a connection to a DB instance.

  • You can use IAM to centrally manage access to your database resources, instead of managing access individually on each DB instance.

  • For applications running on Amazon EC2, you can use profile credentials specific to your EC2 instance to access your database instead of a password, for greater security.

In general, consider using IAM database authentication when your applications create fewer than 200 connections per second, and you don't want to manage usernames and passwords directly in your application code.

The AWS JDBC Driver for MySQL supports IAM database authentication. For more information, see AWS IAM Database Authentication in the AWS JDBC Driver for MySQL GitHub repository.

Availability for IAM database authentication

IAM database authentication is available for the following database engines:

  • MariaDB 10.6, all minor versions

  • MySQL 8.0, minor version 8.0.23 or higher

  • MySQL 5.7, minor version 5.7.33 or higher

  • PostgreSQL 14, 13, 12, and 11, all minor versions

  • PostgreSQL 10, minor version 10.6 or higher

  • PostgreSQL 9.6, minor version 9.6.11 or higher

  • PostgreSQL 9.5, minor version 9.5.15 or higher

IAM database authentication is available for the AWS CLI and for the following language-specific AWS SDKs:

Limitations for IAM database authentication

When using IAM database authentication, the following limitations apply:

  • The maximum number of connections per second for your DB instance might be limited depending on its DB instance class and your workload.

  • Currently, IAM database authentication doesn't support all global condition context keys.

    For more information about global condition context keys, see AWS global condition context keys in the IAM User Guide.

  • Currently, IAM database authentication isn't supported for CNAMEs.

  • For PostgreSQL, if the IAM role (rds_iam) is added to a user (including the RDS the master user), IAM authentication takes precedence over password authentication, so the user must log in as an IAM user.

Recommendations for IAM database authentication

We recommend the following when using IAM database authentication:

  • Use IAM database authentication as a mechanism for temporary, personal access to databases.

  • Use IAM database authentication when your application requires fewer than 200 new IAM database authentication connections per second.

    The database engines that work with Amazon RDS don't impose any limits on authentication attempts per second. However, when you use IAM database authentication, your application must generate an authentication token. Your application then uses that token to connect to the DB instance. If you exceed the limit of maximum new connections per second, then the extra overhead of IAM database authentication can cause connection throttling.