Database authentication with Amazon RDS - Amazon Relational Database Service

Database authentication with Amazon RDS

Amazon RDS supports several ways to authenticate database users.

Password authentication

With password authentication, your DB instance performs all administration of user accounts. You create users with SQL statements such as CREATE USER and specify passwords in the IDENTIFIED BY clause.

All RDS DB engines support password authentication. For more information about password authentication, see the documentation for your DB engine.

With password authentication, your database controls and authenticates user accounts. If a DB engine has strong password management features, they can enhance security. Database authentication might be easier to administer using password authentication when you have small user communities. Because clear text passwords are generated in this case, integrating with AWS Secrets Manager can enhance security.

For information about using Secrets Manager with Amazon RDS, see Creating a basic secret and Rotating secrets for supported Amazon RDS databases in the AWS Secrets Manager User Guide. For information about programmatically retrieving your secrets in your custom applications, see Retrieving the secret value in the AWS Secrets Manager User Guide.

IAM database authentication

You can authenticate to your DB instance using AWS Identity and Access Management (IAM) database authentication. IAM database authentication works with MySQL and PostgreSQL. With this authentication method, you don't need to use a password when you connect to a DB instance. Instead, you use an authentication token.

For more information about IAM database authentication, including information about availability for specific DB engines, see IAM database authentication for MySQL and PostgreSQL.

Kerberos authentication

Amazon RDS supports external authentication of database users using Kerberos and Microsoft Active Directory. Kerberos is a network authentication protocol that uses tickets and symmetric-key cryptography to eliminate the need to transmit passwords over the network. Kerberos has been built into Active Directory and is designed to authenticate users to network resources, such as databases.

Amazon RDS support for Kerberos and Active Directory provides the benefits of single sign-on and centralized authentication of database users. You can keep your user credentials in Active Directory. Active Directory provides a centralized place for storing and managing credentials for multiple DB instances.

You can enable your database users to authenticate against DB instances in two ways. They can use credentials stored either in AWS Directory Service for Microsoft Active Directory or in your on-premises Active Directory.

Microsoft SQL Server, MySQL, and PostgreSQL DB instances support one- and two-way forest trust relationships. Oracle DB instances support one- and two-way external and forest trust relationships. For more information, see When to create a trust relationship in the AWS Directory Service Administration Guide.

For information about Kerberos authentication with a specific DB engine, see the following:


Currently, Kerberos authentication isn't supported for MariaDB DB instances.