Amazon Aurora DSQL is provided as a Preview service. To learn more, see Betas and Previews.
Using database roles with IAM roles
The following sections describe how to use database roles from PostgreSQL with IAM roles in Aurora DSQL.
Authorize database roles to connect to a cluster
Create an IAM role and grant it connection authorization with the IAM policy action dsql:DbConnect.
The IAM policy must also grant permission to access the cluster resource(s). Use a wildcard (*) to cover every cluster, or restrict access to specific cluster ARNs.
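The following identity-based policy is an added example and is not taken from the Aurora DSQL documentation. It shows the restricted form described above: dsql:DbConnect is granted only on one cluster ARN instead of a wildcard. The region, the account ID 111122223333 and the cluster ID are placeholders, and the ARN layout arn:aws:dsql:REGION:ACCOUNT:cluster/CLUSTER_ID is assumed here; check it against the ARN shown for your cluster in the console.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ConnectAsNonAdminRoleToOneCluster",
      "Effect": "Allow",
      "Action": "dsql:DbConnect",
      "Resource": "arn:aws:dsql:us-east-1:111122223333:cluster/CLUSTER_ID_PLACEHOLDER"
    }
  ]
}
```

Attach this policy to the IAM role that you later associate with the database role using AWS IAM GRANT. Because it grants dsql:DbConnect and not dsql:DbConnectAdmin, the IAM role cannot connect as admin, and because the Resource is a single cluster ARN, a compromised credential for this role cannot be used to reach other clusters in the account.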
Authorize database roles to use SQL in a database
You must use an IAM role with authorization to connect to the cluster.
- Connect as admin: use the admin database role with an IAM identity that is authorized for the IAM action dsql:DbConnectAdmin to connect to your cluster.
- Create a new database role:
  CREATE ROLE example WITH LOGIN;
- Associate the database role with the AWS IAM role ARN:
  AWS IAM GRANT example TO 'arn:aws:iam::111122223333:role/example';
- Grant database-level permissions to the database role. Use GRANT to provide authorization within the database:
  GRANT USAGE ON SCHEMA myschema TO example;
  GRANT SELECT, INSERT, UPDATE ON ALL TABLES IN SCHEMA myschema TO example;
  For more information, see PostgreSQL GRANT.
Revoke database authorization from an IAM role
To revoke database authorization, use the AWS IAM REVOKE operation:
AWS IAM REVOKE example FROM 'arn:aws:iam::111122223333:role/example';
To learn more about revoking authorization, see Revoking authorization using IAM and PostgreSQL.