Moving from standard IAM authentication to end-to-end IAM authentication for RDS Proxy
If you currently use standard IAM authentication for RDS Proxy, where clients authenticate to the proxy using IAM but the proxy connects to the database using secrets, you can migrate to end-to-end IAM authentication where both client-to-proxy and proxy-to-database connections use IAM authentication.
To move to end-to-end IAM authentication
- Update RDS Proxy IAM role permissions

Create an updated proxy permission policy that includes both Secrets Manager and rds-db:connect permissions:

# Create updated proxy permission policy
cat > updated-proxy-policy.json << EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GetSecretsValue",
      "Action": [
        "secretsmanager:GetSecretValue"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:secretsmanager:us-east-1:123456789012:secret:secretName-1234f"
      ]
    },
    {
      "Sid": "RdsDBConnect",
      "Action": [
        "rds-db:connect"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:rds-db:us-east-1:123456789012:dbuser:cluster-ABCDEFGHIJKL01234/jane_doe"
      ]
    }
  ]
}
EOF

Update your proxy role policy:

aws iam put-role-policy \
  --role-name RDSProxyRole \
  --policy-name UpdatedProxyPermissions \
  --policy-document file://updated-proxy-policy.json
- Modify your RDS Proxy to enable end-to-end IAM authentication

aws rds modify-db-proxy \
  --db-proxy-name my-database-proxy \
  --default-auth-scheme IAM_AUTH \
  --region us-east-1

Verify that the RDS Proxy Status is available and DefaultAuthScheme is IAM_AUTH before proceeding, to ensure zero downtime during migration:

aws rds describe-db-proxies --db-proxy-name my-database-proxy --region us-east-1

Expected output:

{
  "DBProxies": [
    {
      "DBProxyName": "my-database-proxy",
      "DBProxyArn": "arn:aws:rds:us-east-1:123456789012:db-proxy:prx-0123456789abcdef",
      "Status": "available",
      ...
      "DefaultAuthScheme": "IAM_AUTH"
    }
  ]
}
- Enable IAM authentication on the database

aws rds modify-db-cluster \
  --db-cluster-identifier my-database-cluster \
  --enable-iam-database-authentication \
  --region us-east-1
- Configure the database user for IAM authentication

For RDS for PostgreSQL:

GRANT rds_iam TO jane_doe;

For RDS for MySQL and RDS for MariaDB:

ALTER USER 'jane_doe' IDENTIFIED WITH AWSAuthenticationPlugin AS 'RDS';
ALTER USER 'jane_doe'@'%' REQUIRE SSL;
- Keep your client application code unchanged

Your client application code doesn't need to change. The connection process remains the same:

For RDS for PostgreSQL:

# Generate authentication token
export PGPASSWORD=$(aws rds generate-db-auth-token \
  --hostname my-database-proxy.proxy-ABCDEFGHIJKL01234.us-east-1.rds.amazonaws.com \
  --port 5432 \
  --username jane_doe \
  --region us-east-1)

# Connect to database through proxy
psql "host=my-database-proxy.proxy-ABCDEFGHIJKL01234.us-east-1.rds.amazonaws.com port=5432 user=jane_doe dbname=postgres password=$PGPASSWORD sslmode=require sslrootcert=us-east-1-bundle.pem"

For RDS for MySQL and RDS for MariaDB:

# Generate authentication token
export MYSQL_PWD=$(aws rds generate-db-auth-token \
  --hostname my-database-proxy.proxy-ABCDEFGHIJKL01234.us-east-1.rds.amazonaws.com \
  --port 3306 \
  --username jane_doe \
  --region us-east-1)

# Connect to database through proxy
mysql -h my-database-proxy.proxy-ABCDEFGHIJKL01234.us-east-1.rds.amazonaws.com \
  -P 3306 \
  -u jane_doe \
  --ssl-ca=us-east-1-bundle.pem \
  --enable-cleartext-plugin
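As an added pre-flight check for the first step of this procedure (example code written for this page, not from the AWS documentation or the RDS Proxy service), the following Python lints the proxy role policy before it is applied with put-role-policy: it confirms that rds-db:connect is granted, that its resource names the database's own resource ID and the expected user rather than a wildcard or the proxy's prx- ID, and that Secrets Manager access is not a bare "*". The policy and the expected region, account, resource ID and user are the sample values used on this page.

```python
import json
import re

# Constructed sample input: the updated proxy permission policy from the first step above.
PROXY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "GetSecretsValue", "Effect": "Allow", "Action": ["secretsmanager:GetSecretValue"],
     "Resource": ["arn:aws:secretsmanager:us-east-1:123456789012:secret:secretName-1234f"]},
    {"Sid": "RdsDBConnect", "Effect": "Allow", "Action": ["rds-db:connect"],
     "Resource": ["arn:aws:rds-db:us-east-1:123456789012:dbuser:cluster-ABCDEFGHIJKL01234/jane_doe"]}
  ]
}""")

# rds-db:connect resources have the form arn:aws:rds-db:<region>:<account>:dbuser:<db-resource-id>/<db-user>
RDS_DB_ARN = re.compile(r"^arn:aws:rds-db:([a-z0-9-]+):(\d{12}):dbuser:([^/]+)/(.+)$")

def _as_list(value):
    return value if isinstance(value, list) else [value]  # IAM allows a string or a list

def check_proxy_policy(policy, region, account, db_resource_id, allowed_users):
    """Lint the proxy role policy before put-role-policy. Returns a list of findings (empty means OK)."""
    findings, grants_connect = [], False
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        # Secrets Manager access should name the secret the proxy still reads during migration
        if any(a in ("*", "secretsmanager:*", "secretsmanager:GetSecretValue") for a in actions) and "*" in resources:
            findings.append(f"{sid}: Secrets Manager access is not scoped to a secret ARN")
        if not any(a in ("*", "rds-db:*", "rds-db:connect") for a in actions):
            continue
        grants_connect = True
        for res in resources:
            m = RDS_DB_ARN.match(res)
            if not m:
                findings.append(f"{sid}: rds-db:connect resource {res!r} is wildcarded or malformed")
                continue
            r_region, r_account, r_id, r_user = m.groups()
            if (r_region, r_account) != (region, account):
                findings.append(f"{sid}: resource is in {r_region}/{r_account}, expected {region}/{account}")
            if r_id != db_resource_id:  # must be the database's resource ID, not the proxy's prx-... ID
                findings.append(f"{sid}: resource ID {r_id!r} is not the database resource ID {db_resource_id!r}")
            if r_user not in allowed_users:  # catches '*' as well as unexpected users
                findings.append(f"{sid}: database user {r_user!r} is not in the allowed set {sorted(allowed_users)}")
    if not grants_connect:
        findings.append("no Allow statement grants rds-db:connect; the proxy cannot reach the database with IAM")
    return findings
```

Run it against the policy file produced by the heredoc (json.load on updated-proxy-policy.json) with your own region, account, database resource ID and user list; an empty result means the policy is scoped the way the migration expects.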