Configuring IAM authentication for logical replication connections - Amazon Aurora
PrerequisitesEnabling IAM authenticationDisabling IAM authenticationLimitations

Configuring IAM authentication for logical replication connections

Starting with Aurora PostgreSQL versions 11 and higher, you can use AWS Identity and Access Management (IAM) authentication for replication connections. This feature enhances security by allowing you to manage database access using IAM roles instead of passwords. It works at the cluster level and follows the same security model as standard IAM authentication.

IAM authentication for replication connections is an opt-in feature. To enable it, set the rds.iam_auth_for_replication parameter to 1 in your DB cluster parameter group. As this is a dynamic parameter, your DB cluster doesn't need to restart, enabling you to leverage IAM authentication with existing workloads without downtime. Before enabling this feature, you must meet the Prerequisites listed below.

Prerequisites

To use IAM authentication for replication connections, you need to meet all of the following requirements:

Note

Both IAM authentication and logical replication must be enabled on your publisher Aurora PostgreSQL DB cluster. If either one isn't enabled, you can't use IAM authentication for replication connections.

Enabling IAM authentication for replication connections

Complete the following steps to enable IAM authentication for replication connection.

  1. Verify that your Aurora PostgreSQL DB cluster meets all prerequisites for IAM authentication with replication connections. For details, see Prerequisites.

  2. Configure the rds.iam_auth_for_replication parameter by modifying your DB cluster parameter group:

    • Set the rds.iam_auth_for_replication parameter to 1. This dynamic parameter doesn't require a reboot.

  3. Connect to your database and grant the necessary roles to your replication user:

    The following SQL commands grant the necessary roles to enable IAM authentication for replication connections:

    -- Grant IAM authentication role
GRANT rds_iam TO replication_user_name;
-- Grant replication privileges
ALTER USER replication_user_name WITH REPLICATION;

After you complete these steps, the specified user must use IAM authentication for replication connections.

Important

When you enable the feature, users with both rds_iam and rds_replication roles must use IAM authentication for replication connections. This applies whether the roles are assigned directly to the user or inherited through other roles.

Disabling IAM authentication for replication connections

You can disable IAM authentication for replication connections by using any of the following methods:

  • Set the rds.iam_auth_for_replication parameter to 0 in your DB cluster parameter group

  • Alternatively, you can disable either of these features on your Aurora PostgreSQL DB cluster:

    • Disable logical replication by setting the rds.logical_replication parameter to 0

    • Disable IAM authentication

When you disable the feature, replication connections can use database passwords for authentication if configured.

Note

Replication connections for users without the rds_iam role can use password authentication even when the feature is enabled.

Limitations and considerations

The following limitations and considerations apply when using IAM authentication for replication connections.

  • IAM authentication for replication connections is only available for Aurora PostgreSQL versions 11 and higher.

  • The publisher must support IAM authentication for replication connections.

  • The IAM authentication token expires after 15 minutes by default. You might need to refresh long-running replication connections before the token expires.