DEV Community

Revathi Joshi for AWS Community Builders

Posted on

Connecting to RDS MySQL DB instance without a password, using IAM authentication - 1

You can authenticate to your DB instance using AWS Identity and Access Management (IAM) database authentication using IAM users and roles. IAM database authentication works with MariaDB, MySQL, and PostgreSQL. Also works with Aurora MySQL, Aurora PostgreSQL. With this authentication method, you don't need to use a password when you connect to a DB cluster. Instead, you use an authentication token for greater security. Also, the network traffic to and from the database is encrypted using Secure Sockets Layer (SSL) or Transport Layer Security (TLS).

An authentication token is a unique string of characters that Amazon RDS generates on request. Each token has a lifetime of 15 minutes. The token is only used for authentication and doesn't affect the session after it is established.

Advantages:

1. Easy to manage to IAM roles, instead of managing access individually on each cluster

2. Applications on EC2 can leverage instance profile

3. Network traffic is encrypted

4. Easy to enable without downtime

Please visit my GitHub Repository for RDS articles on various topics being updated on constant basis.

Letโ€™s get started!

I am going to divide this article into 2 parts

Objectives:

1. Create EC2 Security Group - SSH-launch / launch-wizard-1

2. Create Security Group for RDS - RDS-SG

3. Create RDS MySQL database - database-1

4. Create EC2 instance - my-EC2

5. Enable IAM Authentication on RDS MYSQL database

6. Create a DB user rev account that uses an AWS authentication token

7. Create an IAM role that allows Amazon RDS access.R-iam-rds-role with AmazonRDSReadOnlyAccess policy

8. Create an IAM policy P-iam-rds-policy that maps the DB user to the IAM role

9. Attach the IAM role to the EC2 instance

10. Download the SSL root certificate file or certificate bundle file
download the root certificate that works for all Regions:

11. Generate an AWS authentication token to identify the IAM role

12. Connect to the RDS MySQL database using IAM role credentials and the authentication token and SSL certificates.

13. Status of the SSL connection.

Pre-requisites:

  • AWS user account with admin access, not a root account.

Resources Used:

Steps for implementation to this project:

1. Create EC2 Security Group - SSH-launch / launch-wizard-1

Image description

  • inbound rules

Image description

  • outbound rules

Image description

2. Create Security Group for RDS - RDS-SG

Image description

  • attach EC2 Security group SSH-launch / launch-wizard-1
  • inbound rules

Image description

  • outbound rules

Image description

3. Create RDS MySQL database - database-1

Create RDS MySQL database taking the below mentioned parameters:

Image description

Image description

Image description

Image description

Image description

  • use RDS-SG

Image description

  • uncheck under Database authentication / Password and IAM database authentication Image description

Image description

  • take defaults
  • Create database
  • Wait for 4-5 minutes to complete

  • Take note of the RDS endpoint

  • database-1.cgizjtuyxkda.us-east-1.rds.amazonaws.com

Image description

4. Create EC2 instance - my-EC2

Create an EC2 instance taking the below mentioned parameters:

Image description

Image description

Image description

Image description

  • take defaults
  • Launch instance

  • Take note of Public IPv4 DNS of your EC2 instance

  • ec2-54-145-145-130.compute-1.amazonaws.com

Image description

5. Enable IAM Authentication on RDS MYSQL database

  • IAM Authentication - Not enabled

  • Modify / Under Database authentication/ check Password and IAM database authentication

Image description

  • Continue / check Apply immediately

Image description

  • Modify DB instance

  • IAM Authentication - Enabled

Image description

Top comments (0)