You can authenticate to your DB instance using AWS Identity and Access Management (IAM) database authentication
using IAM users and roles. IAM database authentication works with MariaDB, MySQL, and PostgreSQL. Also works with Aurora MySQL, Aurora PostgreSQL. With this authentication method, you don't need to use a password when you connect to a DB cluster. Instead, you use an authentication token for greater security. Also, the network traffic to and from the database is encrypted using Secure Sockets Layer (SSL) or Transport Layer Security (TLS).
An authentication token
is a unique string of characters that Amazon RDS generates on request. Each token has a lifetime of 15 minutes. The token is only used for authentication and doesn't affect the session after it is established.
Advantages:
1. Easy to manage to IAM roles, instead of managing access individually on each cluster
2. Applications on EC2 can leverage instance profile
3. Network traffic is encrypted
4. Easy to enable without downtime
Please visit my GitHub Repository for RDS articles on various topics being updated on constant basis.
Letโs get started!
I am going to divide this article into 2 parts
- 1st part - from Objectives 1. to 5.
- 2nd part - from Objectives 6. to 13. Connecting to RDS MySQL DB instance without a password, using IAM authentication - 2
Objectives:
1. Create EC2 Security Group - SSH-launch
/ launch-wizard-1
2. Create Security Group for RDS - RDS-SG
3. Create RDS MySQL database - database-1
4. Create EC2 instance - my-EC2
5. Enable IAM Authentication on RDS MYSQL database
6. Create a DB user rev
account that uses an AWS authentication token
7. Create an IAM role that allows Amazon RDS access.R-iam-rds-role
with AmazonRDSReadOnlyAccess policy
8. Create an IAM policy P-iam-rds-policy
that maps the DB user to the IAM role
9. Attach the IAM role to the EC2 instance
10. Download the SSL root certificate file or certificate bundle file
download the root certificate that works for all Regions:
11. Generate an AWS authentication token to identify the IAM role
12. Connect to the RDS MySQL database using IAM role credentials and the authentication token and SSL certificates.
13. Status of the SSL connection.
Pre-requisites:
- AWS user account with admin access, not a root account.
Resources Used:
Steps for implementation to this project:
1. Create EC2 Security Group - SSH-launch
/ launch-wizard-1
- inbound rules
- outbound rules
2. Create Security Group for RDS - RDS-SG
- attach EC2 Security group
SSH-launch
/launch-wizard-1
- inbound rules
- outbound rules
3. Create RDS MySQL database - database-1
Create RDS MySQL database taking the below mentioned parameters:
- use
RDS-SG
- uncheck under Database authentication / Password and IAM database authentication
- take defaults
- Create database
Wait for 4-5 minutes to complete
Take note of the RDS endpoint
database-1.cgizjtuyxkda.us-east-1.rds.amazonaws.com
4. Create EC2 instance - my-EC2
Create an EC2 instance taking the below mentioned parameters:
- take defaults
Launch instance
Take note of Public IPv4 DNS of your EC2 instance
ec2-54-145-145-130.compute-1.amazonaws.com
5. Enable IAM Authentication on RDS MYSQL database
IAM Authentication - Not enabled
Modify / Under Database authentication/ check Password and IAM database authentication
- Continue / check Apply immediately
Modify DB instance
IAM Authentication - Enabled
Top comments (0)