AWS RDS: How to Securely Access Without a Password (RDS IAM Authentication)

Hello. This article introduces how to log in to AWS RDS without using a password.




What is Database Authentication?

To access a database, you must go through an authentication process. Authentication succeeds only when the account and password are entered correctly; if authentication fails, you cannot access the database.


Risks of Database Authentication

Because database authentication requires passwords, accidental password leaks expose the database to risk. Especially for databases containing personal information or systems classified as critical information infrastructure, password rotation and complexity must be legally audited according to internal management plans.


Methods to Minimize Database Password Leakage Risks

There are two methods to minimize database password leakage.

  • Periodically change database passwords
  • Issue temporary passwords for database access

RDS IAM Authentication

AWS provides a feature that issues temporary passwords when accessing RDS. More precisely, it issues temporary authentication tokens valid for 15 minutes. Since authentication is performed using the temporary authentication token, the database password is not required during the authentication process.




The client calls the generate-db-auth-token function in the AWS SDK to obtain a temporary authentication token. This token can be used instead of a password to access RDS, which verifies the token to determine whether to allow the request.




Structure of the Temporary Authentication Token

The temporary authentication token is signed using AWS Signature Version 4 and contains the following information:

  • Database hostname and port
  • Database username
  • Signature algorithm
  • Validity period (900 seconds = 15 minutes)
  • AWS credentials
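To make that structure concrete, here is an added example (not code from this article or from the AWS SDK) that rebuilds the SigV4 query presigning behind generate-db-auth-token in plain Python, then parses a token back into the fields listed above and checks its 15-minute window. The hostname, region and credentials in demo() are constructed placeholders, and now must be a timezone-aware UTC datetime; in practice call the SDK rather than signing by hand.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlparse

def generate_db_auth_token(host, port, user, region, access_key, secret_key, now, expires=900):
    # SigV4 query presign of GET https://host:port/?Action=connect&DBUser=user for the
    # rds-db service, scheme stripped: the same layout the SDK's generate-db-auth-token emits.
    amz_date, day = now.strftime("%Y%m%dT%H%M%SZ"), now.strftime("%Y%m%d")
    scope = f"{day}/{region}/rds-db/aws4_request"
    params = sorted({                                 # canonical query is alphabetical
        "Action": "connect", "DBUser": user,
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",        # signature algorithm
        "X-Amz-Credential": f"{access_key}/{scope}",  # AWS credential + signing scope
        "X-Amz-Date": amz_date, "X-Amz-Expires": str(expires),  # validity, 900 s = 15 min
        "X-Amz-SignedHeaders": "host"}.items())
    query = urlencode(params)
    canonical = f"GET\n/\n{query}\nhost:{host}:{port}\n\nhost\nUNSIGNED-PAYLOAD"
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                         hashlib.sha256(canonical.encode()).hexdigest()])
    key = ("AWS4" + secret_key).encode()
    for step in (day, region, "rds-db", "aws4_request"):  # derive the signing key
        key = hmac.new(key, step.encode(), hashlib.sha256).digest()
    signature = hmac.new(key, to_sign.encode(), hashlib.sha256).hexdigest()
    return f"{host}:{port}/?{query}&X-Amz-Signature={signature}"

def parse_db_auth_token(token):
    # Recover the fields the article lists: host/port, user, algorithm, validity, credential.
    url = urlparse("https://" + token)
    q = {k: v[0] for k, v in parse_qs(url.query).items()}
    return {"host": url.hostname, "port": url.port, "user": q["DBUser"],
            "algorithm": q["X-Amz-Algorithm"], "issued": q["X-Amz-Date"],
            "expires": int(q["X-Amz-Expires"]), "credential": q["X-Amz-Credential"]}

def token_is_expired(token, now):
    # There is no revoke call: only the X-Amz-Expires window ends a token's life.
    f = parse_db_auth_token(token)
    issued = datetime.strptime(f["issued"], "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    return now >= issued + timedelta(seconds=f["expires"])

def demo():
    # Constructed inputs: placeholder hostname and dummy credentials, not real values.
    now = datetime(2024, 1, 15, 9, 0, 0, tzinfo=timezone.utc)
    token = generate_db_auth_token("example.cluster-abc.ap-northeast-2.rds.amazonaws.com", 3306,
                                   "iam_user", "ap-northeast-2", "AKIAEXAMPLEKEY000000",
                                   "EXAMPLE-SECRET-NOT-REAL", now)
    return {"token": token, "fields": parse_db_auth_token(token),
            "expired_at_14min": token_is_expired(token, now + timedelta(minutes=14)),
            "expired_at_15min": token_is_expired(token, now + timedelta(minutes=15))}
```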




Functional Limitations

Restrictions for RDS IAM authentication can be found in the official AWS documentation.


Key limitations include:

  • RDS cannot process more than 200 IAM authentication requests per second, so the AWS documentation recommends a database connection pool that reuses authenticated connections instead of authenticating on every request.
  • There is no revoke function: a temporary token cannot be invalidated before its 15-minute validity period ends.
  • A principal with IAM administrator permissions can issue temporary authentication tokens for every IAM-enabled database account, so access to those accounts is governed entirely by IAM.
  • SSL mode must be used. On systems that do not already trust the AWS RDS CA, the AWS CA certificate bundle must be downloaded and prepared in advance.
  • If your database IDE does not support IAM authentication, you must manually obtain and enter a new temporary authentication token every time the session ends.
  • Applying RDS IAM authentication to an existing database account may cause errors in PostgreSQL. PostgreSQL gives the rds_iam authentication method precedence over password authentication, so logic that still relies on the password method can break.


https://docs.aws.amazon.com/ko_kr/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.html


Monitoring

RDS IAM authentication metrics are supported, enabling easy monitoring in CloudWatch.





Setup

To use RDS IAM authentication, a total of three configurations are required.

  • RDS Settings
  • IAM Settings
  • Database Settings

RDS Settings

Enable IAM database authentication in RDS.



In Terraform, simply change the iam_database_authentication_enabled property to true.

resource "aws_rds_cluster" "mysql" {
  cluster_identifier = "${var.project_name}"
  iam_database_authentication_enabled = true
  ...
}

IAM Configuration

In IAM, create an IAM role and attach an IAM policy to it. The policy must grant the rds-db:connect permission, and the resource of that permission is the combination of the RDS resource ID and the database account name. In other words, the policy states exactly which database account the IAM role is allowed to authenticate as.




Database Settings

In the database, you must configure the database account to use IAM authentication.

PostgreSQL

CREATE USER db_userx;          -- no password is set for the account
GRANT rds_iam TO db_userx;     -- the rds_iam role switches it to IAM authentication

MySQL

CREATE USER IF NOT EXISTS 'db_user'@'%' IDENTIFIED WITH AWSAuthenticationPlugin AS 'RDS';
ALTER USER 'db_user'@'%' REQUIRE SSL;   -- tokens may only be presented over TLS

RDS IAM Authentication Migration

Although not yet tested, applying RDS IAM authentication to a database account currently using password authentication may cause service disruption. This is because RDS IAM authentication has a higher priority in PostgreSQL.

https://docs.aws.amazon.com/ko_kr/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.html


Therefore, the recommended approach for RDS IAM authentication migration is to create a new database account, apply RDS IAM authentication to it, and deploy the application to use this account. Using two accounts enables a zero-downtime migration and facilitates rollback.

Practical Exercise

The practice code is publicly available on my GitHub and consists of two main parts.


RDS IAM Authentication with AWS CLI

In the AWS CLI practice, you generate a temporary RDS authentication token using generate-db-auth-token and use this token when accessing RDS via mysql or psql.

# Request a temporary token (valid 15 minutes); the caller's IAM credentials sign it
TOKEN=$(aws rds generate-db-auth-token \
  --hostname "$MYSQL_HOST" \
  --port 3306 \
  --region ap-northeast-2 \
  --username iam_user)

# Present the token as the password; IAM authentication only works over SSL,
# and the cleartext plugin is what hands the token to the server.
# Use --ssl-mode=VERIFY_IDENTITY with --ssl-ca=<AWS CA bundle> to also verify the server.
mysql -h "$MYSQL_HOST" \
  --port 3306 \
  --ssl-mode=REQUIRED \
  --user=iam_user \
  --password="$TOKEN" \
  --enable-cleartext-plugin





RDS IAM Authentication in Spring Boot

Spring Boot uses aws-advanced-jdbc-wrapper. Set wrapperPlugins=iam in datasource.url. Change driver-class-name to software.amazon.jdbc.Driver. For detailed operation principles and code explanations, refer to the blog below.

jdbc:aws-wrapper:mysql://<hostname>:<port>/<database>?wrapperPlugins=iam&iamRegion=<region>&sslMode=require

spring:
  application:
    name: iam-auth

  datasource:
    url: jdbc:aws-wrapper:mysql://${RDS_HOSTNAME}:${RDS_PORT:3306}/${RDS_DATABASE:demo}?wrapperPlugins=iam&iamRegion=${AWS_REGION:ap-northeast-2}&sslMode=require
    username: ${RDS_USERNAME:iam_user}
    driver-class-name: software.amazon.jdbc.Driver
    hikari:
      maximum-pool-size: 10
      minimum-idle: 5
      max-lifetime: 840000   # 14 minutes, below the 15-minute token validity
