Authenticate to Your AWS MySQL RDS Instance via IAM
On Amazon Web Services with RDS for MySQL or Aurora with MySQL compatibility, you can authenticate to your Database instance or cluster using IAM for database authentication. The benefit of using this authentication method is that you don’t need to use a password when you connect to your database, but you use your authentication token instead
Create the database account on the MySQL RDS instance as described from their docs. IAM handles the authentication via AWSAuthenticationPlugin, therefore we do not need to set passwords on the database.
Connect to the database:
1
$ mysql -u dbadmin -h rbtest.abcdefgh.eu-west-1.rds.amazonaws.com -p
While you are on the database, create 2 databases (db1 and db2) with some tables, which we will use for our user to have read only access to, and create one database (db3) which the user will not have access to:
IAM Permissions to allow our user to authenticate to our RDS.
First to create the user and configure awscli tools. My default profile has administrative access, so we will create our db user in its own profile and configure our awscli tools with its new access key and secret key:
12345
$ aws configure --profile dbuser
AWS Access Key ID [None]: xxxxxxxxxxxxx
AWS Secret Access Key [None]: xxxxxxxxxxxxxxxxxx
Default region name [None]: eu-west-1
Default output format [None]: json
Now we need to create a IAM policy to allow our user to authenticate to our RDS Instance via IAM, which we will associate with our Users account.
We need the AWS Account ID, the Database Identifier Resource ID, and the User Account that we created on MySQL.
The bash script will get the authentication token which will be used as the password. Note that the authentication token will expire after 15 minutes after creation. The docs
Now that our policies are in place, credentials from the credential provider has been set and our bash script is setup, lets connect to our database:
1234567891011121314151617181920212223242526
./conn-mysql.sh
mysql> show databases;+--------------------+
| Database |+--------------------+
| information_schema || db1 || db2 |+--------------------+
3 rows in set(0.16 sec)mysql> select * from db2.foo;+--------------+
| location |+--------------+
| south africa || new zealand || australia |+--------------+
mysql> select * from db3.foo;ERROR 1044(42000): Access denied for user 'mydbaccount'@'*' to database 'db3'mysql> create database test123;ERROR 1044(42000): Access denied for user 'mydbaccount'@'%' to database 'test123'
Changing the IAM Policy to revoke access:
123
./conn-mysql.sh
mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR 1045(28000): Access denied for user 'mydbaccount'@'10.0.0.10'(using password: YES)
Creating a MySQL Client Wrapper Script:
Using bash we can create a wrapper script so we can connect to our database like the following: