nSights Talks

Introduction to IAM Database Authentication

Tutorial Highlights & Transcript

00:00 - Beginning of video
Today, I’m going to talk about IAM Database Authentication.
00:14 - What is IAM database authentication?
What is IAM Database Authentication? Well, it’s a pretty basic concept. It is basically what it sounds like. It’s a way to authenticate to your database instance using AWS identity and access management, or IAM, it’s important to know that this feature is only available for MySQL and PostgreSQL. Thus, for Aurora MySQL and Aurora PostgreSQL too.
00:38 - How IAM database authentication works
Okay, I made this sort of sequence diagram to make better understanding on how it works. So we have a user that assumes a role with the correct permissions to access, IAM Database Authentication, then I am granted the permissions. Then the user requests for the token. I’m going to stop right here because I want you to know something about this token. This token, you will use it as a password for your database user. This way, you will not have to store any passwords on the database. And well, every time you try to access your database user, you will need the token. It’s important to know that this login only leaves for 15 minutes. And yeah. So after that, RDS returns the access token. And finally, the user can connect and when it’s needed to finish the connection. Now let’s get our hands dirty. And let’s move to the demo.
01:53 - Steps to performing IAM database authentication
Before starting, the only thing we need is an RDS instance, which I have already created.
02:02 - Live demo tutorial of how to do IAM database authentication
And with that known, let’s go with step number one, which is to enable IAM Database Authentication on RDS instance. So when you create an RDS instance, or cluster, normally this option is– well, you’ll see it now. Just a moment to load. Let’s start. When you create an RDS instance or cluster, this option password authentication is selected as default. So we have to create it with password IAM Database Authentication or selected and forward. Now we do this change and here we select apply immediately because it doesn’t provoke any downtime to the database. So it’s okay to apply it. Okay, and now we’re ready to go. I’ll explain why it’s needed for this demo. But first, I’m going to create the resources with the TerraForm deployment that I have ready. Don’t worry, it won’t take too long. And that’s it. I’m reading out the steps, we need to create an IAM policy and an IAM role. Right we go to our policies.

Okay, and this is the policy that I that I just created withTerraForm. And this is the permissions, we have the statements, and the action is RDS DB. RDS DB, it’s only for this feature. If you want more features on RDS, you’ll need to use only RDS without the dash DB. The effect is allowed, of course, and then we have to specify the resource right? On the resource, we have to specify which database users will be able to connect through IAM Database Authentication. In this case, my database user is called Gueban doe. This right here is the row’s resource ID of our RDS instance. I’m going to modify this because after doing changes manually and doing changes with TerraForm, I kind of booked the resource so I have to do this manually. And now we have to create a role. Now we have to attach this policy to our role. And as you can see, we need to attach these Amazon RDS read only access. Because in order to get the talking we need to describe our instances and connect to them. Now the trusted entities, the trusted relationships, I have started as trusted entities. Amazon EC2 instances just for the scope of this demo. Now I am going to attach this role to this instance. And here, okay, now that we have the role attached, we have to connect to the instance. And well, okay, we’re inside, and I’m going to run a few commands really quick, and I’m going to explain, and I’m going to explain it. Okay. So the first one, it’s an environment variable called RDS host. What is this is the RDS host or the endpoint of our RDS instance. And then we use an environment variable called token with this environment variable, we call it the token, and we store it on this variable right here. If we want to see the token address, there we have the token. Oh, I forgot to tell you, as you can see here, to request the token, we need to specify the hostname, the port, of course, the region, and then the username that we are going to use to access our database instance. But with that, in our hands, we can access our database instance. And well, there we go. To access, we need to specify again, the host, the port, this black enable your text plugin that it’s used to, to specify that we’re using the plug in AWS authentication plugin, and then the user Gueban Doe and password token. And yep, that was inside. By the way, if any of you are asking yourselves, can we apply this to an instance that is not running on RDS? Well, we do, we just have to download and install the AWS authentication plugin. And after that, we can do the configurations and we’ll be ready to do it. I wanted to show you something else. I think it’s pretty interesting. As you can see, in my steps right here, I didn’t do step three, that was create database users. That was because I have already created them on my TerraForm deployment. Here we define a provider and to the provider, we need to specify an endpoint, a username and a password. It’s good to know that this username and password are from a user with administrative permissions. And here we have the resource that creates our users, MySQL user and I am passing on an array like this. In this case, it’s only an array with one element called Gueban doe. But there we have it.

Jasmeet Singh

Miguel Alvarado

DevOps Engineer


Miguel is a DevOps Engineer at nClouds and an AWS Certified Cloud Practitioner.