Reputation: 5818
I'm trying to write a Lambda function which will depend upon data stored in some AWS datastore (DynamoDB/Redshift/RDS). I had hoped that authorization for this could be handled by IAM - i.e. if I ran the Lambda function under a Role which was authorized to read the datastore, I would not need to provide credential details for access.
However, this code (which is part of an example on "Configuring a Lambda Function to Access Resources in an Amazon VPC") still requires username and password.
Is it possible to use an IAM role to authorize Lambda to query an AWS datastore?
Upvotes: 0
Views: 404
Reputation: 200562
It entirely depends on which datastore you decide to use. DynamoDB access is controlled by IAM since it is a proprietary Amazon service. RDS databases and ElastiCache all use the authorization scheme of the database engine you chose when you create an RDS server or ElastiCache cluster, which I believe in all cases is some form of username/password. Also Aurora uses a login and password just like MySQL, since it is MySQL compatible, and Redshift uses login/password just like PostgreSQL since it is PostgreSQL compatible.
I highly recommend you choose a data store based on your actual data storage requirements. Pick RDS if you need a relational OLTP database, Redshift if you need an OLAP database, ElastiCache if you need a Redis or Memcached cache, a third-party or self-managed NoSQL database like mLab/MongoDB, or use DynamoDB if a NoSQL database will work and DynamoDB fits your needs.
Upvotes: 1
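The DynamoDB case from the answer above, as an added example that is not part of the original question or answer: a least-privilege policy for the Lambda execution role and a handler that reads the table with no credentials in code. The table name `Orders`, key `order_id`, index `by_customer`, the `TABLE_NAME` variable and the account id are assumptions made for illustration.

```python
import json
import os

READ_ACTIONS = ["dynamodb:GetItem", "dynamodb:Query"]  # read-only: no Scan, no writes


def build_read_policy(region, account_id, table, indexes=()):
    """Identity policy for the Lambda execution role, scoped to one table."""
    table_arn = f"arn:aws:dynamodb:{region}:{account_id}:table/{table}"
    resources = [table_arn] + [f"{table_arn}/index/{name}" for name in indexes]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": READ_ACTIONS, "Resource": resources}
        ],
    }


def get_table(name):
    """No keys are passed: boto3 picks up the role's temporary credentials,
    which the Lambda runtime exposes to the function as environment variables."""
    import boto3  # bundled with the Lambda Python runtime
    return boto3.resource("dynamodb").Table(name)


def lambda_handler(event, context, table=None):
    """Look up one order. `table` is injectable so the logic can run offline."""
    order_id = event.get("order_id")
    if not isinstance(order_id, str) or not order_id:
        return {"statusCode": 400, "body": json.dumps({"error": "order_id required"})}
    table = table or get_table(os.environ.get("TABLE_NAME", "Orders"))
    item = table.get_item(Key={"order_id": order_id}).get("Item")
    if item is None:
        return {"statusCode": 404, "body": json.dumps({"error": "not found"})}
    return {"statusCode": 200, "body": json.dumps(item, default=str)}


if __name__ == "__main__":
    # Constructed values: 123456789012 is the AWS documentation placeholder account.
    policy = build_read_policy("us-east-1", "123456789012", "Orders", ["by_customer"])
    print(json.dumps(policy, indent=2))
```

Attach the printed policy to the function's execution role; a request for any other table or for a write action is then denied by IAM.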