KOT

Reputation: 2116

AWS RDS - IAM authentication implications?

I am setting up an AWS RDS cluster and I am researching how to connect to the cluster with credentials. The options seem to be either username/password as usual or IAM with a 15-minute token.

http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.html

The IAM instance role supplied to EC2 can also specify that it is allowed to connect to the cluster, so this seems pretty nice; I guess in that case no tokens are needed.

Is anyone using IAM in this case, or maybe the usual user/pw is simpler? The documentation states that you should constrain the connections to 20 per second or lower when using IAM. It's difficult for me to assess whether this is low or not. Does anyone know the impact IAM authentication has on AWS RDS performance?

Upvotes: 0

Views: 2281

Answers (1)

mahendra rathod

Reputation: 1638

Prepare EC2 Instance

Install the following packages and commands

# Only the mysql client and curl are needed on the EC2 instance to reach RDS.
yum install curl mysql -y
# A local mysqld is not involved in connecting to RDS (and the "mysql" package
# ships only the client), so these two lines can be skipped.
# service mysqld start
# chkconfig mysqld on

Setup Database to use IAM

# Connect to the DB as the master user (password auth) to create the IAM-backed account
RDS_HOST="db-with-iam-support.ct5b4uz1gops.eu-central-1.rds.amazonaws.com"
REGION="eu-central-1"
# mysql -h {database or cluster endpoint} -P {port number database is listening on} -u {master db username} -p
mysql -h "${RDS_HOST}" -P 3306 -u dbuser -p

Run this command to create a database user account that will use an AWS authentication token instead of a password:

-- The plugin makes MySQL validate an RDS auth token instead of a stored password
CREATE USER 'db_iam_user' IDENTIFIED WITH AWSAuthenticationPlugin AS 'RDS';

Optionally, run this command to require the user to connect to the database using SSL:

-- The token is sent as a cleartext password, so refuse non-TLS connections for this account
GRANT USAGE ON *.* TO 'db_iam_user'@'%' REQUIRE SSL;

Run the “exit” command to close MySQL

IAM Inline Policy

Inline policy to allow the user DB access; change the DB ARN accordingly.

{
    "Version": "2012-10-17",
    "Statement": [
       {
          "Effect": "Allow",
          "Action": [
              "rds-db:connect"
          ],
          "Resource": [
              "arn:aws:rds-db:eu-central-1:111111111111:dbuser:db-RWXD2T7YIWZU4VI2FBHSM2GE24/db_iam_user"
          ]
       }
    ]
}

Download SSL Certificates

Download the AWS RDS certificate PEM file:

mkdir -p /var/mysql-certs/
cd /var/mysql-certs/
# Note: AWS has since moved the CA bundle; the current global bundle is
# https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem
curl -O https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem

Generate an AWS authentication token

The authentication token consists of several hundred characters. It can be unwieldy on the command line. One way to work around this is to save the token to an environment variable, and then use that variable when you connect.

# The token is a signed, short-lived credential (valid for 15 minutes from generation)
TOKEN="$(aws rds generate-db-auth-token --hostname "${RDS_HOST}" --port 3306 --region "${REGION}" --username db_iam_user)"

Connect to Database

# The token is passed as the password; --enable-cleartext-plugin sends it unhashed,
# so the CA bundle and server-certificate check above are what protect it in transit.
mysql --host="${RDS_HOST}" \
      --port=3306 \
      --user=db_iam_user \
      --ssl-ca=/var/mysql-certs/rds-combined-ca-bundle.pem \
      --ssl-verify-server-cert \
      --enable-cleartext-plugin \
      --password="${TOKEN}"

Reference: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.IAMPolicy.html

https://aws.amazon.com/premiumsupport/knowledge-center/users-connect-rds-iam/

Upvotes: 1
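The rate limit the question asks about applies to new connections authenticated with IAM tokens, not to queries, and a token stays valid for its full 15 minutes, so an application does not need to call generate-db-auth-token for every connection it opens. The example below is added here and is not part of the answer above or of any AWS library: it reads the expiry out of the token (the token is a SigV4 presigned URL with the scheme stripped, so X-Amz-Date and X-Amz-Expires are in its query string) and reuses one token across a pool until shortly before it expires. The `fake_token` generator and the injectable `Clock` are constructed stand-ins for testing offline; in production the `generate` callable would wrap boto3's `rds.generate_db_auth_token(DBHostname=..., Port=..., DBUsername=..., Region=...)`, and the host and user names are taken from the answer above.

```python
# Added example (not from the original answer): cache an RDS IAM auth token so a
# connection pool does not call generate-db-auth-token for every new connection.
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

TOKEN_LIFETIME = 900  # seconds; fixed by RDS, the caller cannot extend it


def parse_token(token):
    """Return (host, port, user, issued_at, expires_at) read from an RDS IAM auth token.

    The token is a SigV4 presigned URL without the scheme, e.g.
      host:3306/?Action=connect&DBUser=db_iam_user&X-Amz-Date=20240101T120000Z&X-Amz-Expires=900&...
    so the expiry is X-Amz-Date + X-Amz-Expires and needs no AWS call to determine.
    """
    parts = urlsplit("https://" + token)
    query = parse_qs(parts.query)
    issued_at = datetime.strptime(query["X-Amz-Date"][0], "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    expires_at = issued_at + timedelta(seconds=int(query["X-Amz-Expires"][0]))
    return parts.hostname, parts.port, query["DBUser"][0], issued_at, expires_at


class Clock:
    """Injectable clock (constructed for the example) so refresh logic can be exercised without waiting."""

    def __init__(self, start=None):
        self.now = start or datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)

    def advance(self, seconds):
        self.now += timedelta(seconds=seconds)

    def __call__(self):
        return self.now


class TokenCache:
    """Hand out the same token until it is within `margin` seconds of expiry, then regenerate.

    `generate` is any zero-argument callable returning a fresh token. In production wrap boto3
    (assumed usage, not shown running here):
        lambda: rds.generate_db_auth_token(DBHostname=host, Port=3306, DBUsername=user, Region=region)
    """

    def __init__(self, generate, clock, margin=60):
        self._generate = generate
        self._clock = clock
        self._margin = timedelta(seconds=margin)
        self._token = None
        self._expires_at = None
        self.refreshes = 0  # number of real token generations performed

    def get(self):
        now = self._clock()
        if self._token is None or now >= self._expires_at - self._margin:
            self._token = self._generate()
            self._expires_at = parse_token(self._token)[4]
            self.refreshes += 1
        return self._token


def fake_token(clock, host="db-with-iam-support.ct5b4uz1gops.eu-central-1.rds.amazonaws.com",
               user="db_iam_user"):
    """Constructed stand-in for generate-db-auth-token: same shape, dummy signature, no AWS call."""
    stamp = clock().strftime("%Y%m%dT%H%M%SZ")
    return (f"{host}:3306/?Action=connect&DBUser={user}&X-Amz-Algorithm=AWS4-HMAC-SHA256"
            f"&X-Amz-Date={stamp}&X-Amz-Expires={TOKEN_LIFETIME}&X-Amz-SignedHeaders=host"
            f"&X-Amz-Signature=deadbeef")


def demo():
    """Simulate a pool opening 20 connections per second for 15 minutes; return token generations."""
    clock = Clock()
    cache = TokenCache(lambda: fake_token(clock), clock)
    for _ in range(900):        # one simulated second per iteration
        for _ in range(20):     # 20 new connections in that second, each needs a token
            cache.get()
        clock.advance(1)
    return cache.refreshes      # 18,000 connections served by 2 token generations


if __name__ == "__main__":
    print("token generations for 15 minutes at 20 connections/s:", demo())
```

Each new connection still counts against the IAM connection rate limit even when the token is reused, so the token cache belongs in front of a connection pool that keeps connections open rather than reopening one per request; reusing the token only removes the per-connection AWS signing call. The token is a bearer credential for its lifetime, so treat it like a password in logs and process listings.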
