Will enabling RDS IAM auth disable the password auth automatically?

Question

I am following this tutorial to enable RDS postgres IAM auth for the master user: https://aws.amazon.com/premiumsupport/knowledge-center/users-connect-rds-iam/

The master user currently uses password auth. One thing I am not sure about is: if I enable the IAM auth for this master user, can I still use password to talk to RDS? Can we have these two types of auth working at the same time?

Answer 1

For PostgreSQL, if the IAM role (rds_iam) is added to the master user, IAM authentication takes precedence over Password authentication so the master user has to log in as an IAM user.

So you cannot login with your actual DB password for the users which you enabled rds-iam role. All other DB user accounts(where rds-iam role is not enabled) can login with actual DB password.

Refer AWS Documentation - https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.html#UsingWithRDS.IAMDBAuth.Limitations

Answer 2

I can confirm you can use both, steps:

1. Enabled IAM Authentication
2. Login with your mysql -h rdsendpoint -u user -p

--- Take it a step further ---

3. Login with a different user mysql -h rdsendpoint -u user2 -p

--- Another step further ---

4. Reset the client machine AWS Credentials $ aws configure and
5. Remove any IAM roles on an EC2 (if you're testing from one)
6. Login with your mysql -h rdsendpoint -u user -p

Confirmed all work

Answer 3

Yes you can still use both at once, it is just disabled by default.

You don't need to store user credentials in the database, because authentication is managed externally using IAM. You can also still use standard database authentication.

Quote taken from https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.IAMDBAuth.html