Reputation: 42490
I am using RDS PostgreSQL with IAM authentication. My application generates the token at runtime before it connects to the RDS cluster. Based on the AWS documentation:
An authentication token is a string of characters that you use instead of a password. After you generate an authentication token, it's valid for 15 minutes before it expires. If you try to connect using an expired token, the connection request is denied.
the token is only valid for 15 minutes. My question is: do I need to reconnect every 15 minutes? If the connection is already set up, does it require a token for each query/insert/update etc.? If it doesn't require the token, that means I need to keep my connection open all the time. Does RDS support that connection mode?
Upvotes: 17
Views: 10336
Reputation: 41
If your connection to the DB is interrupted (for any number of reasons) and you need to reconnect, and it is more than 15 minutes since you created the token, you will need to create a new token. Otherwise, if you maintain a connection to the DB, your access will not be interrupted after successfully authenticating.
From AWS: "The token is only used for authentication and doesn't affect the session after it is established."
There is no way to increase the token lifespan beyond 15 minutes. This GitHub issue shows where others have encountered the same issue when using IAM for RDS via the short-lived tokens.
AWS Docs for connecting to RDS via IAM role/user.
Recommendations from AWS Docs suggest to "use IAM database authentication as a mechanism for temporary, personal access to databases."
Upvotes: 2
Reputation: 238199
My question is that do I need to reconnect every 15 minutes?
No, you don't. The token is required to establish the connection, and does not determine how long the existing connection can last. The default time a connection stays alive without activity is 28800s (8 hours), as explained here.
This means that if you terminate your connection, or MySQL terminates it because it is not being actively used, then you need to get a new token to reconnect if the existing one has already expired.
Upvotes: 21
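Both answers above say the same thing in words: the token is checked once, at connect time, and the 15 minutes is a property of the token, not of the session. The example below, added here and not part of the question or either answer, makes that concrete by building the token by hand. In production you would call boto3's rds.generate_db_auth_token(); this hand-rolled SigV4 presigner reproduces the same format (a presigned GET host:port/?Action=connect&DBUser=... signed for the `rds-db` service with X-Amz-Expires=900 and the `https://` stripped) so it runs offline. The endpoint, user name, region and credentials are constructed placeholders, `verify_token` is a mimic of the connect-time check (signature and time window only; real RDS also evaluates the IAM policy), and `TokenProvider` is the piece you would wire into a driver or pool's reconnect hook so a reconnect after a dropped session never presents a token RDS would reject as expired.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, quote, urlsplit

SERVICE = "rds-db"   # SigV4 signing name AWS uses for DB auth tokens
TOKEN_TTL = 900      # X-Amz-Expires; RDS only honours a 15-minute window

# Constructed placeholders: not a real endpoint and not real credentials.
ACCESS_KEY = "AKIAEXAMPLE000000000"
SECRET_KEY = "exampleSecretKeyNotReal0000000000000000"
CONN = dict(host="demo-db.cluster-abc123.us-east-1.rds.amazonaws.com",
            port=5432, user="app_user", region="us-east-1",
            access_key=ACCESS_KEY, secret_key=SECRET_KEY)
ISSUED = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)   # fixed clock


def at(seconds: int) -> datetime:
    """Clock helper: ISSUED plus an offset, so expiry is easy to reason about."""
    return ISSUED + timedelta(seconds=seconds)


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def _canonical_qs(params: dict) -> str:
    # SigV4 canonical query string: sorted keys, RFC 3986 encoding ('/' too).
    return "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                    for k, v in sorted(params.items()))


def _signature(host, port, params, secret, date, region) -> str:
    """SigV4 query-string signature over GET host:port/?<params>, host header only."""
    canonical_request = "\n".join([
        "GET", "/", _canonical_qs(params),
        f"host:{host}:{port}\n",           # canonical headers (each ends in \n)
        "host",                            # signed headers
        hashlib.sha256(b"").hexdigest(),   # body is empty once params sit in the query
    ])
    scope = f"{date}/{region}/{SERVICE}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", params["X-Amz-Date"], scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    key = _hmac(("AWS4" + secret).encode(), date)
    for part in (region, SERVICE, "aws4_request"):
        key = _hmac(key, part)
    return hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()


def generate_db_auth_token(host, port, user, region, access_key, secret_key,
                           now, session_token=None) -> str:
    """Same shape as boto3's output: a presigned https URL with the scheme stripped."""
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date = amz_date[:8]
    params = {
        "Action": "connect",
        "DBUser": user,
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{date}/{region}/{SERVICE}/aws4_request",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(TOKEN_TTL),
        "X-Amz-SignedHeaders": "host",
    }
    if session_token:                      # present when using role / STS credentials
        params["X-Amz-Security-Token"] = session_token
    sig = _signature(host, port, params, secret_key, date, region)
    query = "&".join(f"{k}={quote(v, safe='-_.~')}" for k, v in params.items())
    return f"{host}:{port}/?{query}&X-Amz-Signature={sig}"


def token_expires_at(token: str) -> datetime:
    q = parse_qs(urlsplit("https://" + token).query)
    issued = datetime.strptime(q["X-Amz-Date"][0], "%Y%m%dT%H%M%SZ")
    return issued.replace(tzinfo=timezone.utc) + timedelta(seconds=int(q["X-Amz-Expires"][0]))


def verify_token(token: str, secret_key: str, now: datetime) -> str:
    """Mimic of the check RDS runs once, at connect time (signature, then the
    15-minute window); the real service also evaluates the IAM policy.
    Nothing here runs again for later queries on an established session."""
    parts = urlsplit("https://" + token)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    presented = q.pop("X-Amz-Signature")
    _, date, region = q["X-Amz-Credential"].split("/")[:3]
    expected = _signature(parts.hostname, parts.port, q, secret_key, date, region)
    if not hmac.compare_digest(presented, expected):
        return "bad-signature"
    if now > token_expires_at(token):
        return "expired"
    return "ok"


class TokenProvider:
    """Password source for a driver/pool reconnect hook: hands back the cached
    token while it has more than `margin` seconds left, otherwise mints a new one."""
    def __init__(self, margin: int = 60, **conn):
        self.conn, self.margin, self.token = conn, timedelta(seconds=margin), None

    def password(self, now: datetime) -> str:
        if self.token is None or token_expires_at(self.token) - now < self.margin:
            self.token = generate_db_auth_token(now=now, **self.conn)
        return self.token


if __name__ == "__main__":
    tok = generate_db_auth_token(now=at(0), **CONN)
    print(tok)
    for minutes in (0, 14, 16):
        print(f"connect attempt at +{minutes} min:", verify_token(tok, SECRET_KEY, at(minutes * 60)))
```

Two practical consequences follow from the structure. First, the signed material includes DBUser and the host, so a token minted for one user or endpoint cannot be replayed against another, and anyone holding a token has 15 minutes of connect-time use of it, which is why the first answer's "temporary, personal access" recommendation exists. Second, nothing in the token is re-checked per query, so the right place to call something like `TokenProvider.password()` is the driver's or pool's "obtain password on (re)connect" callback, not a timer that tears the session down every 15 minutes.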