Difference between AWS IAM and secrets manager

Question

On AWS an application can access a database by attaching an IAM role that allows access. Or an application can access the database by obtaining passwords from the secret manager. In what use cases would one use IAM or a secret manager to connect their DB and Application?

Answer 1

Secrets Manager is just storing your database password. You would be reading the password from Secrets Manager, and then connecting to the database with username/password. The fact that you are storing the password in Secrets Manager is kind of irrelevant. Your question should actually be stated something like this:

What are the advantages of using AWS IAM authentication for RDS databases, instead of the default username/password authentication.

In answer to that question, the primary benefit is that you can use IAM roles attached to EC2/ECS/EKS/Lambda to provide database authentication credentials, instead of having to separately configure those resources with a database password somehow.

You also don't have to worry about rotating the database passwords periodically if you are using IAM authentication.

Answer 2

As far as I know, IAM are used for inter-cloud application access. Unless you want a user role created with access to DB and then assuming the user role to connect to DB. This is the case if your application runs in cloud. Also this is the case mostly for cloud native DB's like Dynamodb. For RDS Databases we usually use passwords.