Connect to Amazon RDS Postgresql with IAM Role

2
votes

I try to give my EC2 instance access to my AWS RDS Postgresql database via IAM.

First, I've created a policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "rds:connect"
            ],
            "Resource": [
                "arn:aws:rds:eu-west-1:824224273455:db:instance-name/db-name"
            ]
        }
    ]
}

After that I attached this policy to a role, which I attached to this specific EC2-instance. Everything seems to be fine till now.

When ssh to that specific EC2 instance and try to connect to the database, psql still prompts for a password.

Anyone knows how to accomplish it that I can connect without needing to use a password?

2
postgresqlamazon-web-servicesamazon-ec2amazon-rdsamazon-iam

2 Answers

2
votes

RDS PostgreSQL(vanilla & Aurora) supports IAM auth now.

Supported versions are:

Amazon RDS for PostgreSQL (supported from 2018/09/27)

  • 9.5.13 or higher
  • 9.6.9 or higher
  • 10.4 or higher

Amazon Aurora PostgreSQL (supported from 2018/11/08)

  • 9.6.9 or higher

Instructions are just like MySQL's:

  1. create DB instance with IAM auth enabled
  2. create IAM auth user with rds_iam ROLE
  3. add new policy for IAM access
  4. request temporary credentials for IAM auth(details https://gist.github.com/quiver/509e1a6e6b54a0148527553502e9f55d)
1
votes

This is not possible.

AWS Identity and Access Management (IAM) is used to grant permissions for the RDS service (eg creating, backing up and deleting clusters). However, it cannot be used to grant login access to an Amazon RDS PostgreSQL database. Instead, use normal Users defined within PostgreSQL.

Such access is only available for MySQL and Aurora.