IAM Policy for RDS IAM Database Authentication

Create an IAM policy allowing IAM authentication to an RDS database instance. Uses rds-db:connect for passwordless database connections.

Detailed Explanation

RDS IAM Database Authentication Policy

Instead of managing database passwords, you can use IAM authentication to connect to RDS instances. The application generates a temporary authentication token using its IAM credentials, which the database validates.

Policy JSON

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowRDSIAMAuth",
      "Effect": "Allow",
      "Action": [
        "rds-db:connect"
      ],
      "Resource": "arn:aws:rds-db:us-east-1:123456789012:dbuser:my-db-resource-id/my_db_user"
    }
  ]
}

Resource ARN Format

The resource ARN for rds-db:connect follows a special format:

arn:aws:rds-db:{region}:{account}:dbuser:{db-resource-id}/{db-user-name}
  • db-resource-id: Found in the RDS console under "Configuration" — it looks like db-ABCDEFGHIJKLMNOP.
  • db-user-name: The MySQL or PostgreSQL username configured for IAM authentication.

Prerequisites on the Database Side

IAM authentication must be enabled on the RDS instance, and the database user must be configured to use the AWSAuthenticationPlugin (MySQL) or rds_iam role (PostgreSQL).

Token Generation

The application calls the SDK's generate_db_auth_token operation (for example rds.generate_db_auth_token() on a boto3 RDS client) to obtain a temporary token that is valid for 15 minutes. This token replaces the password in the database connection string; the IAM credentials themselves never reach the database.

Benefits

  • No stored passwords — tokens are generated on demand
  • Credentials rotate automatically (tokens expire)
  • Centralized access control through IAM
  • CloudTrail logging of database connection attempts

Use Case

Applications and Lambda functions connecting to RDS MySQL or PostgreSQL instances using IAM-based authentication instead of stored database passwords. Common in environments with strict credential management policies.
