AWS IAM Database Authentication for RDS and Aurora

Authenticate to RDS and Aurora using IAM credentials instead of passwords. Eliminates long-lived passwords with 15-minute token-based access. Covers PostgreSQL and MySQL setup.

JusDB Team
April 11, 2025

AWS IAM database authentication lets you authenticate to RDS and Aurora using IAM credentials instead of passwords. This eliminates long-lived database passwords and centralizes access control.

How It Works

1. App requests an auth token from AWS STS (15-minute TTL)
2. App connects to RDS using the token as the password
3. RDS validates the token against IAM
4. No passwords stored — access controlled via IAM policies

Enable IAM Authentication on RDS

bash
aws rds modify-db-instance \
  --db-instance-identifier my-db \
  --enable-iam-database-authentication \
  --apply-immediately

Create IAM-Authenticated Database User

sql
-- PostgreSQL
CREATE USER iam_app WITH LOGIN;
GRANT rds_iam TO iam_app;

-- MySQL
CREATE USER 'iam_app'@'%' IDENTIFIED WITH AWSAuthenticationPlugin AS 'RDS';
GRANT SELECT, INSERT, UPDATE ON mydb.* TO 'iam_app'@'%';

IAM Policy

json
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "rds-db:connect",
    "Resource": "arn:aws:rds-db:us-east-1:123456789:dbuser:db-XXXX/iam_app"
  }]
}

Generate Auth Token (Python)

python
import boto3

client = boto3.client('rds', region_name='us-east-1')
token = client.generate_db_auth_token(
    DBHostname='my-db.cluster-xyz.us-east-1.rds.amazonaws.com',
    Port=5432,
    DBUsername='iam_app'
)

# Use token as password in psycopg2 / SQLAlchemy connection string
# Token expires in 15 minutes — regenerate before expiry
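The post says to regenerate the token before it expires; an added example (not code from the JusDB post) showing how an application can do that safely. An RDS IAM auth token is a SigV4 presigned URL with the scheme stripped, so its X-Amz-Date and X-Amz-Expires query parameters tell you exactly when it stops working; the cache below reads them and refreshes ahead of time. The 60-second refresh margin, the `TokenCache` name, the `global-bundle.pem` CA path and the sample token (dummy key id and signature) are assumptions made for this example.

```python
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional
from urllib.parse import parse_qs, urlparse

REFRESH_MARGIN = timedelta(seconds=60)  # assumption: refresh 60 s before expiry


def parse_amz_date(value: str) -> datetime:
    """Parse a SigV4 timestamp such as 20250411T120000Z into an aware UTC datetime."""
    return datetime.strptime(value, "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)


def token_expiry(token: str) -> datetime:
    """Return the expiry of an RDS IAM auth token.

    The token is the presigned URL minus 'https://'; its validity window is
    X-Amz-Date (issue time) plus X-Amz-Expires (900 s for RDS tokens).
    """
    params = parse_qs(urlparse("https://" + token).query)
    issued = parse_amz_date(params["X-Amz-Date"][0])
    return issued + timedelta(seconds=int(params["X-Amz-Expires"][0]))


class TokenCache:
    """Hands out a cached token and regenerates it shortly before it expires.

    `generate` is any zero-argument callable returning a token, e.g.
    functools.partial(client.generate_db_auth_token, DBHostname=..., Port=5432,
    DBUsername='iam_app'); boto3 signs the token locally, so calling it on
    refresh costs no network round trip. `now` is injectable for testing.
    """

    def __init__(self, generate: Callable[[], str],
                 now: Callable[[], datetime] = lambda: datetime.now(timezone.utc)):
        self._generate, self._now = generate, now
        self._token: Optional[str] = None
        self._expiry: Optional[datetime] = None
        self.refreshes = 0  # number of tokens generated so far

    def get(self) -> str:
        if self._token is None or self._now() >= self._expiry - REFRESH_MARGIN:
            self._token = self._generate()
            self._expiry = token_expiry(self._token)
            self.refreshes += 1
        return self._token


def connect_kwargs(host: str, user: str, token: str, dbname: str,
                   port: int = 5432, ca_bundle: str = "global-bundle.pem") -> dict:
    """Keyword arguments for psycopg2.connect(): the token is the password and
    TLS is mandatory; verify-full also checks the server cert against the RDS CA bundle."""
    return dict(host=host, port=port, user=user, password=token, dbname=dbname,
                sslmode="verify-full", sslrootcert=ca_bundle)


# Constructed sample token for offline use: key id and signature are dummies.
SAMPLE_TOKEN = ("my-db.cluster-xyz.us-east-1.rds.amazonaws.com:5432/?Action=connect&DBUser=iam_app"
                "&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAEXAMPLE%2F20250411"
                "%2Fus-east-1%2Frds-db%2Faws4_request&X-Amz-Date=20250411T120000Z&X-Amz-Expires=900"
                "&X-Amz-SignedHeaders=host&X-Amz-Signature=0000deadbeef")
```

Because the password is refreshed by `TokenCache.get()`, pass it to a pool's connection factory rather than baking one token into a connection string that outlives 15 minutes.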

Connect via psql

bash
export PGPASSWORD=$(aws rds generate-db-auth-token \
  --hostname my-db.cluster-xyz.us-east-1.rds.amazonaws.com \
  --port 5432 \
  --username iam_app \
  --region us-east-1)

psql "host=my-db... dbname=mydb user=iam_app sslmode=require"

Note: IAM auth requires SSL. Always connect with sslmode=require or verify-full.

Key Takeaways

  • IAM auth eliminates stored database passwords — tokens expire in 15 minutes
  • Grant the rds_iam role (PostgreSQL) or use AWSAuthenticationPlugin (MySQL)
  • Attach a least-privilege IAM policy scoped to specific DB users and instances
  • SSL is required — always connect with sslmode=require

JusDB Can Help

IAM database authentication is a best practice for AWS workloads. JusDB can help you migrate from password-based to IAM-based database access.
