Creating a database account using IAM authentication - Amazon Aurora
Using IAM authentication with Aurora MySQLUsing IAM authentication with Aurora PostgreSQL

Creating a database account using IAM authentication

With IAM database authentication, you don't need to assign database passwords to the user accounts you create. If you remove a user that is mapped to a database account, you should also remove the database account with the DROP USER statement.

Note

The user name used for IAM authentication must match the case of the user name in the database.

Using IAM authentication with Aurora MySQL

With Aurora MySQL, authentication is handled by AWSAuthenticationPlugin—an AWS-provided plugin that works seamlessly with IAM to authenticate your users. Connect to the DB cluster as the master user or a different user who can create users and grant privileges. After connecting, issue the CREATE USER statement, as shown in the following example.

CREATE USER 'jane_doe' IDENTIFIED WITH AWSAuthenticationPlugin AS 'RDS';

The IDENTIFIED WITH clause allows Aurora MySQL to use the AWSAuthenticationPlugin to authenticate the database account (jane_doe). The AS 'RDS' clause refers to the authentication method. Make sure the specified database user name is the same as a resource in the IAM policy for IAM database access. For more information, see Creating and using an IAM policy for IAM database access.

Note

If you see the following message, it means that the AWS-provided plugin is not available for the current DB cluster.

ERROR 1524 (HY000): Plugin 'AWSAuthenticationPlugin' is not loaded

To troubleshoot this error, verify that you are using a supported configuration and that you have enabled IAM database authentication on your DB cluster. For more information, see Region and version availability and Enabling and disabling IAM database authentication.

After you create an account using AWSAuthenticationPlugin, you manage it in the same way as other database accounts. For example, you can modify account privileges with GRANT and REVOKE statements, or modify various account attributes with the ALTER USER statement.

Database network traffic is encrypted using SSL/TLS when using IAM. To allow SSL connections, modify the user account with the following command.

ALTER USER 'jane_doe'@'%' REQUIRE SSL;

Using IAM authentication with Aurora PostgreSQL

To use IAM authentication with Aurora PostgreSQL, connect to the DB cluster as the master user or a different user who can create users and grant privileges. After connecting, create database users and then grant them the rds_iam role as shown in the following example.

CREATE USER db_userx; 
GRANT rds_iam TO db_userx;

Make sure the specified database user name is the same as a resource in the IAM policy for IAM database access. For more information, see Creating and using an IAM policy for IAM database access. You must grant the rds_iam role to use IAM authentication. You can use nested memberships or indirect grants of the role as well.

Note that a PostgreSQL database user can use either IAM or Kerberos authentication but not both, so this user can't also have the rds_ad role. This also applies to nested memberships. For more information, see Step 7: Create PostgreSQL users for your Kerberos principals .