Skip to content
By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

[IAM/RDS] rds-db:connect authentication to Postgresql with ${aws:username} in the IAM policy

1

Hi, We want to setup individual users to connect to our RDS database (postgresql) and to use IAM for the authentication with the temporary credentials. Instead of having a single Postgresql role/user for all users to use, we want individual role/user in the database. I was expecting this IAM policy to work with the variable ${aws:username} as the DB user but it does not create a valid password token:

{
    "Statement": [
        {
            "Action": "rds-db:connect",
            "Effect": "Allow",
            "Resource": "arn:aws:rds-db:us-east-1:1234567890:dbuser:cluster-ABCVDEFGHIJKLMNOPQRSTUVWXYZ/${aws:username}"
        }
    ],
    "Version": "2012-10-17"
}

It seems the variable ${aws:username} is not interpreted / extrapolated by the RDS connection service. Is it a limitation, or is there something not correctly setup as it should work with the username?

Topics
AnalyticsMigration & ModernizationDatabaseSecurity, Identity, & Compliance
Tags
Aurora PostgreSQLAmazon Relational Database ServiceAWS Identity and Access ManagementPostgreSQL
Language
English
asked a year ago1.2K views
2 Answers
1

The approach you're trying to use with ${aws:username} in the IAM policy for RDS IAM authentication is not supported as you've described. The RDS IAM authentication system does not interpret or extrapolate IAM policy variables like ${aws:username} when generating the authentication token.

Instead, you need to create individual IAM policies for each user or use a more specific approach. Here's how you can set up individual users to connect to your RDS PostgreSQL database using IAM authentication:

  1. Create individual database users in your PostgreSQL database for each IAM user. You can do this by connecting to the database as a master user and executing:

CREATE USER iam_user_name; GRANT rds_iam TO iam_user_name;

Replace iam_user_name with the actual IAM username.

  1. Create an IAM policy for each user with their specific database username:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "rds-db:connect", "Resource": "arn:aws:rds-db:us-east-1:1234567890:dbuser:cluster-ABCVDEFGHIJKLMNOPQRSTUVWXYZ/iam_user_name" } ] }

Again, replace iam_user_name with the actual IAM username.

  1. Attach this policy to the corresponding IAM user or role.

This approach ensures that each IAM user can only connect as their specific database user. While it requires more setup, it provides the individual access you're looking for.

If you need a more dynamic solution, you might need to consider using a custom authentication system or a proxy that can interpret the IAM username and map it to the appropriate database user.
Sources
Creating and using an IAM policy for IAM database access - Amazon Relational Database Service
Creating a database account using IAM authentication - Amazon Relational Database Service

answered a year ago
0

If you're using IAM Identity Center or another SAML IdP, try ${saml:sub}. See https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html#CreatingSAML-userid for more info.

answered 7 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Relevant content