
AWS IAM Authentication Plugin

What is IAM?

AWS Identity and Access Management (IAM) grants users access control across all Amazon Web Services. IAM supports granular permissions, giving you the ability to grant different permissions to different users. For more information on IAM and its use cases, please refer to the IAM documentation.

Prerequisites

Warning

This plugin requires the AWS SDK for Python - Boto3. Boto3 is a runtime dependency and must be resolved. It can be installed via pip install boto3.

Warning

To use this plugin, you must provide valid AWS credentials. The AWS SDK relies on the AWS SDK credential provider chain to authenticate with AWS services. If you are using temporary credentials (such as those obtained through AWS STS, IAM roles, or SSO), be aware that these credentials have an expiration time. AWS SDK exceptions will occur and the plugin will not work properly if your credentials expire without being refreshed or replaced. To avoid interruptions:

  • Ensure your credential provider supports automatic refresh (most AWS SDK credential providers do this automatically)
  • Monitor credential expiration times in production environments
  • Configure appropriate session durations for temporary credentials
  • Implement proper error handling for credential-related failures

For more information on configuring AWS credentials, see our AWS credentials documentation.

To enable the IAM Authentication Connection Plugin, add the plugin code iam to the plugins parameter.

AWS IAM Database Authentication

The AWS Advanced Python Wrapper supports Amazon AWS Identity and Access Management (IAM) authentication. When using AWS IAM database authentication, the host URL must be a valid Amazon endpoint, and not a custom domain or an IP address,
e.g. db-identifier.cluster-XYZ.us-east-2.rds.amazonaws.com

IAM database authentication use is limited to certain database engines. For more information on limitations and recommendations, please review the IAM documentation.

How do I use IAM with the AWS Advanced Python Wrapper?

  1. Enable AWS IAM database authentication on an existing database or create a new database with AWS IAM database authentication on the AWS RDS Console:
    1. If needed, review the documentation about creating a new database.
    2. If needed, review the documentation about modifying an existing database.
  2. Set up an AWS IAM policy for AWS IAM database authentication.
  3. Create a database account using AWS IAM database authentication. This will be the user specified in the connection string or connection properties.
    1. Connect to your database of choice using primary logins.
      1. For a MySQL database, use the following command to create a new user:
        CREATE USER example_user_name IDENTIFIED WITH AWSAuthenticationPlugin AS 'RDS';
      2. For a PostgreSQL database, use the following command to create a new user:
        CREATE USER db_userx; GRANT rds_iam TO db_userx;
  4. Add the plugin code iam to the plugins parameter value.
| Parameter | Value | Required | Description | Example Value |
|---|---|---|---|---|
| iam_default_port | String | No | This property will override the default port that is used to generate the IAM token. The default port is determined based on the underlying driver protocol. For now, there is support for PostgreSQL and MySQL. Target drivers with different protocols will require users to provide a default port. | 1234 |
| iam_host | String | No | This property will override the default hostname that is used to generate the IAM token. The default hostname is derived from the connection string. This parameter is required when users are connecting with custom endpoints. | database.cluster-hash.us-east-1.rds.amazonaws.com |
| iam_region | String | No | This property will override the default region that is used to generate the IAM token. The default region is parsed from the connection string. | us-east-2 |
| iam_expiration | Integer | No | This property determines how long an IAM token is kept in the wrapper cache before a new one is generated. The default expiration time is set to 14 minutes and 30 seconds. Note that IAM database authentication tokens have a lifetime of 15 minutes. | 600 |
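To show how the iam_* parameters fit together, here is an added illustrative example (not the wrapper's own code): it derives the token target from the endpoint, rejects custom domains and IP addresses unless iam_host names the real endpoint, and caches the token for the iam_expiration window. The endpoint pattern, the DEFAULT_PORTS table and the injectable generator are assumptions made for this example; with boto3 the generator would be the RDS client's generate_db_auth_token call shown in the comment.

```python
import re
import time
from typing import Callable, Dict, Tuple

# Shape of a standard RDS/Aurora endpoint (pattern constructed for this example):
# <identifier>.<cluster-hash>.<region>.rds.amazonaws.com
RDS_HOST_RE = re.compile(
    r"^[a-z0-9-]+\.[a-z0-9-]+\.([a-z]{2}(?:-[a-z]+)+-\d)\.rds\.amazonaws\.com$", re.IGNORECASE)
DEFAULT_PORTS = {"postgresql": 5432, "mysql": 3306}   # assumed driver defaults
DEFAULT_EXPIRATION_SEC = 14 * 60 + 30                 # 14 min 30 s, under the 15 min token lifetime


def resolve_iam_target(props: Dict[str, str], protocol: str) -> Tuple[str, int, str]:
    """Return the (host, port, region) a token is generated for, honouring the iam_* overrides."""
    host = props.get("iam_host") or props["host"]
    match = RDS_HOST_RE.match(host)
    if match is None:
        # The signed token is bound to the host, so a custom domain or IP address cannot be
        # used directly: callers must supply the real Amazon endpoint through iam_host.
        raise ValueError(f"'{host}' is not an Amazon RDS endpoint; set iam_host to one")
    region = props.get("iam_region") or match.group(1)
    port = props.get("iam_default_port") or props.get("port") or DEFAULT_PORTS.get(protocol)
    if port is None:
        raise ValueError(f"no default port known for protocol '{protocol}'; set iam_default_port")
    return host, int(port), region


class IamTokenCache:
    """Caches one token per (host, port, region, user) until iam_expiration seconds elapse."""

    def __init__(self, generate: Callable[[str, int, str, str], str],
                 expiration_sec: int = DEFAULT_EXPIRATION_SEC,
                 clock: Callable[[], float] = time.monotonic):
        # generate(host, port, region, user) -> token. With boto3 this would call
        # boto3.client("rds", region_name=region).generate_db_auth_token(
        #     DBHostname=host, Port=port, DBUsername=user, Region=region)
        self._generate, self._expiration, self._clock = generate, expiration_sec, clock
        self._cache: Dict[Tuple[str, int, str, str], Tuple[str, float]] = {}

    def get_token(self, host: str, port: int, region: str, user: str) -> str:
        key, now = (host, port, region, user), self._clock()
        cached = self._cache.get(key)
        if cached is not None and cached[1] > now:
            return cached[0]                                 # still within the cache window
        token = self._generate(host, port, region, user)     # expired or absent: sign a new one
        self._cache[key] = (token, now + self._expiration)
        return token
```

Keeping the cache window below the 15 minute token lifetime, as the default does, means a cached token is never handed to the driver after AWS would have rejected it.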

Sample code

  • PGIamAuthentication.py
  • MySQLIamAuthentication.py