Connecting to your DB instance using IAM authentication

With IAM database authentication, you use an authentication token when you connect to your DB instance. An authentication token is a string of characters that you use instead of a password. After you generate an authentication token, it's valid for 15 minutes before it expires. If you try to connect using an expired token, the connection request is denied.

Every authentication token must be accompanied by a valid signature, using Amazon signature version 4. (For more information, see Signature Version 4 signing process in the Amazon Web Services General Reference.) The Amazon CLI and an Amazon SDK, such as the Amazon SDK for Java or Amazon SDK for Python (Boto3), can automatically sign each token you create.

You can use an authentication token when you connect to Amazon RDS from another Amazon service, such as Amazon Lambda. By using a token, you can avoid placing a password in your code. Alternatively, you can use an Amazon SDK to programmatically create and programmatically sign an authentication token.

After you have a signed IAM authentication token, you can connect to an Amazon RDS DB instance. Following, you can find out how to do this using either a command line tool or an Amazon SDK, such as the Amazon SDK for Java or Amazon SDK for Python (Boto3).

For more information, see the following blog posts:

Prerequisites

The following are prerequisites for connecting to your DB instance using IAM authentication: