Using Kerberos authentication for Aurora MySQL - Amazon Aurora

Using Kerberos authentication for Aurora MySQL

You can use Kerberos authentication to authenticate users when they connect to your Aurora MySQL DB cluster. To do so, configure your DB cluster to use Amazon Directory Service for Microsoft Active Directory for Kerberos authentication. Amazon Directory Service for Microsoft Active Directory is also called Amazon Managed Microsoft AD. It's a feature available with Amazon Directory Service. To learn more, see What is Amazon Directory Service? in the Amazon Directory Service Administration Guide.

To start, create an Amazon Managed Microsoft AD directory to store user credentials. Then, provide the Active Directory's domain and other information to your Aurora MySQL DB cluster. When users authenticate with the Aurora MySQL DB cluster, authentication requests are forwarded to the Amazon Managed Microsoft AD directory.

Keeping all of your credentials in the same directory can save you time and effort. With this approach, you have a centralized location for storing and managing credentials for multiple DB clusters. Using a directory can also improve your overall security profile.

In addition, you can access credentials from your own on-premises Microsoft Active Directory. To do so, create a trusting domain relationship so that the Amazon Managed Microsoft AD directory trusts your on-premises Microsoft Active Directory. In this way, your users can access your Aurora MySQL DB clusters with the same Windows single sign-on (SSO) experience as when they access workloads in your on-premises network.

A database can use Kerberos, Amazon Identity and Access Management (IAM), or both Kerberos and IAM authentication. However, because Kerberos and IAM authentication provide different authentication methods, a specific user can log in to a database using only one or the other authentication method, but not both. For more information about IAM authentication, see IAM database authentication.

Overview of Kerberos authentication for Aurora MySQL DB clusters

To set up Kerberos authentication for an Aurora MySQL DB cluster, complete the following general steps. These steps are described in more detail later.

  1. Use Amazon Managed Microsoft AD to create an Amazon Managed Microsoft AD directory. You can use the Amazon Web Services Management Console, the Amazon CLI, or the Amazon Directory Service to create the directory. For detailed instructions, see Create your Amazon Managed Microsoft AD directory in the Amazon Directory Service Administration Guide.

  2. Create an Amazon Identity and Access Management (IAM) role that uses the managed IAM policy AmazonRDSDirectoryServiceAccess. The role allows Amazon Aurora to make calls to your directory.

    For the role to allow access, the Amazon Security Token Service (Amazon STS) endpoint must be activated in the Amazon Web Services Region for your Amazon account. Amazon STS endpoints are active by default in all Amazon Web Services Regions, and you can use them without any further action. For more information, see Activating and deactivating Amazon STS in an Amazon Web Services Region in the IAM User Guide.

  3. Create and configure users in the Amazon Managed Microsoft AD directory using the Microsoft Active Directory tools. For more information about creating users in your Active Directory, see Manage users and groups in Amazon managed Microsoft AD in the Amazon Directory Service Administration Guide.

  4. Create or modify an Aurora MySQL DB cluster. If you use either the CLI or RDS API in the create request, specify a domain identifier with the Domain parameter. Use the d-* identifier that was generated when you created your directory and the name of the IAM role that you created.

    If you modify an existing Aurora MySQL DB cluster to use Kerberos authentication, set the domain and IAM role parameters for the DB cluster. The DB cluster must be in the same VPC as the domain directory.

  5. Use the Amazon RDS primary user credentials to connect to the Aurora MySQL DB cluster. Create the database user in Aurora MySQL by using the instructions in Step 6: Create Aurora MySQL users that use Kerberos authentication.

    Users that you create this way can log in to the Aurora MySQL DB cluster using Kerberos authentication. For more information, see Connecting to Aurora MySQL with Kerberos authentication.
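As an added example that is not from the AWS documentation, the script below runs preflight checks for the constraints this page states (a d-* directory identifier, a domain name under 62 characters, Aurora MySQL 3.03 or higher) and then prints the step-4 modify-db-cluster call and a describe-db-clusters query to confirm the domain join. The cluster identifier, directory identifier and role name are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the AWS documentation. Preflight checks for the
# constraints this page states before the step-4 CLI call that sets the
# Domain and IAM role on a DB cluster. The cluster id, directory id and
# role name used below are constructed placeholders.
set -eu

# 0 if the identifier has the d-* form that Amazon Managed Microsoft AD generates.
valid_directory_id() {
  case "$1" in
    d-?*) return 0 ;;
    *)    return 1 ;;
  esac
}

# 0 if the Active Directory domain name is under the 62-character limit.
valid_domain_name() {
  [ "${#1}" -lt 62 ]
}

# 0 if an Aurora MySQL engine version such as 3.03.0 is 3.03 or higher.
engine_supports_kerberos() {
  major=${1%%.*}
  minor=${1#*.}; minor=${minor%%.*}
  minor=$(printf '%s' "$minor" | sed 's/^0*//'); minor=${minor:-0}
  if [ "$major" -gt 3 ]; then return 0; fi
  if [ "$major" -eq 3 ] && [ "$minor" -ge 3 ]; then return 0; fi
  return 1
}

# Runs all checks; args: directory_id domain_name engine_version.
preflight() {
  valid_directory_id "$1" || { echo "directory id must be d-*: $1" >&2; return 1; }
  valid_domain_name "$2" || { echo "domain name must be under 62 characters" >&2; return 1; }
  engine_supports_kerberos "$3" || { echo "Aurora MySQL 3.03 or higher required, got $3" >&2; return 1; }
}

# Prints the modify-db-cluster call that sets the domain and IAM role; it is
# printed rather than executed so the command can be reviewed first.
enable_kerberos_cmd() {
  printf 'aws rds modify-db-cluster --db-cluster-identifier %s --domain %s --domain-iam-role-name %s --apply-immediately\n' "$1" "$2" "$3"
}

# Prints the query that shows the cluster's domain membership and its join Status.
verify_cmd() {
  printf "aws rds describe-db-clusters --db-cluster-identifier %s --query 'DBClusters[0].DomainMemberships'\n" "$1"
}

preflight d-1234567890 corp.example.com 3.04.0
enable_kerberos_cmd aurora-demo d-1234567890 rds-directoryservice-role
verify_cmd aurora-demo
```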

To use Kerberos authentication with an on-premises or self-hosted Microsoft Active Directory, create a forest trust. A forest trust is a trust relationship between two groups of domains. The trust can be one-way or two-way. For more information about setting up forest trusts using Amazon Directory Service, see When to create a trust relationship in the Amazon Directory Service Administration Guide.

Limitations of Kerberos authentication for Aurora MySQL

The following limitations apply to Kerberos authentication for Aurora MySQL:

  • Kerberos authentication is supported for Aurora MySQL version 3.03 and higher.

    For information about Amazon Web Services Region support, see Kerberos authentication with Aurora MySQL.

  • To use Kerberos authentication with Aurora MySQL, your MySQL client or connector must use version 8.0.26 or higher on Unix platforms, or 8.0.27 or higher on Windows. Otherwise, the client-side authentication_kerberos_client plugin isn't available and you can't authenticate.

  • Only Amazon Managed Microsoft AD is supported on Aurora MySQL. However, you can join Aurora MySQL DB clusters to shared Managed Microsoft AD domains owned by different accounts in the same Amazon Web Services Region.

    You can also use your own on-premises Active Directory. For more information, see Step 2: (Optional) Create a trust for an on-premises Active Directory.

  • When using Kerberos to authenticate a user connecting to the Aurora MySQL cluster from MySQL clients or from drivers on the Windows operating system, by default the character case of the database username must match the case of the user in the Active Directory. For example, if the user in the Active Directory appears as Admin, the database username must be Admin.

    However, you can now use case-insensitive username comparison with the authentication_kerberos plugin. For more information, see Step 8: (Optional) Configure case-insensitive username comparison.

  • You must reboot the reader DB instances after turning on the feature to install the authentication_kerberos plugin.

  • Replicating to DB instances that don't support the authentication_kerberos plugin can lead to replication failure.

  • For Aurora global databases to use Kerberos authentication, you must configure it for every DB cluster in the global database.

  • The domain name must be less than 62 characters long.

  • Don't modify the DB cluster port after turning on Kerberos authentication. If you modify the port, then Kerberos authentication will no longer work.