Using Kerberos authentication with Aurora PostgreSQL - Amazon Aurora
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Using Kerberos authentication with Aurora PostgreSQL

You can use Kerberos to authenticate users when they connect to your DB cluster running PostgreSQL. To do so, configure your DB cluster to use Amazon Directory Service for Microsoft Active Directory for Kerberos authentication. Amazon Directory Service for Microsoft Active Directory is also called Amazon Managed Microsoft AD. It's a feature available with Amazon Directory Service. To learn more, see What is Amazon Directory Service? in the Amazon Directory Service Administration Guide.

To start, create an Amazon Managed Microsoft AD directory to store user credentials. Then, provide to your PostgreSQL DB cluster the Active Directory's domain and other information. When users authenticate with the PostgreSQL DB cluster, authentication requests are forwarded to the Amazon Managed Microsoft AD directory.

Keeping all of your credentials in the same directory can save you time and effort. You have a centralized location for storing and managing credentials for multiple DB clusters. Using a directory can also improve your overall security profile.

In addition, you can access credentials from your own on-premises Microsoft Active Directory. To do so, create a trusting domain relationship so that the Amazon Managed Microsoft AD directory trusts your on-premises Microsoft Active Directory. In this way, your users can access your PostgreSQL clusters with the same Windows single sign-on (SSO) experience as when they access workloads in your on-premises network.

A database can use Kerberos, Amazon Identity and Access Management (IAM), or both Kerberos and IAM authentication. However, because Kerberos and IAM authentication provide different authentication methods, a specific database user can log in to a database using only one or the other authentication method but not both. For more information about IAM authentication, see IAM database authentication.

Region and version availability

Feature availability and support varies across specific versions of each database engine, and across Amazon Web Services Regions. For more information on version and Region availability of Aurora PostgreSQL with Kerberos authentication, see Kerberos authentication with Aurora PostgreSQL.

Overview of Kerberos authentication for PostgreSQL DB clusters

To set up Kerberos authentication for a PostgreSQL DB cluster, take the following steps, described in more detail later:

  1. Use Amazon Managed Microsoft AD to create an Amazon Managed Microsoft AD directory. You can use the Amazon Web Services Management Console, the Amazon CLI, or the Amazon Directory Service API to create the directory. Make sure to open the relevant outbound ports on the directory security group so that the directory can communicate with the cluster.

  2. Create a role that provides Amazon Aurora access to make calls to your Amazon Managed Microsoft AD directory. To do so, create an Amazon Identity and Access Management (IAM) role that uses the managed IAM policy AmazonRDSDirectoryServiceAccess.

    For the IAM role to allow access, the Amazon Security Token Service (Amazon STS) endpoint must be activated in the correct Amazon Region for your Amazon account. Amazon STS endpoints are active by default in all Amazon Web Services Regions, and you can use them without any further actions. For more information, see Activating and deactivating Amazon STS in an Amazon Region in the IAM User Guide.

  3. Create and configure users in the Amazon Managed Microsoft AD directory using the Microsoft Active Directory tools. For more information about creating users in your Active Directory, see Manage users and groups in Amazon Managed Microsoft AD in the Amazon Directory Service Administration Guide.

  4. If you plan to locate the directory and the DB instance in different Amazon accounts or virtual private clouds (VPCs), configure VPC peering. For more information, see What is VPC peering? in the Amazon VPC Peering Guide.

  5. Create or modify a PostgreSQL DB cluster either from the console, CLI, or RDS API using one of the following methods:

    You can locate the cluster in the same Amazon Virtual Private Cloud (VPC) as the directory or in a different Amazon account or VPC. When you create or modify the PostgreSQL DB cluster, do the following:

    • Provide the domain identifier (d-* identifier) that was generated when you created your directory.

    • Provide the name of the IAM role that you created.

    • Ensure that the DB instance security group can receive inbound traffic from the directory security group.

  6. Use the RDS master user credentials to connect to the PostgreSQL DB cluster. Create the user in PostgreSQL to be identified externally. Externally identified users can log in to the PostgreSQL DB cluster using Kerberos authentication.