Enabling and Disabling IAM Database Authentication - Amazon Relational Database Service
AWS services or capabilities described in AWS documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with AWS services in China.

Enabling and Disabling IAM Database Authentication

By default, IAM database authentication is disabled on DB instances. You can enable IAM database authentication (or disable it again) using the AWS Management Console, AWS CLI, or the API.

IAM authentication for PostgreSQL DB instances requires that the SSL value be 1. You can't enable IAM authentication for a PostgreSQL DB instance if the SSL value is 0. You can't change the SSL value to 0 if IAM authentication is enabled for a PostgreSQL DB instance.

To create a new DB instance with IAM authentication by using the console, see Creating an Amazon RDS DB Instance.

Each creation workflow has a Configure Advanced Settings page, where you can enable IAM DB authentication. In that page's Database Options section, choose Yes for Enable IAM DB Authentication.

To enable or disable IAM authentication for an existing DB instance

  1. Open the Amazon RDS console at https://console.amazonaws.cn/rds/.

  2. In the navigation pane, choose Databases.

  3. Choose the DB instance that you want to modify.

    Note

    Make sure that all affected DB instances are compatible with IAM authentication. Check the compatibility requirements in Availability for IAM Database Authentication. For an Aurora DB cluster, you can only enable IAM authentication if all DB instances in the cluster are compatible with IAM.

  4. Choose Modify.

  5. In the Database options section, for IAM DB authentication choose Enable IAM DB authentication or Disable, and then choose Continue.

  6. To apply the changes immediately, choose Apply immediately.

  7. Choose Modify DB instance.

To restore a DB instance

  1. Open the Amazon RDS console at https://console.amazonaws.cn/rds/.

  2. In the navigation pane, choose Snapshots.

  3. Choose the snapshot that you want to restore, and then, for Actions, choose Restore Snapshot.

  4. In the Settings section, enter an identifier for the DB instance for DB Instance Identifier.

  5. In the Database options section, for IAM DB authentication, choose Enable IAM DB authentication or Disable.

  6. Choose Restore DB Instance.

To create a new DB instance with IAM authentication by using the AWS CLI, use the create-db-instance command. Specify the --enable-iam-database-authentication option, as shown in the following example.

  aws rds create-db-instance \
      --db-instance-identifier mydbinstance \
      --db-instance-class db.m3.medium \
      --engine MySQL \
      --allocated-storage 20 \
      --master-username masterawsuser \
      --master-user-password masteruserpassword \
      --enable-iam-database-authentication

To update an existing DB instance to have or not have IAM authentication, use the AWS CLI command modify-db-instance. Specify either the --enable-iam-database-authentication or --no-enable-iam-database-authentication option, as appropriate.

Note

Make sure that all affected DB instances are compatible with IAM authentication. Check the compatibility requirements in Availability for IAM Database Authentication. For an Aurora DB cluster, you can only enable IAM authentication if all DB instances in the cluster are compatible with IAM.

By default, Amazon RDS performs the modification during the next maintenance window. If you want to override this and enable IAM DB authentication as soon as possible, use the --apply-immediately parameter.

The following example shows how to immediately enable IAM authentication for an existing DB instance.

  aws rds modify-db-instance \
      --db-instance-identifier mydbinstance \
      --apply-immediately \
      --enable-iam-database-authentication

If you are restoring a DB instance, use one of the following AWS CLI commands:

The IAM database authentication setting defaults to that of the source snapshot. To change this setting, set the --enable-iam-database-authentication or --no-enable-iam-database-authentication option, as appropriate.

To create a new DB instance with IAM authentication by using the API, use the API operation CreateDBInstance. Set the EnableIAMDatabaseAuthentication parameter to true.

To update an existing DB instance to have IAM authentication, use the API operation ModifyDBInstance. Set the EnableIAMDatabaseAuthentication parameter to true to enable IAM authentication, or false to disable it.

Note

Make sure that all affected DB instances are compatible with IAM authentication. Check the compatibility requirements in Availability for IAM Database Authentication. For an Aurora DB cluster, you can only enable IAM authentication if all DB instances in the cluster are compatible with IAM.

If you are restoring a DB instance, use one of the following API operations:

The IAM database authentication setting defaults to that of the source snapshot. To change this setting, set the EnableIAMDatabaseAuthentication parameter to true to enable IAM authentication, or false to disable it.
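After enabling the setting through the CLI or API as described above, you still want to verify that it took effect, since a modification without Apply immediately waits for the maintenance window. The following Python is an added example, not part of the AWS documentation: it reads the DBInstances list in the shape returned by `aws rds describe-db-instances` (or boto3's `describe_db_instances()`), using that output's real `IAMDatabaseAuthenticationEnabled` field, reports instances and Aurora clusters that need attention, and builds the modify-db-instance invocation from this page for remediation. The instances in the sample are constructed.

```python
"""Audit IAM database authentication across RDS DB instances (added example)."""
from typing import Dict, List

# Constructed sample in the shape of describe-db-instances output
# (DBInstances list); these are not real instances.
SAMPLE_DB_INSTANCES: List[Dict] = [
    {"DBInstanceIdentifier": "mydbinstance", "Engine": "mysql",
     "IAMDatabaseAuthenticationEnabled": True},
    {"DBInstanceIdentifier": "legacy-pg", "Engine": "postgres",
     "IAMDatabaseAuthenticationEnabled": False},
    {"DBInstanceIdentifier": "aurora-a", "Engine": "aurora-mysql",
     "DBClusterIdentifier": "aurora-cluster",
     "IAMDatabaseAuthenticationEnabled": True},
    {"DBInstanceIdentifier": "aurora-b", "Engine": "aurora-mysql",
     "DBClusterIdentifier": "aurora-cluster",
     "IAMDatabaseAuthenticationEnabled": False},
]


def instances_without_iam_auth(db_instances: List[Dict]) -> List[str]:
    """Identifiers of instances where IAM auth is not enabled.

    A missing IAMDatabaseAuthenticationEnabled key counts as disabled,
    matching the RDS default described on the page.
    """
    return sorted(i["DBInstanceIdentifier"] for i in db_instances
                  if not i.get("IAMDatabaseAuthenticationEnabled", False))


def clusters_with_mixed_iam_auth(db_instances: List[Dict]) -> List[str]:
    """Aurora cluster ids whose members disagree on the IAM auth flag.

    The page says IAM auth can only be enabled on an Aurora cluster when
    every member is compatible, so a mix usually means a change is still
    pending (maintenance window) or a member is not IAM-compatible.
    """
    by_cluster: Dict[str, set] = {}
    for inst in db_instances:
        cluster = inst.get("DBClusterIdentifier")
        if cluster:
            by_cluster.setdefault(cluster, set()).add(
                bool(inst.get("IAMDatabaseAuthenticationEnabled", False)))
    return sorted(c for c, states in by_cluster.items() if len(states) > 1)


def modify_command(identifier: str, enable: bool, immediately: bool) -> List[str]:
    """Build the modify-db-instance argv shown on this page for remediation."""
    cmd = ["aws", "rds", "modify-db-instance", "--db-instance-identifier", identifier]
    if immediately:
        cmd.append("--apply-immediately")
    cmd.append("--enable-iam-database-authentication" if enable
               else "--no-enable-iam-database-authentication")
    return cmd
```

Feed the real DBInstances list (for example `json.load` of the CLI output) in place of the sample to audit an account.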