IAM Database Authentication for MySQL and PostgreSQL - Amazon Relational Database Service

IAM Database Authentication for MySQL and PostgreSQL

You can authenticate to your DB instance using AWS Identity and Access Management (IAM) database authentication. IAM database authentication works with MySQL and PostgreSQL. With this authentication method, you don't need to use a password when you connect to a DB instance. Instead, you use an authentication token.

An authentication token is a unique string of characters that Amazon RDS generates on request. Authentication tokens are generated using AWS Signature Version 4. Each token has a lifetime of 15 minutes. You don't need to store user credentials in the database, because authentication is managed externally using IAM. You can also still use standard database authentication.
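Because each token lives for only 15 minutes, a client that holds one needs to know when to request a replacement. The sketch below is an added example, not AWS code: it reads the standard Signature Version 4 query parameters `X-Amz-Date` and `X-Amz-Expires` from a token and reuses one token until shortly before it expires. The `generate` callable, the sample token's layout and values, and the idea of reusing a token for several connections within its lifetime are assumptions.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs

MAX_LIFETIME = 900  # seconds; the 15-minute token lifetime stated above


def token_expiry(token: str) -> datetime:
    """Return the UTC expiry encoded in a SigV4 query-signed token."""
    try:
        params = parse_qs(token.partition("?")[2])
        signed_at = datetime.strptime(params["X-Amz-Date"][0], "%Y%m%dT%H%M%SZ")
        lifetime = int(params["X-Amz-Expires"][0])
    except (KeyError, ValueError) as exc:
        raise ValueError("not a SigV4 query-signed token") from exc
    if not 0 < lifetime <= MAX_LIFETIME:
        raise ValueError(f"unexpected token lifetime: {lifetime}s")
    return signed_at.replace(tzinfo=timezone.utc) + timedelta(seconds=lifetime)


class TokenCache:
    """Reuse one token until it is within `margin` seconds of expiring.

    `generate` is a hypothetical callable that returns a fresh token string.
    """

    def __init__(self, generate, margin=60, clock=lambda: datetime.now(timezone.utc)):
        self._generate, self._clock = generate, clock
        self._margin = timedelta(seconds=margin)
        self._token, self._expires = None, None

    def get(self) -> str:
        if self._token is None or self._clock() >= self._expires - self._margin:
            token = self._generate()
            self._expires = token_expiry(token)  # raises before a bad token is cached
            self._token = token
        return self._token


def sample_token(signed_at: datetime) -> str:
    """Constructed sample: placeholder host, user, credential and signature."""
    return ("db.example.invalid:3306/?Action=connect&DBUser=app_user"
            "&X-Amz-Algorithm=AWS4-HMAC-SHA256"
            "&X-Amz-Credential=EXAMPLEKEY%2F20240101%2Fus-east-1%2Frds-db%2Faws4_request"
            f"&X-Amz-Date={signed_at:%Y%m%dT%H%M%SZ}&X-Amz-Expires=900"
            "&X-Amz-SignedHeaders=host&X-Amz-Signature=0000placeholder0000")
```

The token is a bearer credential for its whole lifetime, so keep a cache like this in process memory only and keep tokens out of logs.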

IAM database authentication provides the following benefits:

  • Network traffic to and from the database is encrypted using Secure Sockets Layer (SSL).

  • You can use IAM to centrally manage access to your database resources, instead of managing access individually on each DB instance.

  • For applications running on Amazon EC2, you can use profile credentials specific to your EC2 instance to access your database instead of a password, for greater security.

Availability for IAM Database Authentication

IAM database authentication is available for the following database engines and DB instance classes:

  • MySQL 5.6, minor version 5.6.34 or higher.

  • MySQL 5.7, minor version 5.7.16 or higher.

  • MySQL 8.0, minor version 8.0.16 or higher.

  • PostgreSQL versions 10.6 or higher, 9.6.11 or higher, and 9.5.15 or higher.


IAM database authentication is not supported for MySQL 5.5.

MySQL Limitations for IAM Database Authentication

When using IAM database authentication with MySQL, you are limited to a maximum of 200 new connections per second. If you are using a db.t2.micro DB instance class, the limit is 10 connections per second.

The database engines that work with Amazon RDS don't impose any limits on authentication attempts per second. However, when you use IAM database authentication, your application must generate an authentication token. Your application then uses that token to connect to the DB instance. If you exceed the limit of maximum new connections per second, then the extra overhead of IAM database authentication can cause connection throttling. The extra overhead can cause even existing connections to drop. For information about the maximum total connections for MySQL, see Maximum MySQL and MariaDB Connections.

We recommend the following when using the MySQL engine:

  • Use IAM database authentication as a mechanism for temporary, personal access to databases.

  • Use IAM database authentication only for workloads that can be easily retried.

  • Don't use IAM database authentication if your application requires more than 200 new connections per second.

PostgreSQL Limitations for IAM Database Authentication

When using IAM database authentication with PostgreSQL, note the following limitation:

  • The maximum number of connections per second for your database instance may be limited depending on the instance type and your workload.