Using IAM authentication for Amazon RDS endpoint in Amazon DMS - Amazon Database Migration Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Using IAM authentication for Amazon RDS endpoint in Amazon DMS

Amazon Identity and Access Management (IAM) database authentication provides enhanced security for your Amazon RDS databases by managing database access through Amazon IAM credentials. Instead of using traditional database passwords, IAM authentication generates short-lived authentication tokens, valid for 15 minutes, using Amazon credentials. This approach significantly improves security by eliminating the need to store database passwords in application code, reducing the risk of credential exposure, and providing centralized access management through IAM. It also simplifies access management by leveraging existing Amazon IAM roles and policies, enabling you to control database access using the same IAM framework you use for other Amazon services.

Amazon DMS now supports IAM authentication for replication instances running DMS version 3.6.1 or later when connecting to MySQL, PostgreSQL, Aurora PostgreSQL, Aurora MySQL, or MariaDB endpoints on Amazon RDS. When creating a new endpoint for these engines, you can select IAM authentication and specify an IAM role instead of providing database credentials. This integration enhances security by eliminating the need to manage and store database passwords for your migration tasks.

Configuring IAM authentication for Amazon RDS endpoint in Amazon DMS

When creating an endpoint you can configure IAM authentication for your Amazon RDS database. To configure IAM authentication, do the following:

Amazon CLI

  1. Ensure that IAM database authentication is enabled on the Amazon RDS instance and that the database user is set up for IAM authentication. For more information, see Enabling and disabling IAM database authentication in the Amazon Relational Database Service user guide.

  2. Using the Amazon CLI, create an IAM role with the following permissions policy, and attach a trust policy that allows DMS to assume the role:

    Policy:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "rds-db:connect"
                ],
                "Resource": [
                    "arn:aws:rds-db:<region>:<account-id>:dbuser:<db-identifier>/<username>"
                ]
            }
        ]
    }

    Trust policy:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "",
                "Effect": "Allow",
                "Principal": {
                    "Service": [
                        "dms.amazonaws.com"
                    ]
                },
                "Action": "sts:AssumeRole"
            }
        ]
    }
  3. Download the Amazon RDS certificate bundle (PEM file) and run the following command to import it into DMS. For more information, see Download certificate bundles for Amazon RDS in the Amazon Relational Database Service user guide.

    aws dms import-certificate --certificate-identifier rdsglobal --certificate-pem file://~/global-bundle.pem
  4. Run the following commands to create an IAM endpoint:

    • For PostgreSQL/Aurora PostgreSQL endpoints (when --ssl-mode is require, the --certificate-arn flag is not needed):

      aws dms create-endpoint \
        --endpoint-identifier <endpoint-name> \
        --endpoint-type <source/target> \
        --engine-name <postgres/aurora-postgresql> \
        --username <db username with iam auth privileges> \
        --server-name <db server name> \
        --port <port number> \
        --ssl-mode <require/verify-ca/verify-full> \
        --postgre-sql-settings "{\"ServiceAccessRoleArn\": \"<role arn created in step 2 granting permissions for iam authentication>\", \"AuthenticationMethod\": \"iam\", \"DatabaseName\": \"<database name>\"}" \
        --certificate-arn <certificate arn generated in step 3; required only when ssl-mode is verify-ca or verify-full>
    • For MySQL, MariaDB, or Aurora MySQL endpoints:

      aws dms create-endpoint \
        --endpoint-identifier <endpoint-name> \
        --endpoint-type <source/target> \
        --engine-name <mysql/mariadb/aurora> \
        --username <db username with iam auth privileges> \
        --server-name <db server name> \
        --port <port number> \
        --ssl-mode <verify-ca/verify-full> \
        --my-sql-settings "{\"ServiceAccessRoleArn\": \"<role arn created in step 2 granting permissions for iam authentication>\", \"AuthenticationMethod\": \"iam\", \"DatabaseName\": \"<database name>\"}" \
        --certificate-arn <certificate arn from the certificate imported in step 3>
  5. Run a test connection against your desired replication instance to create the instance endpoint association and verify everything is set up correctly:

    aws dms test-connection --replication-instance-arn <replication instance arn> --endpoint-arn <endpoint arn from previously created endpoint in step 4>
    Note

    When using IAM authentication, the replication instance provided in test-connection must be on Amazon DMS version 3.6.1 or later.
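The following script is an added example, not code from this documentation page or from the DMS service. It builds the permissions policy and trust policy from step 2 and the engine-settings JSON from step 4 for a constructed set of identifiers (the account ID, DB resource ID, user name and role name are placeholders), and audits both policies before they are created: the permissions policy must grant only rds-db:connect on explicit, well-formed dbuser ARNs (no wildcards), and the trust policy must let only the dms.amazonaws.com service principal assume the role. Note that an rds-db:connect resource ARN identifies the instance by its resource ID (DbiResourceId, which begins with db-, or cluster- for an Aurora cluster) rather than by its human-readable name; the audit flags ARNs built from a name.

```python
# Added example (not from the AWS documentation page): build and audit the IAM
# artifacts for a DMS endpoint that uses IAM database authentication.
# Every identifier below (account id, resource id, user, role) is a constructed
# placeholder.
import json
import re

# rds-db:connect resource ARNs name the instance by its resource ID
# ("db-..." for an instance, "cluster-..." for an Aurora cluster), never by the
# human-readable DB identifier; the last path element is the database user.
DB_USER_ARN = re.compile(
    r"^arn:aws(?:-cn|-us-gov)?:rds-db:"
    r"[a-z]{2}(?:-gov)?-[a-z]+-\d:\d{12}:dbuser:"
    r"(?:db|cluster)-[A-Z0-9]+/[^/*?]+$"
)


def db_user_arn(partition, region, account_id, resource_id, username):
    """Resource ARN for one database user on one instance or cluster."""
    return f"arn:{partition}:rds-db:{region}:{account_id}:dbuser:{resource_id}/{username}"


def connect_policy(db_user_arns):
    """Permissions policy from step 2, scoped to explicit dbuser ARNs."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DmsRdsIamConnect",
            "Effect": "Allow",
            "Action": ["rds-db:connect"],
            "Resource": list(db_user_arns),
        }],
    }


def dms_trust_policy():
    """Trust policy from step 2: only the DMS service principal may assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": ["dms.amazonaws.com"]},
            "Action": "sts:AssumeRole",
        }],
    }


def endpoint_settings(role_arn, database_name):
    """Value passed as --postgre-sql-settings / --my-sql-settings in step 4."""
    return {
        "ServiceAccessRoleArn": role_arn,
        "AuthenticationMethod": "iam",
        "DatabaseName": database_name,
    }


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def audit_connect_policy(policy):
    """Findings for a permissions policy; empty means it grants only
    rds-db:connect on explicit, well-formed dbuser ARNs."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            if action != "rds-db:connect":
                findings.append(f"unexpected action: {action}")
        for resource in _as_list(stmt.get("Resource")):
            if "*" in resource:
                findings.append(f"wildcard resource: {resource}")
            elif not DB_USER_ARN.match(resource):
                findings.append(f"malformed rds-db resource: {resource}")
    return findings


def audit_trust_policy(policy):
    """Findings for a trust policy; empty means only dms.amazonaws.com can
    assume the role, and only through sts:AssumeRole."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if not isinstance(principal, dict):
            findings.append("principal is not a service principal")
        elif set(principal) != {"Service"} or _as_list(principal["Service"]) != ["dms.amazonaws.com"]:
            findings.append(f"unexpected principal: {principal}")
        for action in _as_list(stmt.get("Action")):
            if action != "sts:AssumeRole":
                findings.append(f"unexpected action: {action}")
    return findings


if __name__ == "__main__":
    arn = db_user_arn("aws", "us-east-1", "123456789012", "db-ABCDEFGHIJKL01234", "dms_user")
    policy = connect_policy([arn])
    print(json.dumps(policy, indent=2))
    print("permissions findings:", audit_connect_policy(policy))
    print("trust findings:", audit_trust_policy(dms_trust_policy()))
    settings = endpoint_settings("arn:aws:iam::123456789012:role/dms-rds-iam-role", "appdb")
    # Double-encoded so it can be pasted as the quoted argument shown in step 4.
    print("--postgre-sql-settings", json.dumps(json.dumps(settings)))
```

Run the script with your own region, account ID, DB resource ID and user name substituted, write the two printed policies to files, and pass them to aws iam create-role and aws iam put-role-policy before running the create-endpoint command from step 4; an empty findings list for both audits is the condition the role should meet.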

Limitations

Amazon DMS has the following limitations when using IAM authentication with an Amazon RDS endpoint:

  • Currently Amazon RDS PostgreSQL and Amazon Aurora PostgreSQL instances do not support CDC connections with IAM authentication. For more information, see Limitations for IAM database authentication in the Amazon Relational Database Service User Guide.