# Authenticating your Amazon Neptune database with Amazon Identity and Access Management
<a name="iam-auth"></a>

Amazon Identity and Access Management (IAM) is an Amazon Web Services service that helps an administrator securely control access to Amazon resources. IAM administrators control who can be *authenticated* (signed in) and *authorized* (have permissions) to use Neptune resources. IAM is an Amazon Web Services service that you can use with no additional charge.

You can use Amazon Identity and Access Management (IAM) to authenticate to your Neptune DB instance or DB cluster. When IAM database authentication is enabled, each request must be signed using Amazon Signature Version 4.

Amazon Signature Version 4 adds authentication information to Amazon requests. For security, all requests to Neptune DB clusters with IAM authentication enabled must be signed with an access key. This key consists of an access key ID and secret access key. The authentication is managed externally using IAM policies.

Neptune authenticates on connection, and for WebSockets connections it verifies the permissions periodically to ensure that the user still has access.

**Note**  
Revoking, deleting, or rotating of credentials associated with the IAM user is not recommended because it does not terminate any connections that are already open.
There are limits on the number of concurrent WebSocket connections per database instance, and on how long a connection can remain open. For more information, see [WebSockets Limits](limits.md#limits-websockets).

## IAM Use Depends on Your Role
<a name="security-iam-audience"></a>

How you use Amazon Identity and Access Management (IAM) differs, depending on the work you do in Neptune.

**Service user** – If you use the Neptune service to do your job, then your administrator provides you with the credentials and permissions that you need for using the Neptune data plane. As you need more access to do your work, understanding how data access is managed can help you request the right permissions from your administrator.

**Service administrator** – If you're in charge of Neptune resources at your company, you probably have access to Neptune management actions, which correspond to the [Neptune managment API](api.md). It may also be your job to determine which Neptune data-access actions and resources service users need in order to do their jobs. An IAM administrator can then apply IAM policies to change the permissions of your service users.

**IAM administrator** – If you're an IAM administrator, you will need to write IAM policies to manage both management and data access to Neptune. To view example Neptune identity-based policies that you can use, see [Using different kinds of IAM policies for controlling access to Neptune](security-iam-access-manage.md#iam-auth-policy).

## Authenticating with Identities
<a name="security-iam-authentication"></a>

Authentication is how you sign in to Amazon using your identity credentials. You must be authenticated as the Amazon Web Services account root user, an IAM user, or by assuming an IAM role.

For programmatic access, Amazon provides an SDK and CLI to cryptographically sign requests. For more information, see [Amazon Signature Version 4 for API requests](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_sigv.html) in the *IAM User Guide*.

### Amazon Web Services account root user
<a name="security-iam-authentication-rootuser"></a>

 When you create an Amazon Web Services account, you begin with one sign-in identity called the Amazon Web Services account *root user* that has complete access to all Amazon Web Services services and resources. We strongly recommend that you don't use the root user for everyday tasks. For tasks that require root user credentials, see [Tasks that require root user credentials](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_root-user.html#root-user-tasks) in the *IAM User Guide*. 

### IAM Users and Groups
<a name="security-iam-authentication-iamuser"></a>

An *[IAM user](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_users.html)* is an identity with specific permissions for a single person or application. We recommend using temporary credentials instead of IAM users with long-term credentials. For more information, see [Require human users to use federation with an identity provider to access Amazon using temporary credentials](https://docs.amazonaws.cn/IAM/latest/UserGuide/best-practices.html#bp-users-federation-idp) in the *IAM User Guide*.

An [https://docs.amazonaws.cn/IAM/latest/UserGuide/id_groups.html](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_groups.html) specifies a collection of IAM users and makes permissions easier to manage for large sets of users. For more information, see [Use cases for IAM users](https://docs.amazonaws.cn/IAM/latest/UserGuide/gs-identities-iam-users.html) in the *IAM User Guide*.

### IAM Roles
<a name="security-iam-authentication-iamrole"></a>

An *[IAM role](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_roles.html)* is an identity with specific permissions that provides temporary credentials. You can assume a role by [switching from a user to an IAM role (console)](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_roles_use_switch-role-console.html) or by calling an Amazon CLI or Amazon API operation. For more information, see [Methods to assume a role](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_roles_manage-assume.html) in the *IAM User Guide*.

IAM roles are useful for federated user access, temporary IAM user permissions, cross-account access, cross-service access, and applications running on Amazon EC2. For more information, see [Cross account resource access in IAM](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies-cross-account-resource-access.html) in the *IAM User Guide*.