The AWS RDS IAM Auth Store obtains short-lived, signed authentication tokens (each valid for 15 minutes) and uses them to connect to Amazon RDS instances, so no static database password has to be stored, distributed or rotated. Use this store when your application connects to RDS databases with IAM database authentication instead of passwords.
Prerequisites
To enable the integration with AWS RDS IAM Auth, the PlainID Secrets Management Service must be allowed to authenticate to AWS and request RDS connection tokens.
The best practice is to create an AWS Role with the required permissions policy and attach it to the Kubernetes cluster running the PlainID Secrets Management Service, rather than distributing static access keys.
Set AWS Role - The role used by the PAA's Secrets Management Service must be allowed to call the rds-db:connect action for the database user(s) it connects as. The following action and resource must be allowed in the AWS policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["rds-db:connect"],
      "Resource": ["arn:aws:rds-db:<region>:<account>:dbuser:<cluster-resource-id>/<database-user-name>"]
    }
  ]
}
```
In the resource ARN, `<cluster-resource-id>` is the resource identifier of the DB instance or cluster (the DbiResourceId, a value starting with `db-` or `cluster-`), not its name, and `<database-user-name>` is the dedicated database user created in the next step. Scope the resource to that user: `dbuser:*/*` would let the service connect as any IAM-enabled user of any database in the account.
Define RDS IAM Grants - Follow these steps to prepare the database side of the integration with the PlainID Secret Management Service:
- IAM database authentication must be enabled on the relevant RDS instance or Aurora cluster.
- Create a dedicated database user and grant it the rds_iam role (PostgreSQL syntax; MySQL-family engines instead create the user with the AWSAuthenticationPlugin):
```sql
CREATE USER <username> WITH LOGIN;
GRANT rds_iam TO <username>;
-- Granting rds_iam switches this user to token-only authentication: if the user
-- already existed with a password, that password stops working from this point.
```
- Verify the grants by connecting to your database instance with an IAM authentication token passed as the password, over a TLS connection (for example sslmode=verify-full for PostgreSQL) so the token is not sent in the clear. Refer to the AWS documentation on connecting using IAM authentication.
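What the Secrets Management Service fetches at this point is not a secret stored anywhere but a signed request: an RDS IAM authentication token is a SigV4-presigned GET for the rds-db:connect action, with the `https://` scheme stripped, bound to the endpoint host:port, the database user and the issue time, and valid for 15 minutes. The following is an added example, not part of the PlainID documentation or the product's code, that builds such a token with only the Python standard library and shows the check the database side applies to it. In production, generate tokens with boto3's `rds` client `generate_db_auth_token()` or `aws rds generate-db-auth-token`, which produce the same string; the hostname, user, region, timestamps and the key pair (AWS's documented example credentials) below are constructed sample values, and `verify_auth_token` only illustrates the signature and expiry check, not the IAM policy evaluation RDS performs in addition.

```python
"""Build and check an RDS IAM authentication token using only the standard library.

Added example for this page, not PlainID's or AWS's code. The token is a
SigV4-presigned GET for rds-db:connect with "https://" removed; boto3's
rds.generate_db_auth_token() and `aws rds generate-db-auth-token` produce
the same string. All sample values below are constructed.
"""
import datetime as dt
import hashlib
import hmac
from urllib.parse import parse_qs, quote, urlsplit

SERVICE = "rds-db"
TOKEN_TTL_SECONDS = 900  # AWS fixes RDS auth token validity at 15 minutes
EMPTY_PAYLOAD_SHA256 = hashlib.sha256(b"").hexdigest()  # a presigned GET carries no body

# Constructed sample values (the key pair is AWS's documented example pair, not a real one).
SAMPLE_HOST, SAMPLE_PORT, SAMPLE_USER = "db.example.internal", 5432, "app_user"
SAMPLE_REGION = "us-east-1"
SAMPLE_ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
SAMPLE_SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
SAMPLE_NOW = dt.datetime(2024, 5, 1, 12, 0, 0, tzinfo=dt.timezone.utc)
SAMPLE_EXPIRED = SAMPLE_NOW + dt.timedelta(seconds=TOKEN_TTL_SECONDS)


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def _signing_key(secret_key: str, date: str, region: str) -> bytes:
    """SigV4 key derivation: kSecret -> kDate -> kRegion -> kService -> kSigning."""
    key = _hmac(("AWS4" + secret_key).encode(), date)
    for part in (region, SERVICE, "aws4_request"):
        key = _hmac(key, part)
    return key


def _canonical_query(params: dict) -> str:
    """SigV4 canonical query string: sorted keys, everything except -_.~ percent-encoded."""
    return "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                    for k, v in sorted(params.items()))


def _signature(endpoint: str, params: dict, secret_key: str, region: str) -> str:
    """Sign host:port, the query (user, timestamp, expiry) and an empty payload."""
    amz_date = params["X-Amz-Date"]
    scope = f"{amz_date[:8]}/{region}/{SERVICE}/aws4_request"
    canonical_request = "\n".join([
        "GET", "/", _canonical_query(params),
        f"host:{endpoint}\n",   # canonical headers block, terminated by a blank line
        "host",                 # signed headers
        EMPTY_PAYLOAD_SHA256,
    ])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode()).hexdigest(),
    ])
    return hmac.new(_signing_key(secret_key, amz_date[:8], region),
                    string_to_sign.encode(), hashlib.sha256).hexdigest()


def build_auth_token(host, port, db_user, region, access_key, secret_key,
                     session_token=None, now=None) -> str:
    """Return the string the database driver is given as the password."""
    now = now or dt.datetime.now(dt.timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    params = {
        "Action": "connect",
        "DBUser": db_user,
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{amz_date[:8]}/{region}/{SERVICE}/aws4_request",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(TOKEN_TTL_SECONDS),
        "X-Amz-SignedHeaders": "host",
    }
    if session_token:  # temporary credentials (assumed role, IRSA) must carry their session token
        params["X-Amz-Security-Token"] = session_token
    endpoint = f"{host}:{port}"
    signature = _signature(endpoint, params, secret_key, region)
    return f"{endpoint}/?{_canonical_query(params)}&X-Amz-Signature={signature}"


def verify_auth_token(token: str, secret_key: str, now=None) -> bool:
    """Illustration of the database-side check: accept only if the token is inside
    its 15-minute window and the signature recomputes over the same endpoint,
    user and timestamp (RDS additionally evaluates the rds-db:connect policy)."""
    parts = urlsplit("https://" + token)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    presented = params.pop("X-Amz-Signature", "")
    try:
        issued = dt.datetime.strptime(params["X-Amz-Date"], "%Y%m%dT%H%M%SZ")
        issued = issued.replace(tzinfo=dt.timezone.utc)
        region = params["X-Amz-Credential"].split("/")[2]
        ttl = int(params["X-Amz-Expires"])
    except (KeyError, ValueError, IndexError):
        return False
    now = now or dt.datetime.now(dt.timezone.utc)
    if not issued <= now < issued + dt.timedelta(seconds=ttl):
        return False
    expected = _signature(parts.netloc, params, secret_key, region)
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    token = build_auth_token(SAMPLE_HOST, SAMPLE_PORT, SAMPLE_USER, SAMPLE_REGION,
                             SAMPLE_ACCESS_KEY, SAMPLE_SECRET_KEY, now=SAMPLE_NOW)
    print(token)
    print("valid now:", verify_auth_token(token, SAMPLE_SECRET_KEY, now=SAMPLE_NOW))
    print("valid after 15 min:", verify_auth_token(token, SAMPLE_SECRET_KEY, now=SAMPLE_EXPIRED))
```

Two properties matter for the store design on this page: the token is worthless after 15 minutes and when presented to a different host, port or user, so caching one beyond its window or sharing it across database users gains nothing, and the only long-lived secret in the flow is the AWS signing credential, which is why that credential should be a pod role rather than an access key in configuration.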
AWS RDS IAM Auth Secret Store-specific Parameters
The AWS RDS IAM store can be configured in the PlainID Secret Management Service by using the store type AWSRDSIAMAuth.
The service authenticates to AWS either with an AWS Role attached to its pod or with the credentials configured under details.auth:
| Parameter | Description |
|---|---|
| type | Set the type of the secret store to AWS RDS IAM Auth: AWSRDSIAMAuth. |
| details.auth | AWS credentials used to sign the token requests (see the keys below). The whole auth block is optional: omit it when an AWS Role is attached to the K8s pod running the Secrets Management Service, in which case the role's credentials are used. |
| details.auth.region | The AWS region of the RDS instance. Can be taken from an Environment Variable: ${AWS_AUTH_REGION}. |
| details.auth.accessKeyId | Access key ID of an IAM user allowed rds-db:connect. Can be taken from an Environment Variable: ${AWS_AUTH_ACCESS_KEY_ID}. |
| details.auth.secretAccessKey | Secret access key belonging to that access key ID. Can be taken from an Environment Variable: ${AWS_AUTH_SECRET_ACCESS_KEY}. |
| serviceAccount.annotations.eks.amazonaws.com/role-arn | ARN of the AWS role defined for the PlainID Secret Management Service (IAM Roles for Service Accounts). Setting this replaces the details.auth configuration. |
Note that accessKeyId and secretAccessKey are long-lived IAM user credentials: using them moves the static secret from the database into the service configuration rather than removing it, and the access key then has to be protected and rotated itself. Prefer the role annotation wherever the service runs on EKS.
Example
The following example is based on the general store and store-specific parameters.
```yaml
secretsMgmt:
  ...
  plainIDConfig:
    ...
    # Secret Store configuration
    secretStore:
      - id: AWS_RDS_IAM_AUTH_STORE
        type: AWSRDSIAMAuth
        isDefault: false
        details:
          auth:
            region: ${AWS_AUTH_REGION}
            accessKeyId: ${AWS_AUTH_ACCESS_KEY_ID}
            secretAccessKey: ${AWS_AUTH_SECRET_ACCESS_KEY}
```
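The same store configured the way the Prerequisites recommend, with a role attached to the pod instead of static access keys, is shown next. This is an added example, not taken from the PlainID documentation: the position of the serviceAccount block directly under secretsMgmt and the role ARN are assumptions, so confirm the key path against your Helm chart's values file.

```yaml
secretsMgmt:
  # Assumed position of the serviceAccount block; confirm it against the chart's values.
  serviceAccount:
    annotations:
      # Role whose policy allows rds-db:connect on the dedicated DB user (ARN is a placeholder).
      eks.amazonaws.com/role-arn: arn:aws:iam::<account>:role/<plainid-secrets-mgmt-role>
  plainIDConfig:
    secretStore:
      - id: AWS_RDS_IAM_AUTH_STORE
        type: AWSRDSIAMAuth
        isDefault: false
        details:
          auth:
            # accessKeyId and secretAccessKey are deliberately omitted: the store signs
            # token requests with the temporary credentials injected for the pod's role.
            region: ${AWS_AUTH_REGION}
```

With this layout no long-lived AWS credential exists in the values file or in an environment variable, and revoking the service's database access is a change to the role's policy rather than a key rotation.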
See Defining RDS Secrets Using the AWS RDS IAM Auth Store for how to define RDS secrets that obtain their connection tokens from this store.