Defining RDS Secrets Using the AWS RDS IAM Authentication Store


PlainID supports using secrets from the AWS RDS IAM Auth Store to securely manage credentials for RDS database connections. By referencing secrets using a standardized format, you can ensure that sensitive values like database usernames and passwords are never stored in plain text. This approach also allows for automated secret retrieval and regular refresh intervals, supporting AWS’s RDS IAM authentication flow.

The following sections provide examples for referencing secrets in PIP Data Source configurations and defining secure connections for PDP Audit databases.

After setting up the new store, you can define secrets that reference it using the following structure: {{store=<storeID>,key=<secretName>,refreshInterval=3s}}

  • storeID
    • The ID defined in the secret management service configuration.
  • secretName
    • The secret key name you want to consume from the store.
    • For the AWSRDSIAM store, the key has the form user@host:port/region, based on the AWS user you defined in the prerequisites.
  • refreshInterval
    • The interval used to fetch updates from the store.
    • Can be defined with s/m/h/d (sec/min/hours/days).
    • Note that the default refresh interval for this store type is 10m, which should be sufficient to accommodate AWS RDS's 15-minute token expiration policy.

Using Secrets for PIP Data Sources

If integrating with PlainID’s Secret Manager, reference credentials using a {{secret name}}.
For Secret Manager integration, use the syntax specific to your secret store. See Secret Management Configuration for details.
Example: {{general store example}}

For an AWS RDS database with AWS IAM authentication, for example:
{{store=AWS_RDS_IAM_AUTH_STORE,key=test_user@shared-partner-mgmt-dev.cluster-g6wgs3hs1zff.eu-east-2.rds.amazonaws.com:5432/eu-east-2}}

Using Secret for PDP Audit DB

If an AWS RDS database is to be used as the PDP Authorization Audit database, the database connection is configured in the PDP settings using a few configuration keys. The Secret itself uses the same secret syntax, but because it is defined inside a YAML configuration, the double-curly secret syntax needs to be wrapped in a printf command to be valid.

Here is a set of Runtime config keys defining a connection to an AWS RDS DB:

Environment Variable Name             Value
RTCONF_AUDIT__IS_DATA_BASE_ENABLE     true
RTCONF_AUDIT__CONNECTION__URL         "jdbc:postgresql://aaa-bbb-ccc.cluster-c6wssjqgvz0f.us-east-2.rds.amazonaws.com:5432/sample_db"
RTCONF_AUDIT__CONNECTION__USER        db_user
RTCONF_AUDIT__CONNECTION__PASSWORD    |-
                                      {{store=AWS_RDS_IAM_AUTH_STORE,key=test_user@shared-partner-mgmt-dev.cluster-g6wgs3hs1zff.eu-east-2.rds.amazonaws.com:5432/eu-east-2}}
RTCONF_AUDIT__IS_USE_BATCH_MODE       false
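The following is an added example, not PlainID's own code, that covers both the secret reference syntax described above and the PDP audit configuration keys: it parses a {{store=...,key=...,refreshInterval=...}} reference, validates the user@host:port/region key form of the AWSRDSIAM store, converts s/m/h/d intervals to seconds (applying the 10m default when refreshInterval is omitted), flags a refresh interval that is not shorter than the 15-minute RDS token lifetime, and cross-checks that the user and host:port in the secret key agree with RTCONF_AUDIT__CONNECTION__USER and the JDBC URL. The function names, the region-matching heuristic and SAMPLE_AUDIT_ENV are constructed for this example; PAGE_EXAMPLE_REF is the reference shown on this page.

```python
"""Parser and sanity checks for PlainID-style secret references.

Added example, not PlainID's own code. Taken from the page: the
{{store=...,key=...,refreshInterval=...}} reference form, the
user@host:port/region key form of the AWSRDSIAM store, the s/m/h/d units,
the 10m default interval and the 15-minute RDS IAM token lifetime.
Function names, the region-matching heuristic and the sample environment
below are constructed here.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

TOKEN_LIFETIME_SECONDS = 15 * 60     # RDS IAM auth tokens expire after 15 minutes
DEFAULT_REFRESH_SECONDS = 10 * 60    # default refreshInterval for this store type (10m)
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

_REF_RE = re.compile(r"^\{\{(.*)\}\}$", re.S)
_INTERVAL_RE = re.compile(r"^(\d+)([smhd])$")
_KEY_RE = re.compile(
    r"^(?P<user>[^@\s]+)@(?P<host>[^:/\s]+):(?P<port>\d{1,5})/"
    r"(?P<region>[a-z]{2}(?:-[a-z]+)+-\d)$"
)

# Reference exactly as shown on this page (PIP Data Source example).
PAGE_EXAMPLE_REF = (
    "{{store=AWS_RDS_IAM_AUTH_STORE,"
    "key=test_user@shared-partner-mgmt-dev.cluster-g6wgs3hs1zff.eu-east-2.rds.amazonaws.com:5432/eu-east-2}}"
)

# Constructed, mutually consistent audit-DB settings (not the page's values).
SAMPLE_AUDIT_ENV = {
    "RTCONF_AUDIT__IS_DATA_BASE_ENABLE": "true",
    "RTCONF_AUDIT__CONNECTION__URL":
        '"jdbc:postgresql://example-db.cluster-abc123.us-east-2.rds.amazonaws.com:5432/sample_db"',
    "RTCONF_AUDIT__CONNECTION__USER": "db_user",
    "RTCONF_AUDIT__CONNECTION__PASSWORD":
        "{{store=AWS_RDS_IAM_AUTH_STORE,"
        "key=db_user@example-db.cluster-abc123.us-east-2.rds.amazonaws.com:5432/us-east-2,"
        "refreshInterval=5m}}",
    "RTCONF_AUDIT__IS_USE_BATCH_MODE": "false",
}


@dataclass
class SecretRef:
    store: str
    key: str
    refresh_seconds: int


def parse_interval(text):
    """'3s', '10m', '2h', '1d' -> seconds."""
    m = _INTERVAL_RE.match(text)
    if not m:
        raise ValueError(f"bad refreshInterval {text!r}: expected <number><s|m|h|d>")
    return int(m.group(1)) * UNIT_SECONDS[m.group(2)]


def parse_secret_ref(text):
    """Parse '{{store=<id>,key=<name>[,refreshInterval=<n><unit>]}}' into a SecretRef."""
    m = _REF_RE.match(text.strip())
    if not m:
        raise ValueError("secret reference must be wrapped in double curly braces")
    fields = {}
    for part in m.group(1).split(","):
        name, sep, value = part.partition("=")
        if not sep or not name.strip() or not value.strip():
            raise ValueError(f"malformed field {part!r}")
        fields[name.strip()] = value.strip()
    unknown = set(fields) - {"store", "key", "refreshInterval"}
    if unknown:
        raise ValueError(f"unknown field(s): {sorted(unknown)}")
    if "store" not in fields or "key" not in fields:
        raise ValueError("store and key are required")
    refresh = (parse_interval(fields["refreshInterval"])
               if "refreshInterval" in fields else DEFAULT_REFRESH_SECONDS)
    return SecretRef(fields["store"], fields["key"], refresh)


def parse_rds_iam_key(key):
    """Split an AWSRDSIAM key 'user@host:port/region' into its parts."""
    m = _KEY_RE.match(key)
    if not m:
        raise ValueError(f"AWSRDSIAM key must be user@host:port/region, got {key!r}")
    return m.groupdict()


def lint_rds_iam_ref(text):
    """Return a list of problems with an AWSRDSIAM reference; [] means it looks sound."""
    ref = parse_secret_ref(text)
    try:
        parts = parse_rds_iam_key(ref.key)
    except ValueError as err:
        return [str(err)]
    problems = []
    if not 1 <= int(parts["port"]) <= 65535:
        problems.append("port out of range")
    # Heuristic: the region in the key should be the one in the RDS endpoint name.
    if not parts["host"].endswith(f".{parts['region']}.rds.amazonaws.com"):
        problems.append("region in key does not match the RDS endpoint host")
    # Refreshing no sooner than the token expires leaves a window with a dead credential.
    if ref.refresh_seconds >= TOKEN_LIFETIME_SECONDS:
        problems.append("refreshInterval must be shorter than the 15-minute token lifetime")
    return problems


def check_audit_env(env):
    """Cross-check RTCONF_AUDIT__* keys: the secret key's user and host:port
    should agree with CONNECTION__USER and the JDBC URL."""
    url = env["RTCONF_AUDIT__CONNECTION__URL"].strip('"')
    if not url.startswith("jdbc:"):
        return ["CONNECTION__URL must be a jdbc: URL"]
    parsed = urlparse(url[len("jdbc:"):])
    pw = env["RTCONF_AUDIT__CONNECTION__PASSWORD"]
    problems = lint_rds_iam_ref(pw)
    try:
        key = parse_rds_iam_key(parse_secret_ref(pw).key)
    except ValueError:
        return problems          # key shape already reported by the lint above
    if parsed.hostname != key["host"] or str(parsed.port) != key["port"]:
        problems.append("secret key host:port differs from the JDBC URL")
    if env["RTCONF_AUDIT__CONNECTION__USER"] != key["user"]:
        problems.append("CONNECTION__USER differs from the user in the secret key")
    return problems


if __name__ == "__main__":
    print("page example:", lint_rds_iam_ref(PAGE_EXAMPLE_REF) or "ok")
    print("sample audit env:", check_audit_env(SAMPLE_AUDIT_ENV) or "ok")
```

Run it before rolling out a new store reference: an empty list from lint_rds_iam_ref and check_audit_env means the reference parses, the refresh interval is shorter than the token lifetime, and the audit connection settings agree with each other. A non-empty list names the mismatch, which is easier to act on than a failed database login at runtime.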

Refer to our Runtime Service Configuration, Authorization Audit Configuration, and Policy Information Point articles for more specific information on how to use Environment Variables for generating tokens and passwords.