RDS IAM Authentication

[jamielennox]

Having the lambda be responsible for the admin credentials and performing operations based on the role would seem to be the perfect candidate for using IAM authentication to connect to the database.

This would get rid of even storing the admin password.

Thanks,

https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.IAMPolicy.html

[mvanholsteijn]

So you mean that the cfn-postgresql-user-provider connects using IAM credentials, or the cfn-postgresql-user-provider creates users with IAM authentication?

[jamielennox]

The provider connects to the database using IAM roles to provision a user.

I'm thinking of a scenario where I deploy the database and lambda together, in which case the cloud formation could simply provision all the connecting roles and then all further postgres users get created via this lambda.

[mvanholsteijn]

Ooh that would work! I will look into it.