Posts

Showing posts from January, 2019

Connect Lambda to RDS using IAM credentials

It is safer to connect to RDS using IAM credentials rather than database user credentials. You can assign a role to lambda with permissions to access database. In order to access database, you will need to generate token and this token will be valid for a very limited time. Thus, no need to encrypt and rotate passwords. And no need to worry about saving passwords in Vault and then manage vault access etc. Following steps are required to connect to RDS using IAM role: Modify RDS Instance and Enable IAM Authentication for RDS Instance Create database user, without password and assign relevant privileges Create IAM Policy with permissions to connect to database Create IAM role. This role will be assigned to lambda/ec2-instance Download SSL Certificates for RDS provided by AWS. These certificates are region specific Use Java-SDK to generate token and use this token to connect to RDS   Enable IAM Authentication Log into AWS Management console to modify RDS instance settings. Sel