Showing posts from January, 2019

Connect Lambda to RDS using IAM credentials

It is safer to connect to RDS with IAM credentials than with database user credentials. You assign the Lambda function a role with permission to connect to the database; to open a connection, the function generates an authentication token that is valid only for a very limited time. There is no password to encrypt and rotate, and no need to store passwords in a Vault and manage access to it.
The following steps are required to connect to RDS using an IAM role:
1. Modify the RDS instance and enable IAM authentication for it.
2. Create a database user without a password and assign the relevant privileges.
3. Create an IAM policy with permission to connect to the database.
4. Create an IAM role; this role will be assigned to the Lambda function or EC2 instance.
5. Download the SSL certificates for RDS provided by AWS. These certificates are region specific.
6. Use the Java SDK to generate a token and use this token to connect to RDS.

Enable IAM Authentication

Log into the AWS Management Console to modify the RDS instance settings. Select the RDS instance,…
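Steps 5 and 6 put together as an added example (not code from the original post): a Java helper that generates the IAM auth token with the AWS SDK for Java v1 and opens a TLS-only MySQL connection with it. The endpoint, region, database name, user name and truststore path are constructed placeholders; the truststore is assumed to contain the region-specific RDS CA bundle from step 5.

```java
import com.amazonaws.auth.DefaultAWSCredentialsProviderChain;
import com.amazonaws.services.rds.auth.GetIamAuthTokenRequest;
import com.amazonaws.services.rds.auth.RdsIamAuthTokenGenerator;

import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Properties;

public class RdsIamConnector {
    // Constructed placeholders: replace with your instance endpoint, region and database.
    private static final String RDS_HOST = "mydb.EXAMPLE.us-east-1.rds.amazonaws.com";
    private static final int RDS_PORT = 3306;
    private static final String REGION = "us-east-1";
    private static final String DB_NAME = "mydb";
    // MySQL user created in step 2, e.g.:
    //   CREATE USER 'lambda_iam_user' IDENTIFIED WITH AWSAuthenticationPlugin AS 'RDS';
    // The IAM policy from step 3 must allow rds-db:connect on this user's dbuser ARN.
    private static final String DB_USER = "lambda_iam_user";
    // JKS truststore holding the region-specific RDS CA bundle downloaded in step 5.
    private static final String TRUSTSTORE_URL = "file:/var/task/rds-truststore.jks";
    private static final String TRUSTSTORE_PASSWORD = "changeit";

    // Builds a SigV4-signed token from the Lambda execution role credentials.
    // The token is valid for 15 minutes, so generate it per connection, never cache it.
    static String generateAuthToken() {
        RdsIamAuthTokenGenerator generator = RdsIamAuthTokenGenerator.builder()
                .credentials(new DefaultAWSCredentialsProviderChain())
                .region(REGION)
                .build();
        return generator.getAuthToken(GetIamAuthTokenRequest.builder()
                .hostname(RDS_HOST)
                .port(RDS_PORT)
                .userName(DB_USER)
                .build());
    }

    // The token travels as the password, so TLS with server verification is mandatory.
    static Connection connect() throws SQLException {
        Properties props = new Properties();
        props.setProperty("user", DB_USER);
        props.setProperty("password", generateAuthToken());
        props.setProperty("useSSL", "true");
        props.setProperty("requireSSL", "true");
        props.setProperty("verifyServerCertificate", "true");
        props.setProperty("trustCertificateKeyStoreUrl", TRUSTSTORE_URL);
        props.setProperty("trustCertificateKeyStorePassword", TRUSTSTORE_PASSWORD);
        String url = "jdbc:mysql://" + RDS_HOST + ":" + RDS_PORT + "/" + DB_NAME;
        return DriverManager.getConnection(url, props);
    }
}
```

If verifyServerCertificate is left off, a connection that reaches the wrong host would still hand over a valid token, so keep it on and point the truststore at the AWS-provided bundle rather than the system default.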