Connect to Amazon RDS using IAM and OpenSSL from the Command Line
Rain hammered the glass as the connection timed out again. You know the credentials are right. The database is alive. But AWS wants more than a password now.
This is where OpenSSL, AWS RDS, and IAM authentication meet. You don’t need stored secrets. You need a secure, signed token generated at the moment you connect. This guide shows how to connect to Amazon RDS using IAM and OpenSSL from the command line, without leaking keys or leaving credentials on disk.
How IAM Authentication Works with RDS
AWS RDS supports authentication using IAM users and roles. Instead of a static password, you request a temporary auth token from AWS. This token is signed using your AWS credentials and is valid for 15 minutes. The RDS MySQL or PostgreSQL instance validates the signature on connect.
Why Use OpenSSL in the Process
OpenSSL is the library that encrypts and authenticates the socket between your client and the RDS server. It ensures TLS is active and the certificate chain is valid. IAM authentication also requires TLS on the client side: use ssl-mode=REQUIRED with the MySQL client, or sslmode=require in the psql connection string.
Step-by-Step: Connect Using OpenSSL, AWS RDS and IAM
- Enable IAM Auth on RDS
  - In the RDS console, modify your instance.
  - Set “IAM DB Authentication” to enabled.
  - Apply changes and wait for the reboot if required.
Connect to the Database
MySQL (IAM tokens are sent through the cleartext plugin, which is only safe because TLS is required):
mysql \
  --host=<rds-endpoint> \
  --port=3306 \
  --ssl-mode=REQUIRED \
  --ssl-ca=/path/to/rds-combined-ca-bundle.pem \
  --enable-cleartext-plugin \
  --user=<db-user> \
  --password=$TOKEN
PostgreSQL:
PGPASSWORD="$TOKEN" psql \
  "host=<rds-endpoint> port=5432 sslmode=require dbname=<db-name> user=<db-user>"
Verify SSL with OpenSSL
Check the certificate from the server. MySQL negotiates TLS inside its own protocol, so s_client needs -starttls mysql (use -starttls postgres and port 5432 for PostgreSQL) to reach the handshake:
openssl s_client -showcerts -starttls mysql -CAfile /path/to/rds-combined-ca-bundle.pem -connect <rds-endpoint>:3306
Confirm it chains to the Amazon RDS root CA: with the bundle passed via -CAfile, the output should end with "Verify return code: 0 (ok)".
Generate a Temporary Auth Token
Use the AWS CLI:
TOKEN=$(aws rds generate-db-auth-token \
--hostname <rds-endpoint> \
--port 3306 \
--region <region> \
--username <db-user>)
Grant IAM Permissions
Attach a policy to your IAM user or role:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "rds-db:connect",
      "Resource": "arn:aws:rds-db:REGION:ACCOUNT-ID:dbuser:DB-RESOURCE-ID/DB-USER"
    }
  ]
}
Troubleshooting Common Issues
- Expired Token: Tokens last 15 minutes. Regenerate before connect.
- SSL Errors: Ensure your CA bundle matches the AWS RDS latest CA.
- Access Denied: Check rds-db:connect permissions and the matching resource ARN.
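The steps above, plus checks for the two most common failures in the troubleshooting list, as an added example that is not code from the original post: it parses the 15-minute lifetime out of a generated token, confirms the chain from openssl s_client output, and only then connects. The hostnames, user names, CA path and sample values are constructed placeholders; the token format (a presigned query string with X-Amz-Date and X-Amz-Expires) is what generate-db-auth-token returns.

```shell
#!/bin/sh
# Added example, not code from the original post: shell helpers that check the
# IAM token's lifetime and the TLS chain before connecting. All hostnames,
# user names and sample values are constructed placeholders.

# Pull one query parameter out of the presigned token returned by
# `aws rds generate-db-auth-token` (format: host:port/?Action=connect&...).
token_param() { printf '%s' "$1" | tr '?&' '\n\n' | sed -n "s/^$2=//p"; }

# X-Amz-Date (YYYYMMDDTHHMMSSZ) -> Unix epoch seconds, in pure shell arithmetic
# (days-from-civil algorithm) so it works without GNU date.
utc_to_epoch() {
  # split into fields and drop leading zeros so "08" is not read as octal
  set -- $(printf '%s' "$1" | sed -e 's/^\(....\)\(..\)\(..\)T\(..\)\(..\)\(..\)Z$/\1 \2 \3 \4 \5 \6/' \
                                   -e 's/ 0\([0-9]\)/ \1/g')
  y=$1; m=$2; d=$3
  if [ "$m" -le 2 ]; then y=$((y - 1)); fi
  era=$((y / 400)); yoe=$((y - era * 400)); mp=$(( (m + 9) % 12 ))
  doy=$(( (153 * mp + 2) / 5 + d - 1 )); doe=$((yoe * 365 + yoe / 4 - yoe / 100 + doy))
  echo $(( (era * 146097 + doe - 719468) * 86400 + $4 * 3600 + $5 * 60 + $6 ))
}

# Expiry instant = X-Amz-Date + X-Amz-Expires (900 s, the 15-minute lifetime).
token_expires_at() {
  echo $(( $(utc_to_epoch "$(token_param "$1" X-Amz-Date)") + $(token_param "$1" X-Amz-Expires) ))
}
# usage: token_valid_at TOKEN NOW_EPOCH -> true while the token is unexpired
token_valid_at() { [ "$2" -lt "$(token_expires_at "$1")" ]; }
# true when `openssl s_client` output reports a verified certificate chain
tls_verified() { printf '%s\n' "$1" | grep -q 'Verify return code: 0 (ok)'; }
# MySQL and PostgreSQL negotiate TLS inside their own protocol, so s_client
# needs -starttls (mysql or postgres) to reach the handshake and see the chain.
rds_tls_check() {  # usage: rds_tls_check HOST PORT mysql|postgres CA_BUNDLE
  tls_verified "$(openssl s_client -connect "$1:$2" -starttls "$3" -CAfile "$4" </dev/null 2>&1)"
}
# Generate a fresh token, refuse to use a stale one, and connect with TLS required.
rds_mysql_connect() {  # usage: rds_mysql_connect HOST REGION DB_USER CA_BUNDLE
  TOKEN=$(aws rds generate-db-auth-token --hostname "$1" --port 3306 --region "$2" --username "$3")
  token_valid_at "$TOKEN" "$(date +%s)" || { echo "token already expired" >&2; return 1; }
  mysql --host="$1" --port=3306 --ssl-mode=REQUIRED --ssl-ca="$4" \
        --enable-cleartext-plugin --user="$3" --password="$TOKEN"
}

# Constructed sample inputs (not real credentials) for the self-checks.
SAMPLE_TOKEN='db.example.internal:3306/?Action=connect&DBUser=app&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20240101T120000Z&X-Amz-Expires=900&X-Amz-SignedHeaders=host&X-Amz-Signature=0000'
SAMPLE_SCLIENT_OK='CONNECTED(00000003)
Verify return code: 0 (ok)'
SAMPLE_SCLIENT_BAD='CONNECTED(00000003)
Verify return code: 21 (unable to verify the first certificate)'
```

Passing the token via --password exposes it in the process list for its 15-minute lifetime; setting MYSQL_PWD in the environment instead avoids that.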
A correct setup means no static passwords, dynamic credentials, and TLS enforced by OpenSSL. Security increases. Operational burden drops.
If you want to see this pattern in action without wiring it by hand, try it on hoop.dev and have it live in minutes.