Connecting kubectl to AWS RDS with IAM Authentication
The terminal waits. One command will decide if your Kubernetes cluster talks to your AWS RDS instance with IAM authentication—or times out.
Connecting kubectl to AWS RDS using IAM is the cleanest way to secure database access without static passwords. It binds access to AWS Identity and Access Management roles, short-lived tokens, and controlled network policies. Done right, it gives developers and operators fast, auditable connections from Kubernetes pods to RDS. Done wrong, it leaves secrets exposed.
Step 1: Prepare AWS RDS for IAM auth
Enable IAM database authentication on your RDS instance. This works with MySQL and PostgreSQL engines. In the AWS console or CLI, modify the DB instance:
aws rds modify-db-instance \
--db-instance-identifier mydb \
--enable-iam-database-authentication \
--apply-immediately
Make sure the security group allows inbound from your Kubernetes worker nodes or VPC endpoint.
Step 2: Configure IAM roles
Create or update an IAM role with the rds-db:connect permission, scoped to the ARN of the exact DB user on your RDS instance. Your pod's service account assumes this role through the eks.amazonaws.com/role-arn annotation on the service account.
Example policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "rds-db:connect",
      "Resource": "arn:aws:rds-db:us-east-1:123456789012:dbuser:mydb/mydbuser"
    }
  ]
}
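The policy above is only as safe as its Resource scope. The following is an added example, not code from the page or from hoop.dev: a small checker that parses a policy document and reports any rds-db:connect grant whose resource is a wildcard or is not an rds-db dbuser ARN. The policy strings embedded in it are constructed for the demo; the "tight" one is the page's own policy, the "loose" one is an invented counter-example. One detail the page does not spell out: the identifier before the slash in an rds-db ARN is the instance's DbiResourceId (db-XXXXXXXX in the console), not the DB instance name, so treat the page's "mydb" as a stand-in.

```python
"""Added example (not the page's code): flag over-broad rds-db:connect grants in
an IAM policy document, so a role reaches only the intended DB user on the
intended instance."""
import json
import re

# Resource shape for IAM DB auth:
#   arn:aws:rds-db:<region>:<account>:dbuser:<DbiResourceId>/<db-user-name>
# The part before the slash is the DbiResourceId (db-XXXXXXXX), not the instance name.
RDS_DB_USER_ARN = re.compile(r"^arn:aws:rds-db:([^:]*):([^:]*):dbuser:([^/]+)/(.+)$")
CONNECT_ACTIONS = {"rds-db:connect", "rds-db:*", "*"}


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def rds_connect_findings(policy_json: str) -> list[str]:
    """Return one message per scoping problem; an empty list means the grant is tight."""
    doc = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & CONNECT_ACTIONS:
            continue  # statement does not grant database connect
        if "Resource" not in stmt:
            findings.append(f"statement {idx}: no Resource (NotResource?); scope cannot be verified")
            continue
        for res in _as_list(stmt["Resource"]):
            if res == "*":
                findings.append(f"statement {idx}: Resource '*' allows connecting as any user on any instance")
                continue
            match = RDS_DB_USER_ARN.match(res)
            if not match:
                findings.append(f"statement {idx}: '{res}' is not an rds-db dbuser ARN")
                continue
            region, account, resource_id, db_user = match.groups()
            if "*" in resource_id:
                findings.append(f"statement {idx}: resource id '{resource_id}' matches every DB instance")
            if "*" in db_user:
                findings.append(f"statement {idx}: DB user '{db_user}' matches every database user")
            if region == "*" or account == "*":
                findings.append(f"statement {idx}: '{res}' is not pinned to one account and region")
    return findings


# The page's policy (tight scope) and a constructed loose variant for comparison.
TIGHT_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "rds-db:connect",
                 "Resource": "arn:aws:rds-db:us-east-1:123456789012:dbuser:mydb/mydbuser"}]
}"""
LOOSE_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": ["rds-db:connect"],
                 "Resource": "arn:aws:rds-db:us-east-1:123456789012:dbuser:*/*"}]
}"""

if __name__ == "__main__":
    for name, policy in (("tight", TIGHT_POLICY), ("loose", LOOSE_POLICY)):
        print(name, rds_connect_findings(policy) or "OK")
```

Run it as a pre-merge check on the policy JSON your IaC produces; a non-empty list should fail the pipeline, since a `*` in either half of the dbuser ARN turns "this role may connect as mydbuser on this instance" into "this role may connect as anyone, anywhere in the account".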
Step 3: Inject IAM tokens into pods with kubectl
AWS generates authentication tokens via aws rds generate-db-auth-token. These expire in 15 minutes. In practice, you’ll run:
TOKEN=$(aws rds generate-db-auth-token \
--hostname mydb.cluster-abcdefgh.us-east-1.rds.amazonaws.com \
--port 5432 \
--region us-east-1 \
--username mydbuser)
Store this token in an environment variable or Kubernetes Secret before initializing the database client in your pod.
You can use kubectl exec to test the connection directly from a container:
kubectl exec -it mypod -- \
psql "host=mydb.cluster-abcdefgh.us-east-1.rds.amazonaws.com \
port=5432 \
user=mydbuser \
password=$TOKEN \
sslmode=require"
Replace psql with mysql if you run MySQL.
Step 4: Automate token lifecycle
Tokens must refresh automatically. Use an init-container or sidecar that calls the AWS CLI on schedule and updates the credential store. In EKS, grant pods temporary AWS creds through IRSA (IAM Roles for Service Accounts). This keeps kubectl integration tight and secure.
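Steps 3 and 4 hinge on what the token actually is: a SigV4 presigned request for the rds-db service whose issue time and 900-second lifetime are embedded in its query string. The block below is an added example, not the page's code and not the AWS CLI's implementation; it re-creates that presigning client-side with hashlib/hmac so the structure is visible, then reads the expiry back out to decide when a sidecar must re-issue. The hostname, user and region are the page's; the access key, secret, session token and the fixed clock are constructed values. In a real sidecar the credentials come from IRSA and the clock is the node's, which is exactly why the page's time-sync gotcha matters.

```python
"""Added example (not the page's code): build an RDS IAM auth token the way the
AWS CLI does client-side, then decide when a sidecar must refresh it.
Assumes fake credentials and a fixed clock so the run is deterministic."""
import datetime as dt
import hashlib
import hmac
from urllib.parse import parse_qs, quote, urlencode

SERVICE = "rds-db"
TOKEN_TTL = 900  # seconds: the 15-minute lifetime the page describes


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def generate_db_auth_token(hostname, port, username, region,
                           access_key, secret_key, now, session_token=None):
    """Return host:port/?Action=connect&DBUser=...&X-Amz-Signature=... (no scheme).

    The token is a SigV4 presigned GET (query-string auth) for the rds-db
    service; RDS validates it with IAM instead of checking a password."""
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = now.strftime("%Y%m%d")
    scope = f"{date_stamp}/{region}/{SERVICE}/aws4_request"
    params = {
        "Action": "connect",
        "DBUser": username,
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(TOKEN_TTL),
        "X-Amz-SignedHeaders": "host",
    }
    if session_token:  # IRSA credentials are temporary, so they carry a session token
        params["X-Amz-Security-Token"] = session_token
    # Canonical query: keys sorted, RFC 3986 encoding ('/' and '+' percent-encoded).
    canonical_query = urlencode(sorted(params.items()), quote_via=quote, safe="-_.~")
    host_header = f"{hostname}:{port}"
    canonical_request = "\n".join([
        "GET",
        "/",
        canonical_query,
        f"host:{host_header}\n",          # canonical headers, ended by a blank line
        "host",                            # signed headers
        hashlib.sha256(b"").hexdigest(),   # empty payload
    ])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256",
        amz_date,
        scope,
        hashlib.sha256(canonical_request.encode()).hexdigest(),
    ])
    k_date = _hmac(("AWS4" + secret_key).encode(), date_stamp)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, SERVICE)
    k_signing = _hmac(k_service, "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode(), hashlib.sha256).hexdigest()
    return f"{host_header}/?{canonical_query}&X-Amz-Signature={signature}"


def token_expiry(token: str) -> dt.datetime:
    """Read X-Amz-Date and X-Amz-Expires back out of a token (the expiry is not hidden)."""
    query = parse_qs(token.split("?", 1)[1])
    issued = dt.datetime.strptime(query["X-Amz-Date"][0], "%Y%m%dT%H%M%SZ")
    issued = issued.replace(tzinfo=dt.timezone.utc)
    return issued + dt.timedelta(seconds=int(query["X-Amz-Expires"][0]))


def seconds_remaining(token: str, now: dt.datetime) -> float:
    return (token_expiry(token) - now).total_seconds()


def needs_refresh(token: str, now: dt.datetime, margin: int = 120) -> bool:
    """A sidecar should re-issue once fewer than `margin` seconds remain. The check
    uses the node clock, so a skewed node can report a token as fresh that RDS
    already rejects (the page's time-sync gotcha)."""
    return seconds_remaining(token, now) < margin


# Constructed fixed clock and fake credentials (assumptions, not real values).
ISSUED_AT = dt.datetime(2024, 1, 1, 12, 0, 0, tzinfo=dt.timezone.utc)
EXAMPLE_TOKEN = generate_db_auth_token(
    "mydb.cluster-abcdefgh.us-east-1.rds.amazonaws.com", 5432, "mydbuser", "us-east-1",
    "AKIAEXAMPLEKEY", "exampleSecretKeyNotReal", ISSUED_AT)


def later(seconds: int) -> dt.datetime:
    """Clock helper for the demo: the issue time plus `seconds`."""
    return ISSUED_AT + dt.timedelta(seconds=seconds)


if __name__ == "__main__":
    print(EXAMPLE_TOKEN)
    for elapsed in (0, 600, 800, 900):
        print(f"{elapsed:>4}s elapsed: refresh? {needs_refresh(EXAMPLE_TOKEN, later(elapsed))}")
```

Two points this makes concrete for the sidecar design: the token is a signed URL, so it must be kept out of logs and shell history just like a password, and the refresh decision should run well inside the 15-minute window (the 120-second margin here) rather than waiting for a failed connection to trigger it.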
Best practices and gotchas
- Make sure time sync is correct across nodes; stale tokens fail.
- Enforce TLS (sslmode=require) to prevent MITM.
- Limit IAM policy scope to the exact DB user and instance.
- Rotate DB users in parallel with IAM tokens where possible.
With kubectl + AWS RDS IAM connect configured, database auth becomes short-lived, tightly bound to AWS security, and directly manageable from your Kubernetes workflows.
Try this whole workflow live without writing custom glue code. Go to hoop.dev and connect to your RDS with IAM in minutes.