Kubernetes Ingress with AWS RDS IAM authentication
Pairing Kubernetes Ingress with AWS RDS IAM authentication is a clean way to connect workloads inside your cluster to a managed database without hardcoding static credentials. Instead of storing passwords in ConfigMaps or Secrets, the application obtains a short-lived token from AWS IAM each time it opens a connection. This shrinks the blast radius of a leaked manifest or image, improves compliance, and scales without the credential sprawl that erodes security in large systems.
Ingress Configuration
In Kubernetes, Ingress exposes HTTP(S) services from inside the cluster to the outside world. To connect those services to an AWS RDS instance through IAM, you keep the Ingress focused on routing while the application pod handles database authentication. The Ingress rules and controller (NGINX, Traefik, or AWS Load Balancer Controller) don’t need to know about RDS—they just deliver traffic to the right pods. This separation keeps your networking clean and your auth secure.
IAM Database Authentication for RDS
Enable IAM authentication on your RDS instance:
- In the AWS Console or CLI, set --enable-iam-database-authentication (for example with aws rds modify-db-instance). This is off by default.
- Create the database user that will log in through IAM. For MySQL/MariaDB that is CREATE USER ... IDENTIFIED WITH AWSAuthenticationPlugin AS 'RDS'; for PostgreSQL, GRANT rds_iam TO the role. A user created with a normal password cannot authenticate with a token.
- Attach an IAM role with rds-db:connect permission to the Kubernetes service account via IRSA (IAM Roles for Service Accounts). Scope the Resource to the instance's DbiResourceId and the specific DB user (arn:aws:rds-db:region:account:dbuser:db-XXXX/dbuser), not to *.
- Use the AWS SDK or CLI inside your pod to generate an auth token with aws rds generate-db-auth-token (the SDKs expose the same call, e.g. boto3's generate_db_auth_token). Token generation is a local SigV4 signing operation; no request goes to AWS.
This token replaces the static password in your database connection string. It is valid for 15 minutes and is checked only when a connection is opened: an established connection is not dropped when its token expires, but every new connection, including connection-pool refills, needs a fresh token. Generate it per connection rather than caching it in an environment variable or Secret. IAM-authenticated connections also require TLS on MySQL and MariaDB (plaintext logins are rejected), and you should verify the server certificate against the RDS CA bundle everywhere so the token cannot be harvested by a spoofed endpoint.
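The token described above is nothing more than a SigV4 presigned URL for the rds-db "connect" action with the https:// scheme stripped. The following block, an added example rather than code from the page or from AWS, rebuilds that presign with only the standard library so the token's structure and its 15-minute lifetime are visible, and adds the freshness check a connection pool should run before each connect. In a real pod you would call the SDK (boto3's generate_db_auth_token), which also picks up the IRSA credentials for you; the host, user and keys here are constructed placeholders.

```python
"""Mint and age-check an RDS IAM auth token with only the standard library.

Added example, not code from the page or from AWS: it re-implements the SigV4
presign that `aws rds generate-db-auth-token` / boto3's generate_db_auth_token
perform so the token's structure is visible and it runs offline. In production
call the SDK. Host, user and keys below are constructed placeholders.
"""
import datetime as dt
import hashlib
import hmac
import urllib.parse

TOKEN_TTL_SECONDS = 900  # RDS tokens live 15 minutes; the service fixes this value
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()  # payload hash of a body-less GET


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def _q(s: str) -> str:
    # AWS canonical encoding: everything except unreserved characters is percent-encoded
    return urllib.parse.quote(s, safe="-_.~")


def generate_db_auth_token(host, port, db_user, region, access_key, secret_key,
                           session_token=None, now=None):
    """Return the token for db_user at host:port: a SigV4 presigned URL for the
    rds-db 'connect' action minus the https:// scheme, as the SDKs return it."""
    now = now or dt.datetime.now(dt.timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    scope = f"{now:%Y%m%d}/{region}/rds-db/aws4_request"

    params = {
        "Action": "connect",
        "DBUser": db_user,
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(TOKEN_TTL_SECONDS),
        "X-Amz-SignedHeaders": "host",
    }
    if session_token:  # IRSA hands out STS session credentials, so this is normally set
        params["X-Amz-Security-Token"] = session_token
    canonical_qs = "&".join(f"{_q(k)}={_q(v)}" for k, v in sorted(params.items()))

    # Only the host header is signed, and it carries the port. That binds the
    # token to this endpoint: a token for one instance is useless against another.
    canonical_request = "\n".join(
        ["GET", "/", canonical_qs, f"host:{host}:{port}\n", "host", EMPTY_SHA256])
    string_to_sign = "\n".join(
        ["AWS4-HMAC-SHA256", amz_date, scope,
         hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()])

    k_signing = _hmac(_hmac(_hmac(_hmac(("AWS4" + secret_key).encode("utf-8"),
                                        f"{now:%Y%m%d}"), region), "rds-db"), "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{host}:{port}/?{canonical_qs}&X-Amz-Signature={signature}"


def token_expiry(token: str) -> dt.datetime:
    """Recover the expiry a token carries (X-Amz-Date plus X-Amz-Expires)."""
    qs = urllib.parse.parse_qs(urllib.parse.urlsplit("https://" + token).query)
    issued = dt.datetime.strptime(qs["X-Amz-Date"][0], "%Y%m%dT%H%M%SZ")
    issued = issued.replace(tzinfo=dt.timezone.utc)
    return issued + dt.timedelta(seconds=int(qs["X-Amz-Expires"][0]))


def token_usable(token: str, now=None, margin_seconds=60) -> bool:
    """Can this token still open a NEW connection? RDS validates the token only
    at connect time; connections already open are not dropped at expiry. A pool
    should call this before each connect and re-mint instead of caching."""
    now = now or dt.datetime.now(dt.timezone.utc)
    return now + dt.timedelta(seconds=margin_seconds) < token_expiry(token)


if __name__ == "__main__":
    tok = generate_db_auth_token("db.example.internal", 3306, "app_reader", "us-east-1",
                                 "AKIAEXAMPLE", "secretEXAMPLE",
                                 session_token="FQoGZXIvYXdzEXAMPLE")
    print(tok)
    print("usable now:", token_usable(tok))
```

The usable-before-expiry margin exists because the token is validated by RDS at the moment the TCP/TLS handshake completes, not when your code minted it; a pool that re-mints on every checkout is simpler than one that tracks expiry, and the signing cost is microseconds.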
Kubernetes + IRSA Setup
IRSA allows pods to assume IAM roles without node-wide permissions. Steps:
- Create an IAM OIDC identity provider for your EKS cluster (the cluster's OIDC issuer URL).
- Create an IAM role whose trust policy allows sts:AssumeRoleWithWebIdentity from that provider. Pin the <issuer>:sub condition to system:serviceaccount:<namespace>:<service-account> and <issuer>:aud to sts.amazonaws.com; without the sub condition, any service account in the cluster can assume the role.
- Annotate the service account with eks.amazonaws.com/role-arn.
- Deploy your app with that service account. The EKS pod identity webhook mounts a projected, short-lived token and sets AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE, which the SDKs pick up automatically.
Your pods now authenticate directly to AWS without storing permanent credentials.
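What the IRSA steps above and the rds-db:connect grant look like as concrete policy documents, plus a small linter for the two scoping mistakes that quietly widen access (a trust policy with no or a wildcard :sub condition, and rds-db:connect on *). This is an added example, not the page's or AWS's code; the account id, OIDC issuer and DbiResourceId are constructed placeholders.

```python
"""IRSA wiring for RDS IAM auth: the role trust policy, the rds-db:connect
permission policy, the ServiceAccount annotation, and a linter for the scoping
mistakes that silently widen access. Added example, not from the page or AWS;
the account id, OIDC issuer and DbiResourceId are constructed placeholders.
"""
import json


def build_trust_policy(account_id, oidc_issuer, namespace, service_account):
    """Trust policy for the IRSA role. oidc_issuer is the cluster issuer without
    scheme, e.g. oidc.eks.us-east-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE.
    The :sub and :aud conditions are what stop every other service account in
    the cluster from assuming this role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{oidc_issuer}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{oidc_issuer}:sub": f"system:serviceaccount:{namespace}:{service_account}",
                f"{oidc_issuer}:aud": "sts.amazonaws.com",
            }},
        }],
    }


def build_rds_connect_policy(region, account_id, db_resource_id, db_user):
    """rds-db:connect scoped to one DB user on one instance. The resource names
    the DbiResourceId (db-...), not the instance identifier, and the last path
    segment is the only database user a token may be minted for."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "rds-db:connect",
            "Resource": f"arn:aws:rds-db:{region}:{account_id}:dbuser:{db_resource_id}/{db_user}",
        }],
    }


def service_account_manifest(namespace, name, role_arn):
    """The only Kubernetes-side change: the annotation the EKS pod identity
    webhook reads before injecting the projected token and AWS_ROLE_ARN."""
    return {
        "apiVersion": "v1", "kind": "ServiceAccount",
        "metadata": {"name": name, "namespace": namespace,
                     "annotations": {"eks.amazonaws.com/role-arn": role_arn}},
    }


def lint_trust_policy(policy):
    """Findings for the classic IRSA over-trust bugs; empty list means clean."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow" or st.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        cond = st.get("Condition", {})
        equals, like = cond.get("StringEquals", {}), cond.get("StringLike", {})
        subs = [k for k in list(equals) + list(like) if k.endswith(":sub")]
        if not subs:
            findings.append("no :sub condition: any service account in the cluster can assume the role")
        for key, value in like.items():  # wildcards only mean something in StringLike
            if key.endswith(":sub") and "*" in str(value):
                findings.append(f"wildcard in {key}: {value} matches more than one service account")
        if not any(k.endswith(":aud") for k in list(equals) + list(like)):
            findings.append("no :aud condition: tokens issued for another audience are accepted")
    return findings


def lint_connect_policy(policy):
    """Flag rds-db:connect grants that let a token be minted for any DB user."""
    findings = []
    for st in policy.get("Statement", []):
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if st.get("Effect") != "Allow" or "rds-db:connect" not in actions:
            continue
        resources = st.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        for r in resources:
            if r == "*" or r.endswith("/*") or ":dbuser:*" in r:
                findings.append(f"rds-db:connect on {r}: tokens can be minted for any DB user")
    return findings


if __name__ == "__main__":
    issuer = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
    trust = build_trust_policy("111122223333", issuer, "payments", "orders-api")
    perms = build_rds_connect_policy("us-east-1", "111122223333", "db-ABCDEFGHIJKL01234", "orders_app")
    sa = service_account_manifest("payments", "orders-api", "arn:aws:iam::111122223333:role/orders-api-rds")
    for doc in (trust, perms, sa):
        print(json.dumps(doc, indent=2))
    print("trust findings:", lint_trust_policy(trust))
    print("permission findings:", lint_connect_policy(perms))
```

Run the linter over trust policies exported with aws iam get-role; a namespace wildcard in :sub (system:serviceaccount:*:orders-api) is the most common way an RDS-scoped role ends up assumable from a namespace that was never meant to reach the database.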
Security and Performance
IAM auth scales well for microservices hitting RDS from inside Kubernetes, and it locks down access at the role level: the rds-db:connect resource ARN names both the instance and the database user, so each workload can be confined to its own DB user with only the grants that user needs. Performance impact is minimal if token generation is done efficiently. Signing is local and cheap, but RDS throttles IAM logins at roughly 200 new connections per second per instance, so keep a connection pool and mint a token per pool connection rather than per request. Keep the IAM roles least-privilege and one role per workload, and pair the setup with Kubernetes NetworkPolicies so only the right pods can reach the database endpoint; the RDS security group should likewise admit only the cluster's pod or node CIDRs.
Example Connection String
jdbc:mysql://your-rds-endpoint:3306/dbname?sslMode=VERIFY_IDENTITY&enableIamAuth=true
The app retrieves the IAM token at runtime and passes it as the password. sslMode=VERIFY_IDENTITY makes MySQL Connector/J verify the server certificate chain and hostname, which is what stops a spoofed endpoint from harvesting the token; point the driver's trust store at the RDS CA bundle if that CA is not already trusted by the JVM. Whether a property such as enableIamAuth=true does anything depends on the driver: stock Connector/J has no IAM support and simply sends whatever password you supply, while drivers with built-in token generation (for example the AWS Advanced JDBC Wrapper's IAM plugin) use their own property names. Check the driver's documentation rather than assuming the flag.
Ingress stays focused on routing API traffic, IAM handles DB authentication, and RDS delivers managed persistence with AWS-level security.
This is the bridge between clean Kubernetes networking and tight AWS data access control.
See this live in minutes with hoop.dev. Build the Ingress, connect to RDS with IAM, and watch it run, without giving IAM free rein over your cluster.