Enabling AWS IAM PostgreSQL authentication
Published 23 May 2024
If you are monitoring PostgreSQL instances on Amazon RDS or Aurora clusters, then you can set up Redgate Monitor to authenticate via AWS Identity and Access Management (IAM).
This can provide enhanced security when using IAM roles, as there is no need to store long-lived credentials such a password or secret key to connect to an instance.
Setting up your RDS instance or Aurora cluster for IAM authentication
In order to enable IAM authentication for PostgreSQL instances in Redgate Monitor there are a few pre-requisite steps to go through within AWS.
You can find detailed information for these steps in the official AWS documentation for both Aurora clusters, and RDS instances.
- Make sure that your Aurora cluster or RDS instance has IAM authentication enabled, as it is disabled by default.
You can enable it by navigating to your instance or cluster's overview page in the AWS portal and selecting Modify and then selecting Password and IAM database authentication for RDS instances, or checking the IAM Database authentication checkbox on Aurora cluster - You must grant the
rds_iam
role to the Redgate Monitor database user that you have previously configured for monitoring the PostgreSQL instance. To grant IAM permissions you can run the following SQL on either an Aurora cluster or RDS instance as the master user, replacing redgatemonitor with the relevant user.GRANT rds_iam TO redgatemonitor;
Granting the IAM authentication role to a database user will limit that user from logging in via methods other than IAM. If you still wish to login normally with the existing user you should create a new user.
Please see the AWS documentation for other limitations of IAM database users.
- Create an IAM policy that will grant permission to connect to an RDS instance or Aurora cluster via IAM.
- When specifying permissions for the new policy, select RDS IAM Authentication for the service. This applies to both Aurora clusters and RDS instances.
- After selecting the service, you should check the connect checkbox under Permissions management.
- In the Resources section you should click Add ARNs in order to restrict the access of this permission to the specific RDS instance or Aurora cluster that you wish to monitor.
- You should then fill in the details of the instance or cluster that you wish to monitor, making sure to use the user name that you granted the IAM permissions to in step 2. The dbi resource can be found in the overview page for your resource under the Configuration tab with the heading Resource ID.
- When specifying permissions for the new policy, select RDS IAM Authentication for the service. This applies to both Aurora clusters and RDS instances.
- At this point, the guide to set up IAM authentication outlined in Enabling advanced monitoring for RDS instances provides a step-by-step guide to how you can set up an IAM role or user that Redgate Monitor's Base Monitor can use.
You should follow this guide, but instead of adding the AmazonRdsReadOnlyAccess and CloudWatchReadOnlyAccess permission policies in places where that is required, you should add the policy you have created above.- If you wish to use the same IAM authentication for advanced monitoring as you have for your instance you should include the above permission policies alongside the RDS IAM Authentication policy, you can then select "Use instance credentials" when enabling advanced monitoring.
- If you wish to use the same IAM authentication for advanced monitoring as you have for your instance you should include the above permission policies alongside the RDS IAM Authentication policy, you can then select "Use instance credentials" when enabling advanced monitoring.
Using your IAM authentication credentials in Redgate Monitor
After following the steps outlined above to enable IAM authentication on the AWS side, you can use those credentials to connect to the relevant PostgreSQL or Aurora instance by selecting IAM Role or IAM User in the Instance authentication method dropdown and filling in the relevant details.
- For IAM roles that are attached to your EC2 instance running the Base Monitor service, you should leave the Role identifier empty as it will default to the instance profile.
- For IAM roles that exist on a separate AWS account to be assumed by the Base Monitor service, you should use the ARN of the role that has permission to connect to the instance or cluster as the Role identifier.
- For IAM users you can generate the Access key and Secret key as described in the Creating an AWS IAM user section of the Enabling advanced monitoring for RDS instances guide.