Follow dba-ninja.com

Subscribe to RSS feed  Follow @jackvamvas - Twitter

*Use the Comments section for questions

dba-ninja.com Links

Dba_db2_button

Sqlserver_dba_button

Postgresql IAM authentication

14 July,2022 by Rambler

A question that comes up often when planning moving from an on-premises DBMS  utilising Active Directory as an identity access management system to a Cloud Native setup -  is what are the alternative methods available when applying to AWS? One method available is AWS IAM 

Changing the  identity management systems governing access controls to a DBMS is critical . Business processes , logic , membership management are all tied into to accessing data. There are many organizations who don't want to extend AD into the Cloud, and there are other considerations such as standardizing access , and the list goes on ....

This a summary of AWS IAM considerations. Some of it is based on AWS consultants and I've placed links to more in-depth articles , and  other information is my own observations\questions

Pattern

--The general advice from AWS is that IAM should generally used for applications creating fewer  than 200 connections per second and you don't want to manage usernames\passwords

Benefits

-- Don't need to maintain passwords

Review AWS documentation for a more robust list of benefits 

Limitation

--Application must generate an authentication token . How does an application go about generating an authentication token? Transitioning to a token generating system will require application refactoring. In comparison to a Kerberos based system where there is a more built-in & established token management system.

-- Works with MariaDB,MySQL ,PostgreSQL - does it work with other DBMS ? How agnostic is IAM - one of the major disadvantages is you're coupling  access to DBMS resources with the authentication methodology , rather than integrating at the DBMS level. 

--There is a potential added complexity with utilising IAM based authentication around cross-account access in comparison to authentication at the DBMS level.

If Batch or ETL   type workloads  are attempting to access DBMS Resources across multiple accounts , then extra provision is required on the IAM user setup .  Typically an ETL or batch job may touch multiple DBMS system and other resources such as S3 . These multiple resources may span across multiple accounts.   I see this happening either through an EC2 or even an EKS resource , for example accessing multiple RDS resources across multiple accounts.

This situation is achievable through IAM - but there is  an added level of role management and associating with the IAM user.

 

Summarised Steps

=> Enable Password and IAM database authentication

=> Create an IAM user\role , create policy and associate the user with the policy.

=>Create a db user 

=>Generate token and use to connect to PostgreSQL with IAM role

For a more detailed description of these steps check Using IAM authentication to connect with pgAdmin Amazon Aurora PostgreSQL or Amazon RDS for PostgreSQL

 

 

 

 

 


Author: Rambler (http://www.dba-ninja.com)


Share:

Verify your Comment

Previewing your Comment

This is only a preview. Your comment has not yet been posted.

Working...
Your comment could not be posted. Error type:
Your comment has been posted. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.

Working...

Post a comment on Postgresql IAM authentication


dba-ninja.com