background

It seems that IAM can now be used for DB connection between RDS for MySQL and Aurora. Manage access to your RDS for MySQL and Amazon Aurora databases using AWS IAM IAM Database Authentication for MySQL and Amazon Aurora Since the sample was Java, I tried it from Python.

environment

Amazon Linux 2017.03
Aurora 1.12
Python 2.7.12
boto3-1.4.4

Preparation

Aurora From the RDS cluster, open "Modify Cluster" and set "Enable DB Authentication for IAM" to "Yes". For Aurora db.t2.small does not support IAM database authentication, so try with db.t2.medium or higher. RDS_·_AWS_Console.png

Creating a DB user

Create a DB user for IAM access and grant the required permissions.

mysql> CREATE USER iam_auth_user@'testdb-cluster.cluster-abcdefghijkl.ap-northeast-1.rds.amazonaws.com' IDENTIFIED WITH AWSAuthenticationPlugin as 'RDS';
mysql> GRANT SELECT ON `testdb`.* TO iam_auth_user@'%';

Download public key

Since IAM database authentication requires SSL connection, download the public key and place it in an appropriate path on ec2. http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Aurora.Overview.html#Aurora.Overview.Security.SSL

IAM Grant the authority to IAM Role by referring to the document. The resource ID is specified for the cluster.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "rds-db:connect"
      ],
      "Resource": [
        "arn:aws:rds-db:ap-northeast-1:12345678:dbuser:cluster-12ABC34DEFG5HIJ6KLMNOP78QR/iam_auth_user"
      ]
    }
  ]
}

Connect

`iam_db_auth.py`


#  -*- coding: utf-8 -*-
from __future__ import print_function
import boto3
import mysql.connector
from mysql.connector.constants import ClientFlag

rds = boto3.client('rds', region_name='ap-northeast-1')

user = 'iam_auth_user'
host = 'testdb-cluster.cluster-abcdefghijkl.ap-northeast-1.rds.amazonaws.com'
db_auth_token = rds.generate_db_auth_token(host, 3306, user, 'ap-northeast-1')

config = {
    'user': user,
    'password': db_auth_token,
    'host': host,
    'db': 'testdb',
    'client_flags': [ClientFlag.SSL],
    'ssl_ca': 'rds-combined-ca-bundle.pem'
}

cnx = mysql.connector.connect(**config)
cur = cnx.cursor(buffered=True)

cur.execute('SELECT AURORA_VERSION();')
print(cur.fetchone())

cur.close()
cnx.close()

$ python iam_db_auth.py 
[(u'1.12',)]

that's all.

Try IAM Database Authentication from Python