| 1 | +# AWS Aurora DSQL IAM Authentication Plugin |
| 2 | + |
| 3 | +This plugin enables connecting to AWS Aurora DSQL databases through AWS Identity and Access Management (IAM). |
| 4 | + |
| 5 | +## What is IAM? |
| 6 | +AWS Identity and Access Management (IAM) grants users access control across all Amazon Web Services. IAM supports granular permissions, giving you the ability to grant different permissions to different users. For more information on IAM and its use cases, please refer to the [IAM documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html). |
| 7 | + |
| 8 | +## Prerequisites |
| 9 | +> [!WARNING]\ |
| 10 | +> To preserve compatibility with customers using the community driver, IAM Authentication requires the AWS SDK for Python; [Boto3](https://pypi.org/project/boto3/). Boto3 is a runtime dependency and must be resolved. It can be installed via pip like so: `pip install boto3`. |
| 11 | +
|
| 12 | +The IAM Authentication plugin requires authentication via AWS Credentials. These credentials can be defined in `~/.aws/credentials` or set as environment variables. All users must set `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`. Users who are using temporary security credentials will also need to additionally set `AWS_SESSION_TOKEN`. |
| 13 | + |
| 14 | +To enable the AWS Aurora DSQL IAM Authentication Plugin, add the plugin code `iam_dsql` to the [`plugins`](../UsingThePythonDriver.md#connection-plugin-manager-parameters) parameter. |
| 15 | + |
| 16 | +> [!WARNING]\ |
| 17 | +> The `iam` plugin must NOT be specified when using the `iam_dsql` plugin. |
| 18 | +
|
| 19 | +## AWS IAM Database Authentication |
| 20 | +The AWS Python Driver supports Amazon AWS Identity and Access Management (IAM) authentication. When using AWS IAM database authentication, the host URL must be a valid AWS Aurora DSQL endpoint, and not a custom domain or an IP address. |
| 21 | +<br>i.e. `cluster-identifier.dsql.us-east-1.on.aws` |
| 22 | + |
| 23 | + |
| 24 | +## How do I use IAM with the AWS Python Driver? |
| 25 | +1. Configure IAM roles for the cluster according to [Using database roles and IAM authentication](https://docs.aws.amazon.com/aurora-dsql/latest/userguide/using-database-and-iam-roles.html). |
| 26 | +2. Add the plugin code `iam_dsql` to the [`plugins`](../UsingThePythonDriver.md#connection-plugin-manager-parameters) parameter value. |
| 27 | + |
| 28 | +| Parameter | Value | Required | Description | Example Value | |
| 29 | +|--------------------|:-------:|:--------:|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------| |
| 30 | +| `iam_host` | String | No | This property will override the default hostname that is used to generate the IAM token. The default hostname is derived from the connection string. This parameter is required when users are connecting with custom endpoints. | `cluster-identifier.dsql.us-east-1.on.aws` | |
| 31 | +| `iam_region` | String | No | This property will override the default region that is used to generate the IAM token. The default region is parsed from the connection string. | `us-east-2` | |
| 32 | +| `iam_expiration` | Integer | No | This property determines how long an IAM token is kept in the driver cache before a new one is generated. The default expiration time is set to 14 minutes and 30 seconds. Note that IAM database authentication tokens have a lifetime of 15 minutes. | `600` | |
| 33 | + |
| 34 | +## Sample code |
| 35 | + |
| 36 | +[DSQLIamAuthentication.py](../../examples/DSQLIamAuthentication.py) |
| 37 | + |
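Review bot: The new doc contradicts itself on custom endpoints: line 20 states the host URL "must be a valid AWS Aurora DSQL endpoint, and not a custom domain or an IP address", while the `iam_host` row on line 30 says "This parameter is required when users are connecting with custom endpoints." Either custom endpoints are supported as long as `iam_host` names the real DSQL endpoint for token generation, in which case line 20 should say so, or they are not, in which case the last sentence of the `iam_host` description should be dropped. Two smaller points: the Prerequisites paragraph on line 12 first says credentials "can be defined in `~/.aws/credentials` or set as environment variables" and then says "All users must set `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`", which rules out the credentials-file path it just offered; rewording to "If using environment variables, set ..." keeps both options consistent. And the trailing backslash after `> [!WARNING]\` on lines 9 and 16 looks like a leftover hard line break; the GitHub alert syntax does not need it, so check how it renders before merging.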