Summary

Support Aurora connectivity over AWS PrivateLink using IAM database authentication (short‑lived tokens), without requiring static database usernames and passwords.

Description

We are setting up Amazon Aurora connectivity via AWS PrivateLink. While the PrivateLink setup is supported, the Aurora connector currently requires a static database username and password.

We moved away from password‑based authentication for Aurora some time ago and now rely exclusively on IAM database authentication with short‑lived tokens, generated via IAM role assumption. This aligns with AWS security best practices and our internal security standards.

Our requirement is to:

Use Aurora IAM database authentication (short‑lived tokens) in combination with AWS PrivateLink, without relying on static database usernames or passwords.

Ideally, the connector would assume an IAM role and generate authentication tokens dynamically, rather than storing long‑lived database credentials.

Why this is important

• Long‑lived database passwords are no longer acceptable within our platform
• IAM authentication provides:
  • Short‑lived credentials
  • Centralized access control via IAM
  • Reduced credential management and rotation risk
• PrivateLink already addresses network‑level security; IAM auth is required to complete the security posture at the authentication layer

Impact

Without this capability:

• We are forced to reintroduce static credentials solely for Fivetran
• This creates an exception to our security baseline
• It increases operational and audit overhead for credential storage and rotation

Requested outcome

• Native support for Aurora IAM database authentication
• Compatibility with AWS PrivateLink
• Authentication via IAM role assumption, not static credentials