Connector Improvement: Allow IAM Authentication
Answered
I am submitting this request as a follow-up to a recent support ticket. The ask is for a method to support IAM Authentication with a dynamically generated token as the password for RDS and Aurora connectors. See https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.Connecting.html
My initial query: "Our Dev and DevOps teams will be implementing an auth token policy for our databases in the future. This will mean that instead of having a static password, we will need to log in with an AWS IAM authentication token which is generated dynamically and valid for 15 minutes.
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.Connecting.html
Is there a way to do this with Fivetran (for an Aurora PostgreSQL instance to start with, but eventually other RDS PostgreSQL instances as well)? I can't tell if this could be handled by using a proxy server that always has the correct password, or something else. Have you had other customers who have needed to deal with this security constraint?...."
The response from Fivetran: "Regarding the request here, I actually see a task with our engineering team where they are planning to support IAM Authentication when connecting to AWS RDS and Aurora Instances. But this is still in the investigation stage where our devs are exploring if it is possible to use IAM with our current JDBC connections. Once they determine the feasibility they will design and implement a solution, so we don't have any ETA on this at this stage.
Also, can you please file a feature request in our feature request portal with your use case..."
-
Official comment
Hello Dan,
Thanks for your post here! IAM auth for RDS and Aurora sources is definitely on our radar, and something we are planning to start working on soon. While we don't have a definitive date or timeline for this yet, I can share we have started working on additional auth mechanisms for other sources, such as Azure Active Directory.
IAM is definitely important to us and we continue tracking requests for this to determine when we will implement this functionality.
-
I too would like to see this happen.
Today the way this works is horribly manual and error-prone (or passwords end up floating around automation, which isn't good for security). Ideally we could create a cloud credential that we could use for one or more connectors. In this way we could then instruct automation to simply ensure the required IAM objects exist on the database at provision time, and then create the Fivetran connector at the same time.
-
We'd like to use IAM auth with Aurora Postgres RDS Serverless V2.
-
Are there any updates in the past 2 years @Kevin Kim?
-
We're also transitioning to AWS IAM auth for our applications, which use RDS on Postgres. I hope this request gets some consideration.