
AWS RDS with IAM credentials

In addition to username/password database authentication, Coder supports connecting to Amazon RDS databases using IAM credentials, so no static database password has to be stored in the deployment.

Requirements

Setup

  1. Create an IAM role to use for database authentication.

  2. Create an IAM policy for the role created in Step 1. The last path segment of the resource ARN (dbuser) is the database user the token is issued for, and it must match the user created in Step 4 and the user configured in Step 5.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["rds-db:connect"],
      "Resource": [
        "arn:aws:rds-db:us-east-2:1234567890:dbuser:db-ABCDEFGHIJKL01234/dbuser"
      ]
    }
  ]
}
```

  3. Add a trust relationship to the IAM role so that the Kubernetes service account used by the coderd pods can assume it through the cluster's OIDC provider. The sub condition has the form system:serviceaccount:NAMESPACE:SERVICE_ACCOUNT_NAME.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::111122223333:oidc-provider/oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE:sub": "system:serviceaccount:<namespace>:<service-account-name>"
        }
      }
    }
  ]
}
```

  4. Create a database user with the same name specified in the policy above and grant it the rds_iam role.

```sql
-- The user name must match the dbuser segment of the rds-db:connect resource ARN.
CREATE USER dbuser WITH LOGIN;
-- rds_iam switches this user from password authentication to IAM token authentication.
GRANT rds_iam TO dbuser;
GRANT CREATE ON DATABASE coder TO dbuser;
```

  5. Set the following values in your Helm chart and re-deploy Coder.

```yaml
coderd:
  builtinProviderServiceAccount:
    annotations:
      # This role is assumed by the coderd pods via the service account (IRSA);
      # it must carry the rds-db:connect policy from Step 2.
      "eks.amazonaws.com/role-arn": "arn:aws:iam::1234567890:role/example"
postgres:
  host: "example.us-east-1.rds.amazonaws.com"
  port: "5432"
  user: "dbuser"
  database: "coder"
  # The password field is not used: the connector authenticates with an IAM token instead.
  connector: "awsiamrds"
  default:
    enable: false
```

Documentation references: