# AWS RDS with IAM credentials

In addition to user/password authentication, Coder supports connecting to Amazon RDS databases using IAM credentials.
## Requirements

- An EKS cluster with an IAM OIDC provider enabled
- An RDS instance with IAM authentication enabled
## Setup

1. Create an IAM role to use for database authentication.

2. Create an IAM policy for the role created in Step 1. The `Resource` ARN names the region, account, RDS resource ID and the database user name (`dbuser` here) that the role is allowed to connect as.

   ```json
   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Effect": "Allow",
         "Action": ["rds-db:connect"],
         "Resource": [
           "arn:aws:rds-db:us-east-2:1234567890:dbuser:db-ABCDEFGHIJKL01234/dbuser"
         ]
       }
     ]
   }
   ```
3. Add a Trust Relationship to the IAM role. The `sub` condition restricts the role to a single Kubernetes service account, written as `system:serviceaccount:<namespace>:<service-account-name>`.

   ```json
   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Effect": "Allow",
         "Principal": {
           "Federated": "arn:aws:iam::111122223333:oidc-provider/oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
         },
         "Action": "sts:AssumeRoleWithWebIdentity",
         "Condition": {
           "StringEquals": {
             "oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE:sub": "system:serviceaccount:<namespace>:<service-account-name>"
           }
         }
       }
     ]
   }
   ```
4. Create a database user with the same name specified in the policy above, and grant it the `rds_iam` role.

   ```sql
   CREATE USER dbuser WITH LOGIN;
   GRANT rds_iam TO dbuser;
   GRANT CREATE ON DATABASE coder TO dbuser;
   ```
5. Set the following values in your Helm chart and re-deploy Coder.

   ```yaml
   coderd:
     builtinProviderServiceAccount:
       annotations:
         # This role is assumed by the coderd pods; it must carry the IAM policy from Step 2.
         "eks.amazonaws.com/role-arn": "arn:aws:iam::1234567890:role/example"
   postgres:
     host: "example.us-east-1.rds.amazonaws.com"
     port: "5432"
     user: "dbuser"
     database: "coder"
     # Note that the password field is not used with the awsiamrds connector.
     connector: "awsiamrds"
     default:
       # Disable the chart's built-in PostgreSQL so the external RDS instance is used.
       enable: false
   ```
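A mismatch between the policy's `Resource` ARN, the trust relationship's `sub` condition and the Helm `postgres.user` value is the most common reason this setup fails. The following Python check is an added example, not part of the Coder docs or chart: it parses the two IAM documents and reports disagreements before you deploy. The sample policy and trust relationship are constructed here with placeholder identifiers, and the policy deliberately names `db_user` while Helm uses `dbuser`, so the check reports that mismatch.

```python
import json
import re

# Shape of an rds-db:connect resource ARN: region, account, DB resource id, then the DB user.
ARN_RE = re.compile(r"^arn:aws:rds-db:[\w-]+:\d+:dbuser:[\w-]+/(\S+)$")

# Constructed sample inputs mirroring the setup above (placeholder identifiers only).
SAMPLE_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Action": ["rds-db:connect"],
  "Resource": ["arn:aws:rds-db:us-east-2:1234567890:dbuser:db-ABCDEFGHIJKL01234/db_user"]}]}""")
SAMPLE_TRUST = json.loads("""{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"Federated": "arn:aws:iam::111122223333:oidc-provider/oidc.eks.example.amazonaws.com/id/EXAMPLE"},
  "Action": "sts:AssumeRoleWithWebIdentity",
  "Condition": {"StringEquals": {"oidc.eks.example.amazonaws.com/id/EXAMPLE:sub": "system:serviceaccount:coder:coder"}}}]}""")

def _as_list(value):
    """IAM accepts either a string or a list for Action, Resource and condition values."""
    return [value] if isinstance(value, str) else list(value or [])

def policy_db_users(policy):
    """Database user names granted by Allow statements carrying rds-db:connect."""
    users = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "rds-db:connect" not in _as_list(stmt.get("Action")):
            continue
        for arn in _as_list(stmt.get("Resource")):
            match = ARN_RE.match(arn)
            if match:
                users.add(match.group(1))
    return users

def trust_subjects(trust):
    """Subjects accepted by the ':sub' StringEquals conditions of the trust policy."""
    subjects = set()
    for stmt in trust.get("Statement", []):
        for key, value in stmt.get("Condition", {}).get("StringEquals", {}).items():
            if key.endswith(":sub"):
                subjects.update(_as_list(value))
    return subjects

def check_config(policy, trust, helm_user, namespace, service_account):
    """Return mismatches between policy, trust relationship and Helm values (empty = consistent)."""
    problems = []
    users = policy_db_users(policy)
    if helm_user not in users and "*" not in users:
        problems.append(f"postgres.user {helm_user!r} not among policy DB users {sorted(users)}")
    expected = f"system:serviceaccount:{namespace}:{service_account}"
    if expected not in trust_subjects(trust):
        problems.append(f"trust policy does not allow service account {expected!r}")
    return problems
```

Call `check_config(policy, trust, "dbuser", "<namespace>", "<service-account-name>")` with your real documents; an empty list means the three pieces agree.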
Documentation references: