Connect to RDS and Aurora without Database Passwords
Connect to RDS, Aurora, and Redshift using IAM database authentication
IAM database authentication replaces static database passwords with short-lived tokens generated from IAM credentials – with Vouch, hardware-backed ones.
TL;DR
- Prerequisites: Getting Started → AWS integration → this page.
- Admin, once: grant
rds-db:connecton the Vouch IAM role and enable IAM auth on the database user. - Each developer:
vouch exec --type rds --rds-hostname <host> --rds-username <user> -- psql, thenpsqljust works — the 15-minute token is injected automatically.
RDS / Aurora PostgreSQL
Developer taskvouch exec generates the token and injects PostgreSQL environment variables (PGPASSWORD, PGHOST, PGPORT, PGUSER, PGSSLMODE=require) automatically:
vouch exec --type rds \
--rds-hostname mydb.cluster-abc123.us-east-1.rds.amazonaws.com \
--rds-username mydbuser \
-- psql -d mydb
Or set them in your current shell:
eval "$(vouch env --type rds \
--rds-hostname mydb.cluster-abc123.us-east-1.rds.amazonaws.com \
--rds-username mydbuser)"
psql -d mydb
To generate just the token (for scripts or non-PostgreSQL clients):
TOKEN=$(vouch credential rds \
--hostname mydb.cluster-abc123.us-east-1.rds.amazonaws.com \
--username mydbuser)
Or use the AWS CLI with Vouch’s credential_process integration:
# Generate an IAM auth token (valid for 15 minutes)
TOKEN=$(aws rds generate-db-auth-token \
--hostname mydb.cluster-abc123.us-east-1.rds.amazonaws.com \
--port 5432 \
--username mydbuser \
--profile vouch)
# Connect with psql
PGPASSWORD="$TOKEN" psql \
-h mydb.cluster-abc123.us-east-1.rds.amazonaws.com \
-p 5432 \
-U mydbuser \
-d mydb \
"sslmode=require"
Database setup: grant the PostgreSQL user the rds_iam role:
GRANT rds_iam TO mydbuser;
RDS / Aurora MySQL
Developer taskMySQL requires --enable-cleartext-plugin because the IAM token is sent as a cleartext password over TLS.
Generate the token and pass it to the MySQL client:
TOKEN=$(vouch credential rds \
--hostname mydb.cluster-abc123.us-east-1.rds.amazonaws.com \
--username mydbuser \
--port 3306)
mysql -h mydb.cluster-abc123.us-east-1.rds.amazonaws.com \
-P 3306 \
-u mydbuser \
--password="$TOKEN" \
--ssl-mode=REQUIRED \
--enable-cleartext-plugin
Note:
vouch execandvouch env --type rdsinject PostgreSQL-style variables; MySQL users should usevouch credential rdsand pass the token manually.
# Generate an IAM auth token
TOKEN=$(aws rds generate-db-auth-token \
--hostname mydb.cluster-abc123.us-east-1.rds.amazonaws.com \
--port 3306 \
--username mydbuser \
--profile vouch)
# Connect with mysql (note: --enable-cleartext-plugin is required)
mysql -h mydb.cluster-abc123.us-east-1.rds.amazonaws.com \
-P 3306 \
-u mydbuser \
--password="$TOKEN" \
--ssl-mode=REQUIRED \
--enable-cleartext-plugin
Database setup: Create the user with the AWSAuthenticationPlugin:
CREATE USER 'mydbuser'@'%' IDENTIFIED WITH AWSAuthenticationPlugin AS 'RDS';
Amazon Redshift
Developer taskRedshift issues temporary credentials with a configurable lifetime (15–60 minutes); Vouch supports provisioned clusters and Redshift Serverless workgroups.
Using Vouch CLI (provisioned cluster)
vouch exec generates credentials and injects PostgreSQL environment variables (PGPASSWORD, PGUSER, PGSSLMODE=require) automatically:
vouch exec --type redshift \
--redshift-cluster-id my-cluster \
--redshift-db-name mydb \
-- psql -h my-cluster.abc123.us-east-1.redshift.amazonaws.com -p 5439
Or set them in your current shell:
eval "$(vouch env --type redshift \
--redshift-cluster-id my-cluster \
--redshift-db-name mydb)"
psql -h my-cluster.abc123.us-east-1.redshift.amazonaws.com -p 5439
To generate just the credentials:
vouch credential redshift --cluster-id my-cluster --db-name mydb
The --duration flag controls credential lifetime for provisioned clusters (900–3600 seconds, default: 900):
vouch credential redshift --cluster-id my-cluster --duration 3600
Using Vouch CLI (Redshift Serverless)
vouch exec --type redshift \
--redshift-workgroup my-workgroup \
--redshift-db-name mydb \
-- psql -h my-workgroup.123456789012.us-east-1.redshift-serverless.amazonaws.com -p 5439
Or generate credentials directly:
vouch credential redshift --workgroup my-workgroup --db-name mydb
Using AWS CLI
# Get temporary Redshift credentials
CREDS=$(aws redshift get-cluster-credentials \
--cluster-identifier my-cluster \
--db-user mydbuser \
--db-name mydb \
--duration-seconds 3600 \
--profile vouch)
# Extract and connect
DB_USER=$(echo "$CREDS" | jq -r '.DbUser')
DB_PASS=$(echo "$CREDS" | jq -r '.DbPassword')
PGPASSWORD="$DB_PASS" psql \
-h my-cluster.abc123.us-east-1.redshift.amazonaws.com \
-p 5439 \
-U "$DB_USER" \
-d mydb
Required IAM permissions
Admin taskYour Vouch IAM role needs permission to generate database auth tokens and credentials.
RDS / Aurora:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "rds-db:connect",
"Resource": "arn:aws:rds-db:us-east-1:123456789012:dbuser:cluster-ABC123/mydbuser"
}
]
}
Redshift (provisioned clusters):
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "redshift:GetClusterCredentialsWithIAM",
"Resource": "arn:aws:redshift:us-east-1:123456789012:dbname:my-cluster/*"
}
]
}
Redshift Serverless:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "redshift-serverless:GetCredentials",
"Resource": "arn:aws:redshift-serverless:us-east-1:123456789012:workgroup/*"
}
]
}
How it works
vouch login– The developer authenticates with their YubiKey.vouch credential rdsorvouch credential redshift– Vouch generates a short-lived auth token or temporary credentials.- Database client – The token is passed as the password to
psql,mysql, or another client;vouch exechandles this automatically.
vouch login → vouch credential rds|redshift → database client
vouch login → vouch exec --type rds|redshift -- psql
Troubleshooting
“PAM authentication failed for user”
Ensure IAM database authentication is enabled on the RDS instance and the database user has the rds_iam role (PostgreSQL) or was created with AWSAuthenticationPlugin (MySQL).
Token expired
RDS/Aurora auth tokens are valid for 15 minutes. Generate a fresh token before connecting. The token is only used to establish the connection – active sessions are not affected by expiry.
SSL required error
IAM database authentication requires SSL/TLS. Use sslmode=require for PostgreSQL or --ssl-mode=REQUIRED for MySQL.