Authenticate your Kong Gateway Amazon RDS database with AWS IAM
Starting in Kong Gateway 3.3.x, you can use AWS Identity and Access Management (IAM) authentication to connect to the AWS RDS database that you use for Kong Gateway. This page describes how to use this feature to secure your database configurations and database connections.
When you enable this feature, you don’t need to use a password when you connect to a database instance. Instead, you use a temporary authentication token. Because AWS IAM manages the authentication externally, the database doesn’t store user credentials. If you use AWS RDS for Kong Gateway’s database, you can enable this feature on your running cluster. This ensures that you don’t have to store database user credentials on both the Kong Gateway (
pg_password) and RDS database side.
AWS IAM authentication limitations
AWS IAM authentication also has some limitations. Go through each one before you use this feature in your production environment:
- For a traditional Kong Gateway cluster or single traditional nodes, only use IAM database authentication if Kong Gateway requires less than 200 new IAM database authentications per second. Establishing more connections per second can result in throttling. Authentication only happens on each connection’s initialization part after the connection is successfully established; the following queries and communication don’t authenticate. Check the TPS of the connection establishment on your database to ensure you aren’t encountering this limitation. Traditional clusters are more likely to encounter this limitation because each node needs to establish connections to the database. For more information, see Recommendations for IAM database authentication in the Amazon RDS user guide.
- Enabling AWS IAM authentication requires SSL connection to the database. To do this, you must configure your RDS cluster correctly and provide the correct SSL-related configurations on Kong Gateway’s side. Enabling SSL also results in some performance overhead if you didn’t previously use it. Currently, TLSv1.3 isn’t supported by AWS RDS.
- Since the Postgres RDS does not support mTLS, you can’t enable mTLS between the Kong Gateway and the Postgres RDS database when AWS IAM authentication is enabled.
- You can’t change the value of the environment variables that you use for the AWS credential after booting Kong Gateway.
For additional recommendations and limitations, see IAM database authentication for MariaDB, MySQL, and PostgreSQL in the Amazon RDS user guide.
Before you enable the AWS IAM authentication, you must configure your AWS RDS database and the AWS IAM role that Kong Gateway uses.
Enable the IAM database authentication on your database instance. For more information, see Enabling and disabling IAM database authentication in the Amazon RDS user guide.
Assign an IAM role to your Kong Gateway instance. Kong Gateway can automatically discover and fetch the AWS credentials to use for the IAM role.
- If you use an EC2 environment, use the EC2 IAM role.
- If you use an ECS cluster, use a ECS task IAM role.
If you use an EKS cluster, configure a Kubernetes service account that can annotate your assigned role and configure the pods to use an IAM role defined by
Using an IAM role defined by
serviceaccount requires a request to the AWS STS service, so you also need to make sure that your Kong instance inside the Pod can access the AWS STS service endpoint.
If you’re using STS regional endpoints, make sure you have
AWS_STS_REGIONAL_ENDPOINTS defined in your environment variables.
- If you run Kong Gateway locally, use the environment variables, like access key and secret key combination by using
AWS_SECRET_ACCESS_KEY, or profile and credential file combination by using
Warning: You can’t change the value of the environment variables you used to provide the AWS credential after booting Kong Gateway. Any changes are ignored.
Assign an IAM policy to the Kong Gateway IAM role. For more information, see Creating and using an IAM policy for IAM database access in the Amazon RDS documentation.
Ensure you create the database account in the RDS. For more information, see Using IAM authentication with PostgreSQL in the Amazon RDS documentation.
- The database user assigned to the
rds_iam role can only use the IAM database authentication.
- Make sure to create the database and grant the correct permissions to the database user you just created. See Using a database for more information.
Enabling AWS IAM authentication
You can enable AWS IAM authentication by using an environment variable or using the Kong Gateway configuration file. You can either enable this feature in both read-only and read-write mode, or just enable it in read-only mode.
Note: When the AWS IAM authentication is enabled, Kong Gateway will ignore the related password configs. Enabling the authentication only in read-only mode will not influence the read-write related configs, so
pg_password function normally.
Before you enable AWS IAM authentication, you must do the following in the
- Check that
pg_ro_user matches the username you defined in the IAM policy and created in the Postgres RDS database.
Enable AWS IAM authentication with environment variables
To enable AWS IAM authentication in read-write and read-only mode, set the
KONG_PG_IAM_AUTH environment variable to
To enable AWS IAM authentication in read-only mode, you can set the following:
KONG_PG_IAM_AUTH=off # This line can be omitted because off is the default value
Enable AWS IAM authentication in the configuration file
kong.conf file contains the
Just like the environment variable, you can set them to
on accordingly, if you want to enable the IAM Authentication on both read and write connection, or just read-only connection to the RDS Postgres database.
To enable AWS IAM authentication in read-write mode, set
To enable AWS IAM authentication in read-only mode, set
Note: If you enable AWS IAM authentication in the configuration file, you must specify the configuration file with the feature property on when you run the migrations command. For example,
kong migrations bootstrap -c /path/to/kong.conf.