Using AWS IAM Roles for FusionAuth Database Connections: Challenges and Best Practices
-
We want to remove hard-coded credentials and enable FusionAuth to connect to our PostgreSQL database using AWS IAM roles. Our setup includes FusionAuth running in an EKS deployment and the database hosted in RDS. We’d like to generate tokens (used as the password) automatically, as described in AWS RDS IAM Authentication.
The challenge is that these tokens are only valid for 15 minutes. If FusionAuth loses its connection to the database and attempts to reauthenticate after the token expires, it would fail. While generating tokens through an init-container or similar approach is possible, it doesn't resolve the issue of token expiration for reconnections.
Does FusionAuth have a way to handle this, or are there any best practices you recommend to implement such a setup?
-
Unfortunately, FusionAuth does not currently support using AWS IAM authentication for database connections or automatic rotation of database credentials. There is an open issue tracking this feature request:
GitHub Issue #973. For now, this functionality would need to be handled outside of FusionAuth. For example, an external process or tool could be used to manage the generation and rotation of AWS IAM tokens. This might involve periodically restarting FusionAuth on a rolling 10-minute basis to ensure it picks up the updated credentials, or implementing a custom solution that works in conjunction with FusionAuth to manage database authentication. However, such approaches would not be officially supported by FusionAuth.
-
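The question above describes the core problem (an RDS IAM auth token is only accepted for 15 minutes, so a cached token fails on reconnect) and the answer points at an external process that regenerates tokens. The following is an added example written for this thread, not code from FusionAuth or from the people posting here. It shows how the 15-minute window can be read directly from the token (it is a SigV4 presigned request whose query string carries X-Amz-Date and X-Amz-Expires=900) and a small refresh helper that hands out a fresh token whenever the cached one is within a safety margin of expiry. The `constructed_token_source` and `FakeClock` are constructed for offline demonstration; `boto3_token_source` wires in the real SDK call (boto3's `generate_db_auth_token`) and assumes the pod's IAM role credentials are available through the normal provider chain.

```python
"""Refresh helper for AWS RDS IAM database-auth tokens (added example)."""
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional
from urllib.parse import parse_qs, urlsplit


def token_expiry(token: str) -> datetime:
    """Return the UTC moment an RDS IAM auth token stops being accepted.

    The token is a presigned URL with the scheme stripped; its query string
    carries the signing time (X-Amz-Date) and the validity window in seconds
    (X-Amz-Expires, always 900 for RDS).
    """
    params = parse_qs(urlsplit("https://" + token).query)
    signed_at = datetime.strptime(params["X-Amz-Date"][0], "%Y%m%dT%H%M%SZ")
    signed_at = signed_at.replace(tzinfo=timezone.utc)
    return signed_at + timedelta(seconds=int(params["X-Amz-Expires"][0]))


class TokenRotator:
    """Hands out a database password that is always a usable IAM token.

    A connection pool should call password() on every (re)connect instead of
    caching the string, so a reconnect after the 15-minute window gets a new
    token rather than failing with the expired one.
    """

    def __init__(self, generate: Callable[[], str],
                 margin: timedelta = timedelta(minutes=5),
                 clock: Callable[[], datetime] = lambda: datetime.now(timezone.utc)):
        self._generate = generate   # produces a new token (real: boto3, demo: constructed)
        self._margin = margin       # refresh this long before the token would expire
        self._clock = clock
        self._token: Optional[str] = None
        self._expires_at: Optional[datetime] = None
        self.refresh_count = 0

    def password(self) -> str:
        now = self._clock()
        if self._token is None or now >= self._expires_at - self._margin:
            self._token = self._generate()
            self._expires_at = token_expiry(self._token)
            self.refresh_count += 1
        return self._token


def boto3_token_source(hostname: str, port: int, username: str, region: str) -> Callable[[], str]:
    """Real generator: boto3 signs the token with the credentials resolved from
    the pod's IAM role (assumption: the role has rds-db:connect for this user)."""
    def generate() -> str:
        import boto3  # imported lazily so the module loads without the SDK installed
        client = boto3.client("rds", region_name=region)
        return client.generate_db_auth_token(DBHostname=hostname, Port=port,
                                             DBUsername=username, Region=region)
    return generate


class FakeClock:
    """Constructed, controllable clock so the refresh logic can be exercised offline."""

    def __init__(self, iso_utc: str):
        self.now = datetime.fromisoformat(iso_utc).replace(tzinfo=timezone.utc)

    def __call__(self) -> datetime:
        return self.now

    def advance(self, minutes: int) -> None:
        self.now += timedelta(minutes=minutes)


def constructed_token_source(clock: Callable[[], datetime]) -> Callable[[], str]:
    """CONSTRUCTED generator for demonstration: same shape as a real token
    (no scheme, SigV4 query parameters) but a placeholder signature, so RDS
    would reject it. Only the timestamp and expiry fields are meaningful."""
    def generate() -> str:
        stamp = clock().strftime("%Y%m%dT%H%M%SZ")
        return ("db.example.internal:5432/?Action=connect&DBUser=fusionauth"
                "&X-Amz-Algorithm=AWS4-HMAC-SHA256"
                f"&X-Amz-Date={stamp}&X-Amz-Expires=900"
                "&X-Amz-SignedHeaders=host&X-Amz-Signature=PLACEHOLDER")
    return generate


if __name__ == "__main__":
    clock = FakeClock("2024-01-01T12:00:00")
    rotator = TokenRotator(constructed_token_source(clock), clock=clock)
    for minutes in (0, 9, 2, 20):          # 12:00, 12:09, 12:11, 12:31
        clock.advance(minutes)
        token = rotator.password()
        print(f"{clock().time()} refreshes={rotator.refresh_count} "
              f"expires={token_expiry(token).time()}")
```

In an EKS deployment this logic would live in the sidecar or external process the answer describes, with `password()` feeding whatever mechanism hands the credential to FusionAuth; the refresh margin should be larger than the longest gap between that hand-off and an actual reconnect, otherwise a reconnect can still race an expiring token.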