Aurora PostgreSQL (IAM)

Overview

This guide explains how to add an Aurora PostgreSQL database as a datasource in StrongDM using AWS IAM for authentication.

When the resource is added, StrongDM proxies client connections through a node (gateway, relay, or proxy cluster). This enables centralized access control, credential management, and audit logging. IAM authentication replaces static passwords with temporary authentication tokens that StrongDM retrieves from AWS.

Use this guide to complete all necessary preparations to add this resource to your StrongDM environment; input the correct properties in the Admin UI, CLI, SDKs, or Terraform provider; and test for a successful connection.

For general information about how to add a database as a resource in StrongDM, see our main guide, Add a Datasource.

Supported Versions and Clients

StrongDM supports Aurora PostgreSQL clusters that have IAM database authentication enabled. Supported engine versions include Aurora PostgreSQL-compatible releases (for example, versions based on PostgreSQL 9.6, 10.x, 11.x, 12.x, 13.x, and 14.x depending on Aurora’s availability in your region).

StrongDM works with any standard PostgreSQL client or library, such as:

• psql CLI

• GUI tools like DBeaver or DataGrip

• Application frameworks using PostgreSQL drivers

Prerequisites

To add your resource in StrongDM, you need to meet several technical and configuration prerequisites. Please ensure that the following requirements are met.

In StrongDM, you must have the following:

• Administrator permission level

• At least one operational StrongDM node (gateway, relay, or proxy cluster) that can reach the Aurora PostgreSQL cluster endpoint and port (5432).

• If using secrets management tools for storing your credentials, a Secret Store configured in StrongDM

On the AWS side, you must have the following:

• Aurora PostgreSQL cluster with IAM database authentication enabled

• Database user created with IAM authentication (for example: CREATE USER db_iam_user WITH LOGIN; ALTER USER db_iam_user WITH rds_iam;)

• IAM role or IAM user with:

  • rds-db:connect permission on the DB resource

  • AWS permissions to generate database tokens (rds:GenerateDbAuthToken)

• Correct VPC, subnet, and security group rules so StrongDM nodes can reach the cluster endpoint

Resource Setup

Some setup steps are required to prepare an Aurora PostgreSQL (IAM) resource to receive connections via StrongDM.

1. The AWS administrator should enable IAM authentication for the target PostgreSQL cluster in the AWS Management Console. This can be done at creation, or be modified at a later time. This is done by locating the Database authentication setting and choosing the option Password and IAM database authentication.

2. A PostgreSQL administrator needs to log in to the database and grant the rds_iam permission either to an existing user or a newly created user for use with StrongDM. For example, GRANT rds_iam TO db_userx where db_userx is the username.

3. Finally, the AWS administrator needs to add an IAM policy to the IAM role that is attached to the gateway or relay to allow access, as in the example shown.

{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Effect": "Allow",
         "Action": [
             "rds-db:connect"
         ],
         "Resource": [
             "arn:aws:rds-db:us-east-2:1234567890:dbuser:cluster-ABCDEFGHIJKL01234/db_userx"
         ]
      }
   ]
}

Resource Management in StrongDM

After all prerequisites and prep work is done, you are ready to add the resource to StrongDM. This section provides instructions for adding the resource in either the StrongDM Admin UI, CLI, Terraform provider, or SDKs.

# Add Aurora PostgreSQL (IAM) datasource
sdm admin datasources add aurorapostgresiam aurora-pg-iam-prod
  --hostname="mypg-cluster.cluster-abcdefghijkl.us-east-1.rds.amazonaws.com"
  --port=5432
  --database="production"
  --region="us-east-1"
  --username="iam_db_user"
  --role-arn="arn:aws:iam::123456789012:role/AuroraPGDBRole"
  --role-external-id="optional-external-id"
  --tls-required
  --bind-interface="127.0.0.1"
  --egress-filter="tag:env=prod"
  --port-override="-1"
  --proxy-cluster-id="n-1a2b345c67890123"
  --secret-store-id="se-e1b2"
  --subdomain="aurora-pg-iam-prod"
  --tags="env=production,team=data"

# Install StrongDM provider
terraform {
  required_providers {
    sdm = {
      source  = "strongdm/sdm"
      version = "5.1.0"
    }
  }
}

# Configure StrongDM provider
provider "sdm" {
  # Add API access key and secret key from Admin UI
  api_access_key = "njjSn...5hM"
  api_secret_key = "ziG...="
}

# Create Aurora PostgreSQL (IAM) resource
resource "sdm_aurorapostgresiam" "aurora_pg_prod" {
  name       = "aurora-pg-iam-prod"
  hostname   = "mypg-cluster.cluster-abcdefghijkl.us-east-1.rds.amazonaws.com"
  port       = 5432
  database   = "production"
  region     = "us-east-1"
  username   = "iam_db_user"

  # IAM options
  role_arn         = "arn:aws:iam::123456789012:role/AuroraPGDBRole"
  role_external_id = "optional-external-id"
  # Alternative:
  # access_key_id     = "AKIAEXAMPLE"
  # secret_access_key = "secretKeyExample123"

  # Networking / routing
  tls_required     = true
  bind_interface   = "127.0.0.1"
  egress_filter    = "tag:env=prod"
  port_override    = 12345
  proxy_cluster_id = "n-1a2b345c67890123"

  # Secrets / metadata
  secret_store_id = "se-e1b2"
  subdomain       = "aurora-pg-iam-prod"
  tags = {
    env  = "production"
    team = "data"
  }
}

Configuration Properties

The following configuration properties are required to define an Aurora PostgreSQL (IAM) datasource in StrongDM. These settings control how StrongDM connects to the resource, authenticates the connection, and optionally uses encryption or secret management. Each property must be correctly configured to ensure connectivity and access enforcement through StrongDM.

Secret Store options

By default, datasource credentials are stored in StrongDM. However, these credentials can also be saved in a secrets management tool.

Non-StrongDM options appear in the Secret Store dropdown if they are created under Settings > Secrets Management. When you select another Secret Store type, its unique properties display. For more details, see Configure Secret Store Integrations.

Resource status

After a resource is created, the Admin UI displays that resource as unhealthy until the healthchecks run successfully. When the resource is ready, the Health icon indicates a positive, green status.

When the resource does not display a positive status, click the resource name to go to the Diagnostics tab and check for errors.

Test the Connection

After you have added your resource in StrongDM, follow these steps to verify that it’s working correctly.

1. Assign yourself access by ensuring that your user or role has access to the resource. In the StrongDM Admin UI, go to Access > Roles, and verify that the resource is attached to a role you’re in.

2. In the CLI, run sdm status to list the available datasources. Ensure that the resource appears in your list of accessible datasources.

3. Start a session to the resource, as in the following example:

   Copy

   sdm connect aurora-pg-iam-prod

   This sets local environment variables (such as PGHOST, PGPORT, PGUSER, and so forth) for connecting. See the CLI Reference documentation for details on sdm connect.

4. Connect with psql:

   Copy

   psql "$PGDATABASE"

   Run a simple query to confirm:

   Copy

   SELECT version();

5. In the StrongDM Admin UI, check Logs > Queries (and Logs > Connections) to confirm the session and and queries are logged.

When these steps succeed, you’re ready to connect to your resource through StrongDM.

Help

If you encounter issues, please consult the StrongDM Help Center.

Be prepared to provide the following information to StrongDM Support, so that they can inspect logs and confirm node and resource health:

• Resource name or ID

• CLI error output or logs

• Node name and region

• Timestamps of failed attempts