django-iam-dbauth

Django IAM database backends

Usage

pip install django-iam-dbauth

In your settings use the following

DATABASES = {
    "default": {
        "HOST": "<hostname>",
        "USER": "<user>",
        "NAME": "<db name>",
        "ENGINE": 'django_iam_dbauth.aws.postgresql',
        "OPTIONS": {
            "use_iam_auth": True,
            "sslmode": "require",   # See discussion on SSL below
            "resolve_cname_enabled": True,
        }
    }
}

SSL and PostgreSQL

When using IAM authentication with RDS, SSL is required. If it's not used, such as when using a CNAME (see below), login will be denied with the below error:

django.db.utils.OperationalError: FATAL:  pg_hba.conf rejects connection for host "1.2.3.4", user "some_user", database "some_database", SSL off

SSL and MySQL

Acquired Token won't work with MySQL if use RDS instance name, which is a CNAME record, as a HOST, because by default it will be resolved to a cannonical name by django-iam-dbauth. As a result the hostname of the token will bi different. To prevent the module from resolving CNAME, set "resolve_cname_enabled" to False.

CNAME considerations

Currently, IAM authentication is not supported with CNAMEs. However, this package does CNAME resolution so that the signed request for a password will work. The issue with this approach is that from the DB library's point of view, the connection is initiated to the hostname as defined in the settings. If using SSL, certificate verification will fail. In this case, for PostgreSQL you may want to set sslmode to require or verify-ca.

Further documentation:

• PostgreSQL SSL modes
• AWS guide on IAM DB authentication