Closed deinspanjer closed 8 months ago
Is your request related to a new offering from AWS?
Not a new offering, unsure if the desired feature is supported by the current module and dependencies.
Is your request related to a problem? Please describe.
Not a problem specific to the module. Need clarification if the module supports my use case.
Describe the solution you'd like.
Ideally, a solution that allows assigning a policy to an AWS SSO role that allows users to authenticate to a database using individual credentials without having to maintain a separate password.
If it isn't feasible to implement the solution with individual database user accounts, then using a shared account on the DB side is acceptable as long as there is an audit trail back to the user who assumed the role and connected to the proxy.
A hypothetical deployment might look like this:
Describe alternatives you've considered.
Standard AWS help docs on IAMDBAuth don't really touch on using an SSO assumed role, just plain static IAM accounts. https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.IAMPolicy.html https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.DBAccounts.html#UsingWithRDS.IAMDBAuth.DBAccounts.PostgreSQL
This sample seems to be a good fit, but it is using CloudFormation and Lambdas that complicate matters. https://github.com/aws-samples/sso-sync-to-amazon-rds