@lukeina2z lukeina2z commented Sep 26, 2025

Issue description:
MySQL user password is used to connect to MySQL hosted on AWS RDS.

Description of changes:

  • Updated Python Django app to use IAM role auth instead of base64 decoded password
  • Updated Java Spring Boot app to use IAM role auth with useAWSIam=true parameter
  • Updated Node.js app to use IAM role auth with SSL configuration
  • Removed RDS_MYSQL_CLUSTER_PASSWORD environment variables from all Terraform configurations
  • Removed password-related variables from Terraform variable files

Removed the RDS database connection string environment variable from the Java sample app. Now all sample apps behave consistently; they use the same four environment variables to connect to MySQL without requiring a MySQL user password.

AWS_REGION
RDS_MYSQL_CLUSTER_ENDPOINT
RDS_MYSQL_CLUSTER_DATABASE
RDS_MYSQL_CLUSTER_USERNAME

Rollback procedure:
Revert this PR, rebuild and redeploy these testing apps.

<Can we safely revert this commit if needed? If not, detail what must be done to safely revert and why it is needed.>
Yes.

Ensure you've run the following tests on your changes and include the link below:

To do so, create a test.yml file with name: Test and workflow description to test your changes, then remove the file for your PR. Link your test run in your PR description. This process is a short term solution while we work on creating a staging environment for testing.

NOTE: TESTS RUNNING ON A SINGLE EKS CLUSTER CANNOT BE RUN IN PARALLEL. See the needs keyword to run tests in succession.

  • Run Java EKS on e2e-playground in us-east-1 and eu-central-2
  • Run Python EKS on e2e-playground in us-east-1 and eu-central-2
  • Run metric limiter on EKS cluster e2e-playground in us-east-1 and eu-central-2
  • Run EC2 tests in all regions
  • Run K8s on a separate K8s cluster (check IAD test account for master node endpoints; these will change as we create and destroy clusters for OS patching)

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Updated Python Django app to use IAM role auth instead of base64 decoded password
Updated Java Spring Boot app to use IAM role auth with useAWSIam=true parameter
Updated Node.js app to use IAM role auth with SSL configuration
Removed RDS_MYSQL_CLUSTER_PASSWORD environment variables from all Terraform configurations
Removed password-related variables from Terraform variable files
All applications now use IAM role authentication for RDS connections
@lukeina2z lukeina2z changed the title [WIP] Replace RDS password-based authentication with IAM role authentication Replace RDS password-based authentication with IAM role authentication Sep 29, 2025
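
A sketch of the Python side of the change described above, added here as an illustration and not taken from this PR's code: it builds a Django `DATABASES` entry from the four environment variables, using a short-lived IAM auth token in place of a stored password. The function names, port 3306, the CA bundle path placeholder and the guard against a leftover `RDS_MYSQL_CLUSTER_PASSWORD` are assumptions of this example.

```python
import os

REQUIRED_VARS = (
    "AWS_REGION",
    "RDS_MYSQL_CLUSTER_ENDPOINT",
    "RDS_MYSQL_CLUSTER_DATABASE",
    "RDS_MYSQL_CLUSTER_USERNAME",
)
MYSQL_PORT = 3306  # assumption: default MySQL port; the PR does not state one
CA_BUNDLE = "/path/to/rds-ca-bundle.pem"  # placeholder path, not from the PR


def boto3_token(host, port, user, region):
    """Ask the RDS API for an IAM auth token, signed with the role's credentials."""
    import boto3  # lazy import so build_db_settings can be exercised offline

    client = boto3.client("rds", region_name=region)
    return client.generate_db_auth_token(
        DBHostname=host, Port=port, DBUsername=user, Region=region
    )


def build_db_settings(env=os.environ, token_provider=boto3_token, ca_bundle=CA_BUNDLE):
    """Return a Django DATABASES entry that authenticates with an IAM token."""
    missing = [name for name in REQUIRED_VARS if not env.get(name)]
    if missing:
        raise RuntimeError("missing environment variables: " + ", ".join(missing))
    # Added guard (hypothetical): fail loudly if the static password is still deployed.
    if env.get("RDS_MYSQL_CLUSTER_PASSWORD"):
        raise RuntimeError("RDS_MYSQL_CLUSTER_PASSWORD is still set; remove it")
    host = env["RDS_MYSQL_CLUSTER_ENDPOINT"]
    user = env["RDS_MYSQL_CLUSTER_USERNAME"]
    token = token_provider(host, MYSQL_PORT, user, env["AWS_REGION"])
    return {
        "ENGINE": "django.db.backends.mysql",
        "NAME": env["RDS_MYSQL_CLUSTER_DATABASE"],
        "HOST": host,
        "PORT": MYSQL_PORT,
        "USER": user,
        "PASSWORD": token,  # the token takes the place of the password
        # IAM database authentication only works over TLS.
        "OPTIONS": {"ssl": {"ca": ca_bundle}},
    }
```

An IAM auth token is valid for 15 minutes, so a long-running process has to request a fresh one for each new connection instead of generating it once when settings are imported.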