pip install django-iam-dbauthIn your settings use the following
DATABASES = {
"default": {
"HOST": "<hostname>",
"USER": "<user>",
"NAME": "<db name>",
"ENGINE": 'django_iam_dbauth.aws.postgresql',
"OPTIONS": {
"use_iam_auth": True,
"sslmode": "require", # See discussion on SSL below
"resolve_cname_enabled": True,
}
}
}When using IAM authentication with RDS, SSL is required. If it's not used, such as when using a CNAME (see below), login will be denied with the below error:
django.db.utils.OperationalError: FATAL: pg_hba.conf rejects connection for host "1.2.3.4", user "some_user", database "some_database", SSL off
Acquired Token won't work with MySQL if use RDS instance name, which is a CNAME record, as a HOST, because by default it will be resolved to a cannonical name by django-iam-dbauth. As a result the hostname of the token will bi different. To prevent the module from resolving CNAME, set "resolve_cname_enabled" to False.
Currently, IAM authentication is not supported with CNAMEs. However, this package does CNAME resolution so that the
signed request for a password will work. The issue with this approach is that from the DB library's point of view, the
connection is initiated to the hostname as defined in the settings. If using SSL, certificate verification will fail.
In this case, for PostgreSQL you may want to set sslmode to require or verify-ca.
Further documentation: