问题
I know that with Amazon Aurora MySQL, we can authenticate to the DB instance or DB cluster using AWS IAM database authentication. I followed the instructions here and It is working as instructed. However, this solution still needs the AWS credentials to be stored on the EC2 instance. I thought the whole purpose of this is to use the IAM roles to manage temporary credentials for applications running on an EC2 instance, so that we do not have to distribute long-term credentials (such as a user name and password or access keys) to an EC2 instance. Is there any way to connect to Amazon Aurora MySQL with an IAM role which does not need the AWS credentials to be directly stored within the EC2 instance?
Here are some screenshots:
~/.aws/credentials:
Can connect to the DB instance:
Comment the aws credentials:
Now can't connect to the DB instance:
Here is the policies attached to the EC2 Role:
And, here is the policy "AmazonAuroraDBConnectAccess":
The username is created by:
create user usuarioiam IDENTIFIED WITH AWSAuthenticationPlugin as 'RDS';
Also ran aws sts get-caller-identity. The expected IAM EC2 role is being used:
来源:https://stackoverflow.com/questions/51447319/connecting-to-amazon-aurora-with-aws-iam-db-authentication