Search code examples
amazon-web-servicesamazon-rdsamazon-iamaws-aurora-serverlessaws-rds-data-service

Passing in IAM credentials when using the Aurora Serverless Data API?


I am trying to figure out how to pass in static IAM AWS credentials when using the AWS Data API to interact with an Aurora Serverless db.

I am using the AWS Python Boto library and I read data from a table like this (which by default uses the credentials of the default IAM user that is defined in my ~/.aws/credentials file):

rds_client = boto3.client('rds-data')
rds_client.execute_statement(
        secretArn=self.db_credentials_secrets_store_arn,
        database=self.database_name,
        resourceArn=self.db_cluster_arn,
        sql='SELECT * FROM TestTable;',
        parameters=[])

This works successfully.

But I want to be able to pass in an AWS Access Key and Secret Key as parameters to the execute_statement call, something like:

rds_client.execute_statement(
        accessKey='XXX',
        secretKey='YYY',
        secretArn=self.db_credentials_secrets_store_arn,
        database=self.database_name,
        resourceArn=self.db_cluster_arn,
        sql='SELECT * FROM TestTable;',
        parameters=[])

But that does not work.

Any ideas on how I can achieve this?

Thanks!


Solution

  • In order to accomplish this, you will need to create a new function that takes the access key and the secret key, create a client for that user, then make the call.

    def execute_statement_with_iam_user(accessKey, secretKey):
        rds_client = boto3.client(
            'rds',
            aws_access_key_id=accessKey,
            aws_secret_access_key=secretKey
        )
        rds_client.execute_statement(
                secretArn=self.db_credentials_secrets_store_arn,
                database=self.database_name,
                resourceArn=self.db_cluster_arn,
                sql='SELECT * FROM TestTable;',
                parameters=[])
    
    execute_statement_with_iam_user(accessKey, secretkey)
    

    FYI, AWS does not recommend hard coding your credentials like this. What you should be doing is assuming a role with a temporary session. For this, you would need to look into the sts client and creating roles for assumption.