Tags: amazon-web-services, amazon-rds, amazon-iam, amazon-aurora, aws-aurora-serverless

AWS Aurora Serverless v2 IAM login with aws:SourceIp not working


I am trying to configure IP access restrictions for my public Aurora Serverless v2 cluster with IAM authentication (PostgreSQL).

After applying the policy below, I cannot connect to the cluster with the generated token.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "rds-db:connect"
            ],
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": [
                        "123.241.200.168/32"
                    ]
                }
            },
            "Effect": "Allow",
            "Resource": [
                "arn:aws:rds-db:eu-central-1:7777777836:dbuser:cluster-QQQIDWE6WQ/client01"
            ]
        }
    ]
}

After switching the condition to "IpAddressIfExists", it allows me to connect from any address, so I assume that there is no address available on connect. Is it possible to configure IP restrictions at the account level?


Solution

  • So it looks like the only way to achieve what I want is to:

    1. create a role with rds-db:connect permissions on the postgres user
    2. add a trust policy with sts:AssumeRole limited to the IP address
    3. assign the role to the user
    4. generate the token from the role assumed by the user

    Access to the database is not limited by IP, so if someone retrieves a token from the user they will be able to connect, but tokens are valid for 15 minutes by default, so it fulfils my requirements.

    Thank you @rowanu for the answer; it helped me a lot.
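The four steps above, worked through as an added example (not code from the question or the answer): the `aws:SourceIp` condition sits on `sts:AssumeRole`, which the client calls from its own IP, rather than on `rds-db:connect`, which is evaluated when the token is presented to the cluster without a client IP in the request context. The token itself is a SigV4 query-string presign of `GET https://host:port/?Action=connect&DBUser=...`; the block re-implements that construction with the standard library so the 15-minute window and the binding to the assumed-role credentials are visible. The account ID, ARNs, cluster endpoint, credentials and timestamps are made-up placeholders; in production take the token from `aws rds generate-db-auth-token` or the SDK rather than from this re-implementation.

```python
"""Added example: IP-restricted AssumeRole in front of an unrestricted rds-db:connect,
plus the SigV4 presign that produces the 15-minute auth token. Standard library only;
all identifiers and credentials are constructed placeholders."""
import datetime as dt
import hashlib
import hmac
from urllib.parse import parse_qs, quote, urlsplit

EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()  # payload hash of the empty GET body


def role_trust_policy(user_arn, allowed_cidrs):
    """Trust policy of the connect role: only this user, only from these CIDRs.
    The STS request context carries aws:SourceIp, so the condition bites here."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": user_arn},
        "Action": "sts:AssumeRole",
        "Condition": {"IpAddress": {"aws:SourceIp": list(allowed_cidrs)}},
    }]}


def role_connect_policy(db_user_arn):
    """Permission policy attached to the role: rds-db:connect with NO IP condition."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "rds-db:connect", "Resource": [db_user_arn],
    }]}


def user_assume_policy(role_arn):
    """Policy attached to the IAM user so it may assume the connect role."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": role_arn,
    }]}


def _hmac(key, msg):
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def generate_db_auth_token(host, port, db_user, region, access_key, secret_key,
                           session_token=None, now=None, expires=900):
    """SigV4 query presign of GET https://host:port/?Action=connect&DBUser=...
    (illustrative re-implementation of what boto3's generate_db_auth_token does).
    Feed it the temporary credentials from AssumeRole: the token is bound to those
    credentials and to the expiry window, not to the IP of whoever presents it."""
    now = now or dt.datetime.now(dt.timezone.utc)
    amz_date, date_stamp = now.strftime("%Y%m%dT%H%M%SZ"), now.strftime("%Y%m%d")
    scope = f"{date_stamp}/{region}/rds-db/aws4_request"
    params = {
        "Action": "connect", "DBUser": db_user,
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date, "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    if session_token:  # always present for assumed-role credentials
        params["X-Amz-Security-Token"] = session_token
    qs = "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                  for k, v in sorted(params.items()))
    canonical_request = "\n".join(["GET", "/", qs, f"host:{host}:{port}\n", "host", EMPTY_SHA256])
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    k = _hmac(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    for part in (region, "rds-db", "aws4_request"):
        k = _hmac(k, part)
    signature = hmac.new(k, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{host}:{port}/?{qs}&X-Amz-Signature={signature}"


def token_seconds_remaining(token, now):
    """Lifetime left in a token at `now`, read from its X-Amz-Date and X-Amz-Expires.
    Negative once the window has passed, which is what limits a stolen token."""
    q = parse_qs(urlsplit("https://" + token).query)
    issued = dt.datetime.strptime(q["X-Amz-Date"][0], "%Y%m%dT%H%M%SZ").replace(tzinfo=dt.timezone.utc)
    return int((issued + dt.timedelta(seconds=int(q["X-Amz-Expires"][0])) - now).total_seconds())


# Constructed sample values; the real credentials come from `aws sts assume-role`.
SAMPLE_NOW = dt.datetime(2024, 1, 2, 3, 4, 5, tzinfo=dt.timezone.utc)
SAMPLE = dict(host="mycluster.cluster-abc123.eu-central-1.rds.amazonaws.com", port=5432,
              db_user="client01", region="eu-central-1", access_key="ASIAEXAMPLEKEY",
              secret_key="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
              session_token="FwoGZXIvYXdzEExample/Session+Token==")


def sample_token():
    return generate_db_auth_token(now=SAMPLE_NOW, **SAMPLE)


if __name__ == "__main__":
    print(role_trust_policy("arn:aws:iam::111122223333:user/client01", ["123.241.200.168/32"]))
    print(role_connect_policy("arn:aws:rds-db:eu-central-1:111122223333:dbuser:cluster-ABC123/client01"))
    tok = sample_token()
    print(tok)
    print("seconds remaining after 14 min:", token_seconds_remaining(tok, SAMPLE_NOW.replace(minute=18)))
```

In practice the flow is: from an allowed address run `aws sts assume-role --role-arn <connect role> --role-session-name db` (the trust policy rejects it from anywhere else), export the returned access key, secret key and session token, then `aws rds generate-db-auth-token --hostname <endpoint> --port 5432 --region eu-central-1 --username client01` and use the output as the password for `psql` with `sslmode=require`, which IAM authentication needs. Anyone who obtains the token can connect from any IP until `X-Amz-Date` plus `X-Amz-Expires` passes, which is exactly the residual risk the answer accepts.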