OpenMetadata/openmetadata-docs/content/v1.7.x/deployment/iam-auth.md

---
title: How to enable AWS RDS IAM Auth  | Official Documentation
description: Learn how to securely connect OpenMetadata to AWS RDS using IAM authentication with correct environment variables and configuration best practices.
slug: /deployment/rds-iam-auth
collate: false
---

# Aws resources on RDS IAM Auth
[AWS Reference Doc](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.html)

# Requirements

1. AWS RDS Cluster with IAM auth enabled
2. User on DB Cluster with IAM enabled
3. IAM policy with permission on RDS connect
4. Role with IAM policy attached
5. IAM role attached to an EC2 instance on which openmetadata is deployed or ServiceAccount/Kube2Iam role attached to pod.

# How to enable ADS RDS IAM Auth on postgresql

Set the environment variables

```Commandline
  DB_USER_PASSWORD: "dummy"
  DB_PARAMS: "awsRegion=eu-west-1&allowPublicKeyRetrieval=true&sslmode=require&serverTimezone=UTC"
```

Either through helm (if deployed in kubernetes) or as env vars.

{% note %}

The `DB_USER_PASSWORD` is still required and cannot be empty. Set it to a random/dummy string.

{% /note %}

{% note %}

When using IAM authentication for AWS RDS, you must still provide a dummy value for the `DB_PASSWORD` environment variable. OpenMetadata automatically handles the IAM credentials internally. Ensure the following parameters are set for successful connection:

- `DB_PARAMS=awsRegion=us-east-1&allowPublicKeyRetrieval=true&serverTimezone=UTC`
- `DB_USE_SSL=true`  

These settings ensure proper token generation and secure communication with the RDS instance.

{% /note %}
MINOR - Prepare 1.3 docs directories (#14357) 2023-12-13 14:03:08 +01:00			`---`
Docs: RDS IAM Auth Updation (#22410) Co-authored-by: “Rounak <“rounakpreet.d@deuexsolutions.com”> 2025-07-17 12:17:51 +05:30			`title: How to enable AWS RDS IAM Auth \| Official Documentation`
			`description: Learn how to securely connect OpenMetadata to AWS RDS using IAM authentication with correct environment variables and configuration best practices.`
MINOR - Prepare 1.3 docs directories (#14357) 2023-12-13 14:03:08 +01:00			`slug: /deployment/rds-iam-auth`
DOCS - OSS deployment is flagged as Collate False (#17722) 2024-09-05 10:30:31 +02:00			`collate: false`
MINOR - Prepare 1.3 docs directories (#14357) 2023-12-13 14:03:08 +01:00			`---`

			`# Aws resources on RDS IAM Auth`
Docs: Hyper Link Insertion (#20748) Co-authored-by: Rounak Dhillon <rounakdhillon@Rounaks-MacBook-Air.local> 2025-04-10 12:41:19 +05:30			`[AWS Reference Doc](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.html)`
MINOR - Prepare 1.3 docs directories (#14357) 2023-12-13 14:03:08 +01:00
			`# Requirements`

			`1. AWS RDS Cluster with IAM auth enabled`
			`2. User on DB Cluster with IAM enabled`
			`3. IAM policy with permission on RDS connect`
			`4. Role with IAM policy attached`
			`5. IAM role attached to an EC2 instance on which openmetadata is deployed or ServiceAccount/Kube2Iam role attached to pod.`

			`# How to enable ADS RDS IAM Auth on postgresql`

			`Set the environment variables`

			```Commandline
			`DB_USER_PASSWORD: "dummy"`
			`DB_PARAMS: "awsRegion=eu-west-1&allowPublicKeyRetrieval=true&sslmode=require&serverTimezone=UTC"`
			```

			`Either through helm (if deployed in kubernetes) or as env vars.`

			`{% note %}`

			The `DB_USER_PASSWORD` is still required and cannot be empty. Set it to a random/dummy string.

Docs: Hyper Link Insertion (#20748) Co-authored-by: Rounak Dhillon <rounakdhillon@Rounaks-MacBook-Air.local> 2025-04-10 12:41:19 +05:30			`{% /note %}`
Docs: RDS IAM Auth Updation (#22410) Co-authored-by: “Rounak <“rounakpreet.d@deuexsolutions.com”> 2025-07-17 12:17:51 +05:30
			`{% note %}`

			When using IAM authentication for AWS RDS, you must still provide a dummy value for the `DB_PASSWORD` environment variable. OpenMetadata automatically handles the IAM credentials internally. Ensure the following parameters are set for successful connection:

			- `DB_PARAMS=awsRegion=us-east-1&allowPublicKeyRetrieval=true&serverTimezone=UTC`
			- `DB_USE_SSL=true`

			`These settings ensure proper token generation and secure communication with the RDS instance.`

			`{% /note %}`