Use AWS RDS IAM secrets from duckdb-aws#467

Merged: staticlibs merged 1 commit into duckdb:main from staticlibs:aws_secret on May 11, 2026
Conversation

@staticlibs
Member

This PR builds on top of the following PR in duckdb-aws:

- duckdb/duckdb-aws#144

With the RDS IAM token generation done in `duckdb-aws`, now two secrets
are required for IAM auth:

1. secret of type `rds` that contains all the details used to generate
   the IAM token
2. secret of type `postgres` that contains all other connection details
   except the IAM token; the `rds` secret name is specified in this
   secret

Example:

```sql
LOAD aws;
LOAD postgres;

CREATE SECRET aws_rds_secret1 (
  TYPE rds,
  PROVIDER credential_chain,
  PROFILE 'DatabaseAdministrator-<account_id>',
  CHAIN 'env;sso;',
  REGION 'eu-west-1',
  RDS_USER 'postgres',
  RDS_HOST 'database-1-instance-1.xxxxxxxxxxxx.eu-west-1.rds.amazonaws.com',
  RDS_PORT '5432'
);

CREATE SECRET pg_rds_secret1 (
  TYPE postgres,
  HOST 'database-1-instance-1.xxxxxxxxxxxx.eu-west-1.rds.amazonaws.com',
  PORT '5432',
  USER 'postgres',
  DATABASE 'postgres',
  SSLMODE require,
  AWS_RDS_SECRET aws_rds_secret1
);
```

Testing: tested locally with Aurora using both `sso` and `env`
providers.

Ref: duckdb#464

@staticlibs merged commit 4e14d2e into duckdb:main on May 11, 2026 (7 checks passed)

@staticlibs deleted the aws_secret branch on May 11, 2026 09:45