AWS IAM authentication

NPSaaS supports AWS IAM authentication from NPS version 11.2.2.11 onwards. To authenticate as an IAM user, you need the access key ID and the secret access key associated with your AWS account. Refer to the AWS documentation on creating and managing access keys for details.

Set your authentication method to AWS IAM with the REGISTER EXTERNAL AUTHENTICATION SYSTEM SQL statement.

Before you begin

Make sure that the AWS IAM user has the following minimal permissions on the AWS side:

  • ListAccessKeys
  • GetUser
  • ListGroupsForUser
  • ListMFADevices
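
The following is an added example, not part of the IBM documentation. It shows what a least-privilege IAM policy granting exactly the four actions above looks like, and includes a small offline check that a policy document does grant them (wildcards, `NotAction`, and explicit `Deny` are handled the way IAM evaluates them). The action names come from the list above; scoping the resource to the caller's own user ARN via the `${aws:username}` policy variable is an assumption about what is sufficient, not something the documentation states. The checker only looks at the action dimension and ignores conditions and resource ARNs, so a passing result means "not obviously missing", not "proven to work".

```python
"""Least-privilege IAM policy for NPSaaS AWS IAM authentication, plus an
offline check that a policy document grants the four required actions.

Added example; not from the IBM docs. The four actions come from the
"Before you begin" list; the resource scoping is an assumption.
"""
import fnmatch
import json

# Actions the NPSaaS side needs on behalf of the authenticating IAM user.
REQUIRED_ACTIONS = (
    "iam:ListAccessKeys",
    "iam:GetUser",
    "iam:ListGroupsForUser",
    "iam:ListMFADevices",
)

# Constructed least-privilege policy. "${aws:username}" is an IAM policy
# variable that resolves to the calling user's name, so each user can only
# read their own key, group and MFA metadata (assumption: the lookup is
# performed as the authenticating user, against that user's own record).
MINIMAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "NpsaasIamAuthLookup",
            "Effect": "Allow",
            "Action": list(REQUIRED_ACTIONS),
            "Resource": "arn:aws:iam::*:user/${aws:username}",
        }
    ],
}


def _as_list(value):
    """IAM allows a scalar or a list for Statement/Action/NotAction."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def _matches(pattern, action):
    """IAM action patterns are case-insensitive and support '*' and '?'."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def missing_actions(policy):
    """Return the required actions that no Allow statement grants.

    An explicit Deny wins over any Allow, as in IAM evaluation. Accepts a
    dict or a JSON string. Only Action/NotAction are evaluated; conditions
    and resource ARNs are ignored.
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement")):
        effect = stmt.get("Effect")
        patterns = _as_list(stmt.get("Action"))
        not_patterns = _as_list(stmt.get("NotAction"))
        for action in REQUIRED_ACTIONS:
            hit = any(_matches(p, action) for p in patterns)
            # NotAction: the statement covers everything except the listed patterns.
            if not_patterns and not any(_matches(p, action) for p in not_patterns):
                hit = True
            if hit:
                (allowed if effect == "Allow" else denied).add(action)
    return [a for a in REQUIRED_ACTIONS if a not in allowed or a in denied]


def policy_is_sufficient(policy):
    """True when every required action is allowed and none is explicitly denied."""
    return not missing_actions(policy)


if __name__ == "__main__":
    print(json.dumps(MINIMAL_POLICY, indent=2))
    print("sufficient:", policy_is_sufficient(MINIMAL_POLICY))
```

Run it to print the policy document, or call `missing_actions()` on the inline policy attached to the IAM user before registering the AWSIAM authentication system, so that a login failure can be separated from a permissions gap.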

Enabling AWS IAM authentication

You can use either of two methods to enable AWS IAM authentication: the web console or the command line.

Enabling AWS IAM authentication needs to be done only once.

Enabling AWS IAM authentication through web console

  1. Log in to the web console as a user who is part of an administrative group.

  2. Go to the Query editor.

  3. Register an AWS IAM external authentication system.

    REGISTER EXTERNAL AUTHENTICATION SYSTEM 'AWSIAM';
    
  4. Create a user or users with the external authentication method set to AWS IAM as described in Creating users.

  5. Verify whether the user was created successfully.

    1. Go to Users and groups > Users.
    2. Locate the user.
    3. Check the Authentication type section for the user.

Enabling AWS IAM authentication from the command line

  1. Connect to NPSaaS as a user who is part of the administrative group.

    In this example, the nzsql command is used. You can also use the ODBC or JDBC drivers.

    nzsql -host <nps_hostname> -u admin -pw XXXXX

    Input          Description
    nps_hostname   Specifies the IP address of your instance. To retrieve the NPS hostname:
                     1. Log in to your IBM Cloud account.
                     2. Go to Private endpoints > Service instance details.
                     3. Select your instance. Your instance IP address appears on the page.
    user           Specifies the username (admin in the example).
    password       Specifies the password (XXXXX in the example is a placeholder).
  2. As an admin, register the AWSIAM external authentication system. This step is required only once, for the initial registration.

    REGISTER EXTERNAL AUTHENTICATION SYSTEM 'AWSIAM';
    
  3. Create a user or users with the external authentication method set to AWSIAM.

    CREATE USER <USERNAME> AUTH EXTERNAL 'AWSIAM';
    

    Example:

    CREATE USER AWSUSER AUTH EXTERNAL 'AWSIAM';
    

Disabling AWS IAM authentication

Run the following query from the web console, the nzsql client, or any client of your choice to disable the AWS IAM external authentication system.

DEREGISTER EXTERNAL AUTHENTICATION SYSTEM 'AWSIAM';

Limitations

  • AWS IAM authentication does not work for federated IAM users, or where a session token is also required for authentication.