AWS IAM authentication
NPSaaS supports AWS IAM authentication from NPS version 11.2.2.11 onwards. To authenticate IAM users, you need the ACCESS-KEY and SECRET-ACCESS-KEY associated with your AWS account. Refer to create/manage AWS access keys for details.
Set your authentication method to AWS IAM with the REGISTER EXTERNAL AUTHENTICATION SYSTEM SQL statement.
Before you begin
Make sure that the AWS IAM user has the following minimal permissions on the AWS side:
- ListAccessKeys
- GetUser
- ListGroupsForUser
- ListMFADevices
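As an added check that is not part of the IBM documentation, the following Python script reads an IAM policy document and reports which of the four actions listed above it fails to grant, honouring wildcard actions, NotAction and explicit Deny statements. It assumes the actions carry the iam: service prefix they have in a policy document, ignores Resource and Condition elements, and uses constructed sample policies.

```python
import fnmatch
import json

# The minimal IAM actions this page lists, with the "iam:" prefix they carry in a policy.
REQUIRED_ACTIONS = ("iam:ListAccessKeys", "iam:GetUser",
                    "iam:ListGroupsForUser", "iam:ListMFADevices")


def _as_list(value):
    """IAM lets Statement, Action and NotAction be a single item or a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def _covers(statement, action):
    """True if the statement's Action/NotAction applies to `action`.
    IAM action matching is case-insensitive and allows * and ? wildcards."""
    act = action.lower()
    if "Action" in statement:
        return any(fnmatch.fnmatchcase(act, p.lower()) for p in _as_list(statement["Action"]))
    if "NotAction" in statement:
        return not any(fnmatch.fnmatchcase(act, p.lower()) for p in _as_list(statement["NotAction"]))
    return False


def missing_permissions(policy_json):
    """Return the required actions the policy does not grant: an action is
    granted when an Allow statement covers it and no Deny statement does
    (explicit Deny wins). Resource and Condition are not evaluated here
    (assumption: the policy scopes these calls to the user's own ARN or "*")."""
    statements = _as_list(json.loads(policy_json).get("Statement"))
    missing = []
    for action in REQUIRED_ACTIONS:
        allowed = any(s.get("Effect") == "Allow" and _covers(s, action) for s in statements)
        denied = any(s.get("Effect") == "Deny" and _covers(s, action) for s in statements)
        if denied or not allowed:
            missing.append(action)
    return missing


# Constructed sample policies (not from the page): wildcards grant all four actions
# but an explicit Deny removes ListMFADevices; the second grants exactly the four.
WILDCARD_WITH_DENY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iam:Get*", "iam:List*"], "Resource": "*"},
    {"Effect": "Deny", "Action": "iam:ListMFADevices", "Resource": "*"}]})
EXACT_ALLOW = json.dumps({"Version": "2012-10-17", "Statement":
    {"Effect": "Allow", "Action": list(REQUIRED_ACTIONS), "Resource": "*"}})

if __name__ == "__main__":
    for name, doc in (("wildcard+deny", WILDCARD_WITH_DENY), ("exact", EXACT_ALLOW)):
        print(f"{name}: missing {missing_permissions(doc) or 'nothing'}")
```

Run it against the policy attached to the IAM user whose keys you intend to register; an empty result means the four calls are permitted at the policy level.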
Enabling AWS IAM authentication
You can use either of two methods to enable AWS IAM authentication. Enabling AWS IAM authentication only needs to be done once.
Enabling AWS IAM authentication through web console
- Log in to the web console as a user who is part of an administrative group.
- Go to the Query editor.
- Register an AWS IAM external authentication system.
  REGISTER EXTERNAL AUTHENTICATION SYSTEM 'AWSIAM';
- Create a user or users with the external authentication method set to AWS IAM as described in Creating users.
- Verify whether the user was created successfully.
  - Go to Users and groups > Users.
  - Locate the user.
  - Check the Authentication type section for the user.
Enabling AWS IAM authentication from command-line
- Connect to NPSaaS as a user who is part of the administrative group.
  In the example, the nzsql command is used. You can also use the ODBC or JDBC drivers.
  nzsql -host <nps_hostname> -u admin -pw XXXXX
  Example input and description:
  - nps_hostname: Specifies the IP address of your instance. To retrieve the NPS HOSTNAME:
    - Log in to your IBM Cloud account.
    - Go to Private endpoints > Service instance details.
    - Select your instance.
    Your instance IP address appears on the page.
  - user: Specifies the username.
  - password: Specifies the password.
- As an admin, set up the AWSIAM external authentication system (for initial registration only).
  REGISTER EXTERNAL AUTHENTICATION SYSTEM 'AWSIAM';
- Create a user or users with the external authentication method set to AWSIAM.
  CREATE USER <USERNAME> AUTH EXTERNAL 'AWSIAM';
  Example:
  CREATE USER AWSUSER AUTH EXTERNAL 'AWSIAM';
Disabling AWS IAM authentication
Run the following query to disable the AWS IAM external authentication system from the web console, the nzsql client, or any client of your choice.
DEREGISTER EXTERNAL AUTHENTICATION SYSTEM 'AWSIAM';
Limitations
- AWS IAM authentication does not work for federated IAM users or where a session token is also required for authentication.