Applies to:
- Liquibase Pro
Summary:
AWS provides the ability to generate tokens to authenticate a user to connect to a database. Further information can be found in this article: Using IAM authentication to connect with pgAdmin Amazon Aurora PostgreSQL or Amazon RDS for PostgreSQL.
Liquibase doesn't natively support these tokens in the liquibase.properties file. However, in combination with environment variables, Liquibase can pass along the token as the password for connecting to the target AWS database.
Environment Conditions:
- Liquibase
- AWS
- AWS CLI
How to:
- Depending on your platform/pipeline, set the password environment variable (LIQUIBASE_COMMAND_PASSWORD), which Liquibase reads during Liquibase operations.
- Note: If you use the environment variable for the password, do not also pass the password via the CLI or keep it in the liquibase.properties file.
- Below is an example of how this would be on a Linux/Mac platform:
    export LIQUIBASE_COMMAND_PASSWORD="$(aws rds generate-db-auth-token \
        --hostname "$RDSHOST" \
        --port 5432 \
        --region us-east-1 \
        --username mydbuser)"
- RDSHOST – The hostname of the DB cluster (cluster endpoint) that you want to access.
- mydbuser – The name of the database account to associate with IAM authentication.
- With the AWS CLI, you can call generate-db-auth-token to generate a token, and LIQUIBASE_COMMAND_PASSWORD is set to that token. Liquibase then uses the token as the password when connecting to the AWS RDS database.
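The one-line export above returns the exit status of export, not of the aws call, so a failed token request leaves Liquibase with an empty password. The wrapper below is an added example, not part of the original article or of Liquibase: it checks the token before exporting it and keeps it out of `set -x` trace output. RDSPORT, RDSREGION, RDSUSER and the script name liquibase-rds.sh are assumed names.

```shell
#!/bin/sh
# Added example, not Liquibase's own script. RDSPORT, RDSREGION and RDSUSER
# are assumed variable names; RDSHOST and the defaults come from the article.

# Fetch an RDS IAM auth token and export it as LIQUIBASE_COMMAND_PASSWORD.
# Returns non-zero and leaves the variable unset if no usable token came back.
set_liquibase_password() {
    # Suspend xtrace so a CI job running under `set -x` does not log the token.
    _lb_xtrace=0
    case $- in *x*) _lb_xtrace=1; set +x ;; esac
    unset LIQUIBASE_COMMAND_PASSWORD

    # Assign first, export second: `export VAR="$(cmd)"` returns the status of
    # export, so a failed `aws` call would silently leave an empty password.
    if _lb_token="$(aws rds generate-db-auth-token \
            --hostname "${RDSHOST:?RDSHOST is not set}" \
            --port "${RDSPORT:-5432}" \
            --region "${RDSREGION:-us-east-1}" \
            --username "${RDSUSER:?RDSUSER is not set}")"; then
        # The token is a SigV4 presigned request; anything without a
        # signature parameter is not a token.
        case $_lb_token in
            *X-Amz-Signature=*) export LIQUIBASE_COMMAND_PASSWORD="$_lb_token" ;;
        esac
    fi

    unset _lb_token
    [ "$_lb_xtrace" -eq 1 ] && set -x
    [ -n "${LIQUIBASE_COMMAND_PASSWORD:-}" ]
}

# Wrapper use: `./liquibase-rds.sh update`. Tokens expire after 15 minutes,
# so one is generated immediately before each Liquibase invocation.
if [ "$#" -gt 0 ]; then
    set_liquibase_password || { echo "no RDS auth token obtained" >&2; exit 1; }
    exec liquibase "$@"
fi
```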