AWS Database Blog
Configure Kerberos authentication for Amazon RDS for PostgreSQL without joining an Active Directory domain
Organizations that adopt centralized authentication mechanisms gain the following benefits:
- Enhanced security posture: Centralized authentication enables quick addition or removal of user access throughout the network, giving organizations improved security and the ability to respond quickly to security threats.
- Scalability: By controlling access through a centralized database, organizations can scale their network and minimize performance issues.
- Ease of administration: Centralized authentication simplifies the management of network resources, making it more efficient.
The practice of integrating relational database authentication with a centralized authentication service, such as Microsoft Active Directory (Microsoft AD), is a well-established and widely used strategy. Active Directory is a centralized authentication and authorization management service for users, computers and applications. It allows administrators to manage network resources and enforce security policies. Kerberos is a network authentication protocol integrated with Active Directory and allows offloading authentication from the database instance. The burden of account administration is significantly reduced as the database instance only has to handle authorization.
Amazon Relational Database Service (Amazon RDS) for PostgreSQL and Amazon Aurora PostgreSQL-Compatible Edition support external authentication of database users using Kerberos and Microsoft AD. This centralized management of database users and authentication saves you time and effort in managing multiple database instances.
The main reasons to join a client to an active directory domain include security policies, access control and centralized identity management. However, the process of joining a Linux client to active directory is highly technical and complex, making it more effortful compared to a seamless experience with Windows clients. Furthermore, there may be compatibility issues between different Linux distributions and active directory which bring in additional challenges.
However, it’s not a requirement to join the Linux client to an active directory domain to use Kerberos authentication. In this post, we demonstrate how to configure a Linux client outside of active directory domain to connect using Kerberos authentication to an Amazon RDS for PostgreSQL or Amazon Aurora PostgreSQL-Compatible Edition.
Solution overview
The solution uses Amazon RDS for PostgreSQL joined to AWS Managed Microsoft AD and a Linux client. You can apply the same approach to use Amazon Aurora PostgreSQL-Compatible Edition. To allow users in your on-premises AD domain to access Amazon RDS resources in the AWS managed domain, a forest trust relationship must be established between the two domains. This forest trust relationship provides a way for AWS managed domain to grant access to resources based on the authentication within the on-premises AD domain. In our solution, we establish a one-way forest trust between the on-premises domain and the AWS Managed Microsoft AD. A one-way forest trust only enables users from the on-premises AD to access resources in the AWS managed domain, but not vice versa.
For demonstration purposes, we have used an Amazon Elastic Compute Cloud (Amazon EC2) Linux client with psql installed. The EC2 Linux client is used to connect to Amazon RDS for PostgreSQL using Kerberos authentication. The AD domain details are as follows:
- On-premises AD domain –
ONPREM.LOCAL
- AWS Managed AD domain –
AWSPOSTGRESQL.KERBEROS.COM
In this case, users are authenticated by the on-premises domain, whereas Amazon RDS interacts only with the AWS Managed domain.
Prerequisites
Before we start, make sure that you have prepared your on-premises and AWS environments, as shown in the architectural diagram. You must have the following prerequisites:
- An on-premises AD or Windows EC2 server promoted to be our on-premises AD. See Scenario 1: Deploy self-managed AD from the Active Directory Domain Services on AWS guide for an example of self-managed AD deployment.
- An AWS Managed Microsoft AD.
- A one-way or two-way forest trust between the on-premises domain and AWS Managed domain.
- An Amazon RDS for PostgreSQL DB instance joined to the AWS Managed AD.
- A user created in the on-premises AD.
- Familiarity with the psql.
Trust between on-premises AD and AWS Managed Microsoft AD
To implement the solution in this post, you must establish a trust relationship between the on-premises AD domain and the AWS Managed domain to allow on-premises domain users access to Amazon RDS resources. This trust enables AWS Managed domain to grant access to its resources based on the authentication within on-premises domain. For improved security, a one-way trust is recommended unless you have specific business requirements. One-way trust is preferred as it provides better control over access to resources. In this setup, only the on-premises AD domain can access resources in the AWS Managed domain, while AWS managed domain has no access. Refer Preparing on-premises and AWS environments for external Kerberos authentication for Amazon RDS for guidance on how to setup a forest trust between the on-premises domain and AWS Managed domain.
Create Amazon RDS for PostgreSQL instance and join to an AWS Managed Microsoft AD
Refer Using external Kerberos authentication with Amazon RDS for PostgreSQL for guidance to create an Amazon RDS for PostgreSQL instance and joining to an AWS Managed Microsoft AD.
Create user in on-premises AD
Create a user sid@ONPREM.LOCAL
on the on-premises Active Directory. We connect to Amazon RDS for PostgreSQL instance with this user using Kerberos authentication.
Logging in to Amazon RDS for PostgreSQL instances on a Linux platform
You can manage your databases by logging in to your Amazon RDS for PostgreSQL instances on a Linux platform. This section details the steps to configure a Linux client outside of an active directory domain to connect to an Amazon RDS for PostgreSQL using Kerberos authentication.
- Launch an Amazon EC2 Linux 2 instance.
- Connect to the EC2 Linux instance. The choice of connection method will depend on factors such as local computer operating system, security requirements, network infrastructure and user preferences.
- Edit the resolver configuration file located at
/etc/resolv.conf
to include your AD domain to thesearch
directive along with domain for the AWS Region. A search entry defines the list of domains to search when resolving a name. Moreover, include the DNS IP addresses of your AD to thenameserver
directive.
- To make the changes in
resolv.conf
persistent on a reboot, run the following command.
- Verify connectivity. If your DNS servers are configured correctly, the
ping
command resolves the AD domain to an IP address and runs successfully.
- The Kerberos client utility
kinit
is required on the client machine to obtain or renew the Kerberos ticket. Thekinit
utility is available when you install thekrb5-libs
andkrb5-workstation
packages.
- Create a
krb5.conf
file with the following content for an on-premises Microsoft AD. This file contains configuration parameters for the Kerberos 5 library.
- Install the psql client tool to connect to Amazon RDS for PostgreSQL. For compatibility, it’s recommended to keep the psql client version same or higher than the PostgreSQL server version. For this use case, we install psql client version 14.
- Log in to the Amazon RDS for PostgreSQL instance using the primary user account.
- Create the database user
sid@ONPREM.LOCAL
and grant therds_ad
role to this user. Therds_ad
role enables the database user to use Kerberos authentication.
- Create a Kerberos ticket using command
kinit
and provide the password for the AD user.
- You can list the Kerberos tickets in the cache using the command
klist
. The default validity for the Kerberos ticket is 10 hours and you can renew the ticket for 7 days. When the ticket validity period expires, you’ll need to request a new Kerberos ticket.
- Connect to the Amazon RDS for PostgreSQL instance using the Kerberos ticket without specifying a password. We’re using the special endpoint when connecting to an on-premises AD. Instead of using the Amazon domain
rds.amazonaws.com
in the endpoint, use the domain name of the AWS Managed Microsoft AD. You can apply the same approach when connecting to an Amazon Aurora PostgreSQL-Compatible cluster endpoint.
Clean up
If you are testing this solution, complete the following steps to remove resources and avoid charges
- On the Amazon EC2 console, select the Linux EC2 instance, and on the Instance state menu, choose Terminate instance.
- On the Amazon RDS console, select the RDS Postgres instance, and on the Actions menu, choose Delete.
- On the AWS Directory Service console, select the directory, and on the Actions menu, choose Delete directory.
Summary
In this post, we guided you through the process of authenticating database users in Amazon RDS for PostgreSQL using Kerberos authentication with a Linux client outside of an active directory domain. You can apply the same approach to Amazon Aurora PostgreSQL-Compatible Edition. This configuration increases flexibility and reduces complexity for users adopting Kerberos for database authentication.
If you have any comments or questions, share them in the comments section.
About the Author
Sid Vantair is a Solutions Architect with AWS covering Strategic accounts. With over a decade of experience in working with relational databases, he thrives on resolving complex technical issues to overcome customer hurdles. Outside of work, he cherishes spending time with his family and fostering inquisitiveness in his children.