AWS IAM based authentication (RDS / Aurora) support #2034

@andreleoni

Description

Is your feature request related to a problem? Please describe.

Currently, Tortoise-ORM does not support AWS IAM–based authentication for database connections (e.g. Amazon RDS or Aurora).
This forces applications running on AWS (ECS, EKS, Lambda, EC2) to rely on static database passwords stored in environment variables or secret managers.

This is problematic for security-sensitive environments where:

  • Password rotation is required
  • Long-lived credentials are discouraged
  • IAM-based authentication is the recommended AWS best practice
  • Other ORMs/drivers in the ecosystem already support IAM auth via token-based connections, but Tortoise-ORM currently lacks a native or first-class solution.

Describe the solution you'd like

Add native support for AWS IAM authentication in Tortoise-ORM database backends (PostgreSQL and MySQL), allowing connections using short-lived IAM tokens instead of static passwords.

Ideally, this would include:

  • An optional iam_auth or similar flag in the DB config
  • Automatic generation and refresh of IAM auth tokens using boto3
  • Compatibility with async drivers (asyncpg, aiomysql)
  • Support for common AWS environments (ECS, EKS, Lambda, EC2 with IAM roles)

Describe alternatives you've considered

  • Generating IAM tokens manually with boto3 and injecting them as passwords, which is fragile and hard to maintain
  • Wrapping the database driver directly, bypassing Tortoise-ORM abstractions
  • Falling back to static credentials stored in Secrets Manager or environment variables
  • Using other ORMs or lower-level drivers that already support IAM auth

All of these either add operational complexity or defeat the purpose of using Tortoise-ORM as a high-level async ORM.

Additional context

  • AWS strongly recommends IAM authentication for RDS/Aurora in production environments
  • IAM tokens are valid for only 15 minutes, so transparent refresh is essential
  • This feature would significantly improve Tortoise-ORM adoption in AWS-native architectures
  • Similar functionality exists in other ecosystems (e.g. SQLAlchemy with custom auth, direct asyncpg usage)

If helpful, I'm willing to assist with design discussion, testing, or documentation.
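As an added illustration of the "alternatives considered" path and of the 15-minute refresh requirement above (example code written for this page, not code from the issue author or from Tortoise-ORM), the block below caches an IAM auth token and regenerates it shortly before it expires. The default generator calls boto3's `rds.generate_db_auth_token`, which signs the token locally from the ambient IAM role credentials; the host, port, user and region are placeholder values. asyncpg accepts a callable as `password`, so handing it `provider.get_token` makes every new pool connection pick up a fresh token; `ssl="require"` is set because RDS IAM authentication only works over TLS. The `generator` and `clock` parameters exist so the refresh logic can be exercised without AWS access.

```python
"""Short-lived RDS/Aurora IAM auth tokens with transparent refresh (added example)."""
import time
from typing import Callable, Optional

TOKEN_TTL_SECONDS = 15 * 60       # RDS IAM tokens expire 15 minutes after issue
REFRESH_MARGIN_SECONDS = 60       # regenerate a minute early to avoid using a token mid-expiry


class IamTokenProvider:
    """Caches one IAM DB auth token and regenerates it before it expires."""

    def __init__(
        self,
        host: str,
        port: int,
        user: str,
        region: str,
        generator: Optional[Callable[[], str]] = None,
        clock: Callable[[], float] = time.monotonic,
    ) -> None:
        self._host, self._port, self._user, self._region = host, port, user, region
        self._generator = generator or self._boto3_generator
        self._clock = clock
        self._token: Optional[str] = None
        self._expires_at = 0.0
        self.refresh_count = 0    # how many tokens were minted (useful for metrics/tests)

    def _boto3_generator(self) -> str:
        # Real signer: SigV4-presigned token, no network call, needs IAM role credentials.
        import boto3  # imported lazily so the provider works in tests without boto3

        client = boto3.client("rds", region_name=self._region)
        return client.generate_db_auth_token(
            DBHostname=self._host, Port=self._port,
            DBUsername=self._user, Region=self._region,
        )

    def get_token(self) -> str:
        """Return a token that is still valid for at least REFRESH_MARGIN_SECONDS."""
        now = self._clock()
        if self._token is None or now >= self._expires_at - REFRESH_MARGIN_SECONDS:
            self._token = self._generator()
            self._expires_at = now + TOKEN_TTL_SECONDS
            self.refresh_count += 1
        return self._token


def asyncpg_connect_kwargs(provider: IamTokenProvider, database: str = "app") -> dict:
    """Keyword arguments for asyncpg.create_pool()/connect() using IAM tokens.

    asyncpg calls a callable `password` on every new connection, so pooled
    connections opened after the cached token rolls over get a fresh one.
    """
    return {
        "host": provider._host,
        "port": provider._port,
        "user": provider._user,
        "database": database,
        "password": provider.get_token,   # callable, evaluated per connection
        "ssl": "require",                 # IAM auth is only accepted over TLS
    }


if __name__ == "__main__":
    # Offline demo with a constructed generator (no AWS credentials needed).
    minted = []

    def fake_generator() -> str:
        minted.append(1)
        return f"constructed-token-{len(minted)}"

    provider = IamTokenProvider(
        "db.example.internal", 5432, "app_user", "us-east-1",   # placeholder values
        generator=fake_generator,
    )
    print(asyncpg_connect_kwargs(provider)["password"]())
    print("tokens minted:", provider.refresh_count)
```

In a real deployment you would pass `asyncpg.create_pool(**asyncpg_connect_kwargs(provider))` and give the pool a `max_inactive_connection_lifetime` so idle connections are recycled; connections that are already open stay authenticated after the token expires, since the token is only checked at login.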
