I would suggest going for Vault/Secrets manager.
Using IAM can lock you to use only RDS.
For a case where you're using hybrid/multi-cloud infrastructure, IAM won't fit in.
Or if you're completely on AWS, there have been cases where organisations jump back to Postgres on EC2 from RDS for costs and performance reason. At least no change of code is required in case of Vault/Secrets manager.
Using secrets manager over vault also has some advantages, like managing 1 or maybe 2(in case you're using some unmanaged service as vault backend) less components in your infrastructure. But again secrets manager isn't a good option if you're using multi-cloud/hybrid infrastructure.
Using IAM can lock you to use only RDS.
For a case where you're using hybrid/multi-cloud infrastructure, IAM won't fit in.
Or if you're completely on AWS, there have been cases where organisations jump back to Postgres on EC2 from RDS for costs and performance reason. At least no change of code is required in case of Vault/Secrets manager.
Using secrets manager over vault also has some advantages, like managing 1 or maybe 2(in case you're using some unmanaged service as vault backend) less components in your infrastructure. But again secrets manager isn't a good option if you're using multi-cloud/hybrid infrastructure.
Happy to help :)
Prince Pathria
Systems Engineer
Evive
+91 9478670472
goevive.com
On Tue, Apr 7, 2020 at 12:13 PM Toomas Kristin <toomas.kristin@xxxxxxxxx> wrote:
Hi,
I hope you all are well. Basically I am considering to implement a centralised authentication solution for AWS/RDS/PostgreSQL. Last two options on table are Vault and IAM. Have you made any similar decision and can you share your experience?
BR,
Toomas
