feat(client-rds): Adds support for end-to-end IAM authentication in RDS Proxy for MySQL, MariaDB, and PostgreSQL engines.

awstools · awstools · commit 31a353441257 · 2025-09-11T18:11:56.000Z
diff --git a/clients/client-rds/src/commands/CreateDBProxyCommand.ts b/clients/client-rds/src/commands/CreateDBProxyCommand.ts
@@ -38,7 +38,8 @@ export interface CreateDBProxyCommandOutput extends CreateDBProxyResponse, __Met
  * const input = { // CreateDBProxyRequest
  *   DBProxyName: "STRING_VALUE", // required
  *   EngineFamily: "MYSQL" || "POSTGRESQL" || "SQLSERVER", // required
- *   Auth: [ // UserAuthConfigList // required
+ *   DefaultAuthScheme: "IAM_AUTH" || "NONE",
+ *   Auth: [ // UserAuthConfigList
  *     { // UserAuthConfig
  *       Description: "STRING_VALUE",
  *       UserName: "STRING_VALUE",
@@ -82,6 +83,7 @@ export interface CreateDBProxyCommandOutput extends CreateDBProxyResponse, __Met
  * //     VpcSubnetIds: [
  * //       "STRING_VALUE",
  * //     ],
+ * //     DefaultAuthScheme: "STRING_VALUE",
  * //     Auth: [ // UserAuthConfigInfoList
  * //       { // UserAuthConfigInfo
  * //         Description: "STRING_VALUE",
diff --git a/clients/client-rds/src/commands/DeleteDBProxyCommand.ts b/clients/client-rds/src/commands/DeleteDBProxyCommand.ts
@@ -53,6 +53,7 @@ export interface DeleteDBProxyCommandOutput extends DeleteDBProxyResponse, __Met
  * //     VpcSubnetIds: [
  * //       "STRING_VALUE",
  * //     ],
+ * //     DefaultAuthScheme: "STRING_VALUE",
  * //     Auth: [ // UserAuthConfigInfoList
  * //       { // UserAuthConfigInfo
  * //         Description: "STRING_VALUE",
diff --git a/clients/client-rds/src/commands/DeleteGlobalClusterCommand.ts b/clients/client-rds/src/commands/DeleteGlobalClusterCommand.ts
@@ -5,7 +5,8 @@ import { Command as $Command } from "@smithy/smithy-client";
 import { MetadataBearer as __MetadataBearer } from "@smithy/types";
 
 import { commonParams } from "../endpoint/EndpointParameters";
-import { DeleteGlobalClusterMessage, DeleteGlobalClusterResult } from "../models/models_0";
+import { DeleteGlobalClusterMessage } from "../models/models_0";
+import { DeleteGlobalClusterResult } from "../models/models_1";
 import { de_DeleteGlobalClusterCommand, se_DeleteGlobalClusterCommand } from "../protocols/Aws_query";
 import { RDSClientResolvedConfig, ServiceInputTypes, ServiceOutputTypes } from "../RDSClient";
 
diff --git a/clients/client-rds/src/commands/DescribeDBProxiesCommand.ts b/clients/client-rds/src/commands/DescribeDBProxiesCommand.ts
@@ -64,6 +64,7 @@ export interface DescribeDBProxiesCommandOutput extends DescribeDBProxiesRespons
  * //       VpcSubnetIds: [
  * //         "STRING_VALUE",
  * //       ],
+ * //       DefaultAuthScheme: "STRING_VALUE",
  * //       Auth: [ // UserAuthConfigInfoList
  * //         { // UserAuthConfigInfo
  * //           Description: "STRING_VALUE",
diff --git a/clients/client-rds/src/commands/ModifyDBProxyCommand.ts b/clients/client-rds/src/commands/ModifyDBProxyCommand.ts
@@ -38,6 +38,7 @@ export interface ModifyDBProxyCommandOutput extends ModifyDBProxyResponse, __Met
  * const input = { // ModifyDBProxyRequest
  *   DBProxyName: "STRING_VALUE", // required
  *   NewDBProxyName: "STRING_VALUE",
+ *   DefaultAuthScheme: "IAM_AUTH" || "NONE",
  *   Auth: [ // UserAuthConfigList
  *     { // UserAuthConfig
  *       Description: "STRING_VALUE",
@@ -71,6 +72,7 @@ export interface ModifyDBProxyCommandOutput extends ModifyDBProxyResponse, __Met
  * //     VpcSubnetIds: [
  * //       "STRING_VALUE",
  * //     ],
+ * //     DefaultAuthScheme: "STRING_VALUE",
  * //     Auth: [ // UserAuthConfigInfoList
  * //       { // UserAuthConfigInfo
  * //         Description: "STRING_VALUE",
diff --git a/clients/client-rds/src/models/models_0.ts b/clients/client-rds/src/models/models_0.ts
@@ -11177,6 +11177,20 @@ export interface UserAuthConfig {
   ClientPasswordAuthType?: ClientPasswordAuthType | undefined;
 }
 
+/**
+ * @public
+ * @enum
+ */
+export const DefaultAuthScheme = {
+  IAM_AUTH: "IAM_AUTH",
+  NONE: "NONE",
+} as const;
+
+/**
+ * @public
+ */
+export type DefaultAuthScheme = (typeof DefaultAuthScheme)[keyof typeof DefaultAuthScheme];
+
 /**
  * @public
  * @enum
@@ -11242,11 +11256,21 @@ export interface CreateDBProxyRequest {
    */
   EngineFamily: EngineFamily | undefined;
 
+  /**
+   * <p>The default authentication scheme that the proxy uses for client connections to the proxy and connections from the proxy to the underlying database.
+   *             Valid values are <code>NONE</code> and <code>IAM_AUTH</code>.
+   *             When set to <code>IAM_AUTH</code>, the proxy uses end-to-end IAM authentication to connect to the database.
+   *             If you don't specify <code>DefaultAuthScheme</code> or specify this parameter
+   *             as <code>NONE</code>, you must specify the <code>Auth</code> option.</p>
+   * @public
+   */
+  DefaultAuthScheme?: DefaultAuthScheme | undefined;
+
   /**
    * <p>The authorization mechanism that the proxy uses.</p>
    * @public
    */
-  Auth: UserAuthConfig[] | undefined;
+  Auth?: UserAuthConfig[] | undefined;
 
   /**
    * <p>The Amazon Resource Name (ARN) of the IAM role that the proxy uses to access secrets in Amazon Web Services Secrets Manager.</p>
@@ -11474,6 +11498,15 @@ export interface DBProxy {
    */
   VpcSubnetIds?: string[] | undefined;
 
+  /**
+   * <p>The default authentication scheme that the proxy uses for client connections to the proxy and connections from the proxy to the underlying database.
+   *             Valid values are <code>NONE</code> and <code>IAM_AUTH</code>.
+   *             When set to <code>IAM_AUTH</code>, the proxy uses end-to-end IAM authentication to connect to the database.
+   *         </p>
+   * @public
+   */
+  DefaultAuthScheme?: string | undefined;
+
   /**
    * <p>One or more data structures specifying the authorization mechanism to connect to the associated RDS DB instance
    *         or Aurora DB cluster.</p>
@@ -15080,17 +15113,6 @@ export interface DeleteGlobalClusterMessage {
   GlobalClusterIdentifier: string | undefined;
 }
 
-/**
- * @public
- */
-export interface DeleteGlobalClusterResult {
-  /**
-   * <p>A data type representing an Aurora global database.</p>
-   * @public
-   */
-  GlobalCluster?: GlobalCluster | undefined;
-}
-
 /**
  * @internal
  */
diff --git a/clients/client-rds/src/models/models_1.ts b/clients/client-rds/src/models/models_1.ts
@@ -25,6 +25,7 @@ import {
   DBShardGroup,
   DBSnapshot,
   DBSubnetGroup,
+  DefaultAuthScheme,
   EventSubscription,
   ExportSourceType,
   ExportTask,
@@ -47,6 +48,17 @@ import {
 
 import { RDSServiceException as __BaseException } from "./RDSServiceException";
 
+/**
+ * @public
+ */
+export interface DeleteGlobalClusterResult {
+  /**
+   * <p>A data type representing an Aurora global database.</p>
+   * @public
+   */
+  GlobalCluster?: GlobalCluster | undefined;
+}
+
 /**
  * @public
  */
@@ -9948,6 +9960,14 @@ export interface ModifyDBProxyRequest {
    */
   NewDBProxyName?: string | undefined;
 
+  /**
+   * <p>The default authentication scheme that the proxy uses for client connections to the proxy and connections from the proxy to the underlying database.
+   *             Valid values are <code>NONE</code> and <code>IAM_AUTH</code>.
+   *             When set to <code>IAM_AUTH</code>, the proxy uses end-to-end IAM authentication to connect to the database.</p>
+   * @public
+   */
+  DefaultAuthScheme?: DefaultAuthScheme | undefined;
+
   /**
    * <p>The new authentication settings for the <code>DBProxy</code>.</p>
    * @public
diff --git a/clients/client-rds/src/protocols/Aws_query.ts b/clients/client-rds/src/protocols/Aws_query.ts
@@ -720,7 +720,6 @@ import {
   DeleteEventSubscriptionMessage,
   DeleteEventSubscriptionResult,
   DeleteGlobalClusterMessage,
-  DeleteGlobalClusterResult,
   DomainMembership,
   DomainNotFoundFault,
   Ec2ImagePropertiesNotSupportedFault,
@@ -868,6 +867,7 @@ import {
   DBSnapshotTenantDatabasesMessage,
   DBSubnetGroupMessage,
   DBUpgradeDependencyFailureFault,
+  DeleteGlobalClusterResult,
   DeleteIntegrationMessage,
   DeleteOptionGroupMessage,
   DeleteTenantDatabaseMessage,
@@ -11234,6 +11234,9 @@ const se_CreateDBProxyRequest = (input: CreateDBProxyRequest, context: __SerdeCo
   if (input[_EF] != null) {
     entries[_EF] = input[_EF];
   }
+  if (input[_DAS] != null) {
+    entries[_DAS] = input[_DAS];
+  }
   if (input[_Au] != null) {
     const memberEntries = se_UserAuthConfigList(input[_Au], context);
     if (input[_Au]?.length === 0) {
@@ -14225,6 +14228,9 @@ const se_ModifyDBProxyRequest = (input: ModifyDBProxyRequest, context: __SerdeCo
   if (input[_NDBPN] != null) {
     entries[_NDBPN] = input[_NDBPN];
   }
+  if (input[_DAS] != null) {
+    entries[_DAS] = input[_DAS];
+  }
   if (input[_Au] != null) {
     const memberEntries = se_UserAuthConfigList(input[_Au], context);
     if (input[_Au]?.length === 0) {
@@ -19505,6 +19511,9 @@ const de_DBProxy = (output: any, context: __SerdeContext): DBProxy => {
   } else if (output[_VSI] != null && output[_VSI][_me] != null) {
     contents[_VSI] = de_StringList(__getArrayIfSingleItem(output[_VSI][_me]), context);
   }
+  if (output[_DAS] != null) {
+    contents[_DAS] = __expectString(output[_DAS]);
+  }
   if (output.Auth === "") {
     contents[_Au] = [];
   } else if (output[_Au] != null && output[_Au][_me] != null) {
@@ -25428,6 +25437,7 @@ const _Cer = "Certificate";
 const _D = "Description";
 const _DAA = "DescribeAccountAttributes";
 const _DAB = "DeleteAutomatedBackups";
+const _DAS = "DefaultAuthScheme";
 const _DASA = "DomainAuthSecretArn";
 const _DBC = "DBCluster";
 const _DBCA = "DBClusterArn";
diff --git a/codegen/sdk-codegen/aws-models/rds.json b/codegen/sdk-codegen/aws-models/rds.json
@@ -5949,12 +5949,16 @@
             "smithy.api#required": {}
           }
         },
+        "DefaultAuthScheme": {
+          "target": "com.amazonaws.rds#DefaultAuthScheme",
+          "traits": {
+            "smithy.api#documentation": "<p>The default authentication scheme that the proxy uses for client connections to the proxy and connections from the proxy to the underlying database. \n            Valid values are <code>NONE</code> and <code>IAM_AUTH</code>. \n            When set to <code>IAM_AUTH</code>, the proxy uses end-to-end IAM authentication to connect to the database. \n            If you don't specify <code>DefaultAuthScheme</code> or specify this parameter \n            as <code>NONE</code>, you must specify the <code>Auth</code> option.</p>"
+          }
+        },
         "Auth": {
           "target": "com.amazonaws.rds#UserAuthConfigList",
           "traits": {
-            "smithy.api#clientOptional": {},
-            "smithy.api#documentation": "<p>The authorization mechanism that the proxy uses.</p>",
-            "smithy.api#required": {}
+            "smithy.api#documentation": "<p>The authorization mechanism that the proxy uses.</p>"
           }
         },
         "RoleArn": {
@@ -10329,6 +10333,12 @@
             "smithy.api#documentation": "<p>The EC2 subnet IDs for the proxy.</p>"
           }
         },
+        "DefaultAuthScheme": {
+          "target": "com.amazonaws.rds#String",
+          "traits": {
+            "smithy.api#documentation": "<p>The default authentication scheme that the proxy uses for client connections to the proxy and connections from the proxy to the underlying database. \n            Valid values are <code>NONE</code> and <code>IAM_AUTH</code>. \n            When set to <code>IAM_AUTH</code>, the proxy uses end-to-end IAM authentication to connect to the database. \n        </p>"
+          }
+        },
         "Auth": {
           "target": "com.amazonaws.rds#UserAuthConfigInfoList",
           "traits": {
@@ -12068,6 +12078,23 @@
         }
       }
     },
+    "com.amazonaws.rds#DefaultAuthScheme": {
+      "type": "enum",
+      "members": {
+        "IAM_AUTH": {
+          "target": "smithy.api#Unit",
+          "traits": {
+            "smithy.api#enumValue": "IAM_AUTH"
+          }
+        },
+        "NONE": {
+          "target": "smithy.api#Unit",
+          "traits": {
+            "smithy.api#enumValue": "NONE"
+          }
+        }
+      }
+    },
     "com.amazonaws.rds#DeleteBlueGreenDeployment": {
       "type": "operation",
       "input": {
@@ -22961,6 +22988,12 @@
             "smithy.api#documentation": "<p>The new identifier for the <code>DBProxy</code>. An identifier must begin with a letter and must contain only ASCII letters, digits, and hyphens; it can't end with a hyphen or contain two consecutive hyphens.</p>"
           }
         },
+        "DefaultAuthScheme": {
+          "target": "com.amazonaws.rds#DefaultAuthScheme",
+          "traits": {
+            "smithy.api#documentation": "<p>The default authentication scheme that the proxy uses for client connections to the proxy and connections from the proxy to the underlying database. \n            Valid values are <code>NONE</code> and <code>IAM_AUTH</code>. \n            When set to <code>IAM_AUTH</code>, the proxy uses end-to-end IAM authentication to connect to the database.</p>"
+          }
+        },
         "Auth": {
           "target": "com.amazonaws.rds#UserAuthConfigList",
           "traits": {
@@ -31867,6 +31900,12 @@
       "type": "list",
       "member": {
         "target": "com.amazonaws.rds#UserAuthConfig"
+      },
+      "traits": {
+        "smithy.api#length": {
+          "min": 0,
+          "max": 200
+        }
       }
     },
     "com.amazonaws.rds#ValidDBInstanceModificationsMessage": {
