
Aurora DSQL: Generate IAM Auth Tokens in atlas.hcl

The new aws_dsql_token data source signs short-lived Aurora DSQL auth tokens at runtime and embeds them directly in the dsql:// connection URL, removing the need for wrapper scripts that shell out to the AWS CLI before invoking Atlas.

Aurora DSQL has no static database passwords. Every connection authenticates with a token signed locally from your IAM credentials, which expires in 15 minutes by default (one week maximum). The benefit is real: there is no long-lived database secret to store, rotate, or leak from a secret manager, and revoking the IAM identity terminates future connections without touching the database. The trade-off is that any approach that mints a token once and stuffs it into DSQL_PASSWORD goes stale faster than most CI jobs and dev sessions. The new aws_dsql_token data source signs a fresh token from inside atlas.hcl on every command, using the AWS credentials Atlas already has access to.

Admin Tokens

For the built-in admin role, set admin = true. The IAM identity Atlas runs as needs dsql:DbConnectAdmin. Because the token contains characters that must be percent-encoded in a URL, wrap it in urlescape() when interpolating into the connection string:

atlas.hcl

```hcl
locals {
  endpoint = "cluster-id.dsql.us-east-1.on.aws"
}

data "aws_dsql_token" "db" {
  endpoint = local.endpoint
  region   = "us-east-1"
  admin    = true
}

env "dsql" {
  url = "dsql://admin:${urlescape(data.aws_dsql_token.db)}@${local.endpoint}:5432/postgres?sslmode=require"
  dev = "docker://dsql/16/dev"
}
```

With that in place, every Atlas command resolves the data source, signs a new token, and connects:

terminal

```shell
atlas schema inspect --env dsql --config "file://atlas.hcl"
```

Profiles and Assume-Role

aws_dsql_token matches the rest of the AWS SDK toolchain: load credentials from a named profile in ~/.aws/config, or assume a role before signing the token.

atlas.hcl

```hcl
data "aws_dsql_token" "db" {
  endpoint = "cluster-id.dsql.us-east-1.on.aws"
  region   = "us-east-1"
  profile  = "prod"
  role_arn = "arn:aws:iam::123456789012:role/AtlasDSQLConnect"
  admin    = true
}
```

For the full workflow, including how to grant the IAM permissions and run migrations end-to-end, see the Aurora DSQL auth token guide.
