IBM Support

Passwordless PostgreSQL Authentication for Terraform Enterprise on EKS using AWS IAM

Troubleshooting


Problem

 

Terraform Enterprise (TFE) running on an Amazon EKS cluster can, as of TFE version 1.1.0, authenticate to an AWS RDS PostgreSQL database without storing or supplying a database password. Instead it uses AWS IAM database authentication, which improves the security posture and removes one long-lived secret from the deployment.

This article walks through how to configure a TFE deployment on EKS to connect to PostgreSQL passwordlessly using AWS IAM, using the TFE environment variables that support this mode.

 

At a high level, the authentication flow looks like this:

  1. TFE pods on EKS obtain AWS credentials from the IAM role available to them: in this article the EKS node group role (instance profile); alternatively an IRSA role bound to the TFE Kubernetes Service Account.

  2. The RDS PostgreSQL instance has IAM database authentication enabled, and the TFE database user holds the rds_iam role.

  3. At connection time TFE calls the AWS SDK to generate a short-lived authentication token (valid for 15 minutes) signed with those credentials, instead of using a static password.

  4. TFE presents the token as the password; RDS validates it against IAM (the caller must be allowed rds-db:connect for that database user) and opens the session.

No database password is stored in:

  • Kubernetes Secrets

  • Terraform variables

  • TFE configuration files

Prerequisites

Before configuring TFE, ensure the following are in place:

1. Terraform Enterprise on EKS

  • TFE deployed on EKS (Helm or operator-based deployment)

  • TFE version 1.1.0 or later

  • If you intend to use IRSA instead of the node instance profile: the EKS cluster has an OIDC provider enabled

2. PostgreSQL on AWS RDS

  • A PostgreSQL engine version that supports IAM database authentication

  • IAM database authentication enabled on the RDS instance (Step 1)

  • A database user created for IAM authentication and granted the rds_iam role (Step 2)

3. IAM role for TFE

  • An IAM role whose credentials the TFE pods can obtain: the EKS node group role (instance profile), as used in this article, or an IRSA role assumable by the TFE Kubernetes Service Account

  • Permissions to:

    • rds-db:connect (scoped to the single database user)

    • sts:GetCallerIdentity

Solution 

Step 1: Enable IAM Authentication on RDS PostgreSQL

Enable IAM authentication on the RDS instance:

aws rds modify-db-instance \
  --db-instance-identifier my-postgres \
  --enable-iam-database-authentication \
  --apply-immediately

Step 2: Create an IAM-Authenticated PostgreSQL User

Connect to PostgreSQL as an administrative user and create a user that authenticates through IAM:

CREATE USER "iam-postgres" WITH LOGIN;
GRANT rds_iam TO "iam-postgres";

Granting rds_iam makes RDS validate this user's logins through IAM; a conventional password no longer works for it. Grant the user whatever privileges TFE needs on its database as you would for any TFE database user.

Important:
The quoted PostgreSQL user name is case-sensitive and must exactly match both TFE_DATABASE_USER (Step 4) and the dbuser segment of the rds-db:connect resource ARN in the IAM policy (Step 3).

Step 3: Create an IAM policy for the EKS node group role

Create the following policy and attach it to the IAM role used by the EKS node group (the instance profile whose credentials the TFE pods will use). Replace ACCOUNT_ID with your AWS account ID and DB_RESOURCE_ID with the RDS instance's DbiResourceId (the value of the form db-XXXXXXXX shown by aws rds describe-db-instances; it is not the instance identifier). The region in the ARN must be the region of the RDS instance.

DB_policy.json

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "rds-db:connect",
      "Resource": "arn:aws:rds-db:us-west-1:ACCOUNT_ID:dbuser:DB_RESOURCE_ID/iam-postgres"
    }
  ]
}

Ensure the Kubernetes node group role has the policy DB_policy.json attached.

Caveat: instance profile credentials are available to every pod scheduled on those nodes, not only to TFE. Keep the resource ARN scoped to the single database user as shown (never a wildcard dbuser), and if other workloads share the node group consider binding the policy to an IRSA role for the TFE Service Account instead, so only TFE can obtain tokens.

 

Step 4: Configure TFE for Passwordless PostgreSQL Authentication

Set the following TFE environment variables in your EKS deployment (Helm values or Kubernetes manifests). TFE_DATABASE_PASSWORDLESS_AWS_USE_INSTANCE_PROFILE=true tells TFE to use the credentials of the node's instance profile (the role configured in Step 3), and TFE_DATABASE_PASSWORDLESS_AWS_REGION must be the region of the RDS instance, because the generated token is signed for that region:

TFE_DATABASE_USER=iam-postgres
TFE_DATABASE_HOST=database.us-west-1.rds.amazonaws.com
TFE_DATABASE_NAME=postgres
TFE_DATABASE_PARAMETERS="sslmode=require"
TFE_DATABASE_PASSWORDLESS_AWS_USE_INSTANCE_PROFILE=true
TFE_DATABASE_PASSWORDLESS_AWS_REGION=us-west-1

 

Key Notes

  • Do not set TFE_DATABASE_PASSWORD; the token replaces it.

  • TFE generates a short-lived authentication token using AWS IAM each time it opens a database connection; tokens are valid for 15 minutes and are checked only at connection time, so an established connection is not dropped when its token expires.

  • Tokens are regenerated automatically by TFE; nothing needs to be rotated by hand.

  • RDS rejects IAM-token logins that are not made over SSL, which is why TFE_DATABASE_PARAMETERS carries sslmode at least at require. Note that sslmode=require encrypts the connection but does not verify the server certificate; for production prefer sslmode=verify-full together with sslrootcert pointing at the RDS CA bundle.

 

Step 5: Restart TFE Pods

Apply the changes and restart TFE (the namespace tfe and deployment name terraform-enterprise are examples; use the values of your installation):

kubectl -n tfe rollout restart deployment terraform-enterprise

Monitor the logs to confirm successful authentication:

kubectl -n tfe logs deploy/terraform-enterprise | grep -i postgres

You should see successful database connection logs, with no password configured anywhere in the deployment.
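The following script is an added example, not part of this article or of Terraform Enterprise. It checks, before TFE is restarted, that the pieces set up in Steps 1 to 4 agree with each other: a static check that TFE_DATABASE_USER and TFE_DATABASE_PASSWORDLESS_AWS_REGION match the dbuser and region in the rds-db:connect ARN (the two mismatches that produce authentication failures), plus optional live checks that read the instance's DbiResourceId and IAM-authentication flag with the AWS CLI and perform one psql login with a freshly generated token, the same way TFE does. The account ID, DbiResourceId, host name and CA bundle path are placeholders (assumptions), and the live checks must run with the node role's credentials (for example from a pod on the TFE node group) to exercise the same path as TFE.

```shell
#!/usr/bin/env bash
# Added example, not part of the IBM article or of Terraform Enterprise itself.
# Pre-flight checks for TFE passwordless RDS IAM authentication.
# Assumed (hypothetical) values: account 123456789012, region us-west-1,
# RDS instance my-postgres with DbiResourceId db-ABCDEFGHIJKLMNOPQRSTUVWXY,
# DB user iam-postgres, host database.us-west-1.rds.amazonaws.com.
set -eu

# Build the rds-db:connect resource ARN that the node-role policy must allow.
# Args: region account_id dbi_resource_id db_user
rds_db_connect_arn() {
  printf 'arn:aws:rds-db:%s:%s:dbuser:%s/%s' "$1" "$2" "$3" "$4"
}

# dbuser segment of such an ARN: everything after the last '/'.
arn_db_user() {
  printf '%s' "${1##*/}"
}

# Region segment of the ARN (4th colon-separated field).
arn_region() {
  printf '%s' "$1" | cut -d: -f4
}

# Static consistency check between the TFE settings and the IAM policy:
# TFE_DATABASE_USER must equal the ARN's dbuser (compared case-sensitively,
# because the PostgreSQL user was created with a quoted name), and
# TFE_DATABASE_PASSWORDLESS_AWS_REGION must equal the region in the ARN,
# because the auth token is signed for that region.
# Returns 0 when consistent, 1 on the first mismatch (reported on stderr).
check_tfe_matches_policy() {
  local tfe_user="$1" tfe_region="$2" arn="$3"
  local policy_user policy_region
  policy_user="$(arn_db_user "$arn")"
  policy_region="$(arn_region "$arn")"
  if [ "$policy_user" != "$tfe_user" ]; then
    echo "mismatch: TFE_DATABASE_USER=$tfe_user but policy allows dbuser $policy_user" >&2
    return 1
  fi
  if [ "$policy_region" != "$tfe_region" ]; then
    echo "mismatch: TFE_DATABASE_PASSWORDLESS_AWS_REGION=$tfe_region but policy ARN is in $policy_region" >&2
    return 1
  fi
  return 0
}

# --- Live checks below need the AWS CLI, psql, AWS credentials and network ---

# DbiResourceId of an RDS instance: the value to put in the policy ARN
# (it is NOT the instance identifier).
dbi_resource_id() {
  aws rds describe-db-instances --db-instance-identifier "$1" \
    --query 'DBInstances[0].DbiResourceId' --output text
}

# Prints "True" when IAM database authentication is enabled (Step 1).
iam_auth_enabled() {
  aws rds describe-db-instances --db-instance-identifier "$1" \
    --query 'DBInstances[0].IAMDatabaseAuthenticationEnabled' --output text
}

# Obtain a 15-minute auth token with the caller's AWS credentials and run one
# query over a verified TLS connection. RDS refuses IAM-token logins that are
# not over SSL; verify-full additionally checks the server certificate.
# Args: host region db_user [dbname]. The CA bundle path is an assumption;
# the bundle comes from https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem
live_connect_check() {
  local host="$1" region="$2" user="$3" dbname="${4:-postgres}"
  local ca="${RDS_CA_BUNDLE:-/etc/ssl/rds/global-bundle.pem}"
  local token
  token="$(aws rds generate-db-auth-token --hostname "$host" --port 5432 \
             --region "$region" --username "$user")"
  PGPASSWORD="$token" psql \
    "host=$host port=5432 dbname=$dbname user=$user sslmode=verify-full sslrootcert=$ca" \
    -c 'SELECT current_user, ssl FROM pg_stat_ssl WHERE pid = pg_backend_pid();'
}

# Example usage with the assumed values (the live calls are commented out
# because they need AWS access):
#   ARN="$(rds_db_connect_arn us-west-1 123456789012 db-ABCDEFGHIJKLMNOPQRSTUVWXY iam-postgres)"
#   check_tfe_matches_policy iam-postgres us-west-1 "$ARN"
#   iam_auth_enabled my-postgres
#   live_connect_check database.us-west-1.rds.amazonaws.com us-west-1 iam-postgres
```

Run the static check against the exact strings you put in the Helm values and in DB_policy.json; a one-character difference in the user name (case or hyphen versus underscore) is the most common cause of "authentication failed" in this setup. The live check uses `aws rds generate-db-auth-token`, which produces the same presigned token the AWS SDK generates for TFE, so if psql logs in from the TFE node group, the IAM policy, rds_iam grant and SSL settings are all proven before TFE is restarted.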

 

Security Benefits

  • Eliminates long-lived database credentials; the only credential in use is a 15-minute token that is never written to disk or to a Secret

  • IAM policies provide fine-grained access control, down to a single database user on a single instance

  • Tokens are regenerated by TFE for every new connection, so there is no password rotation to schedule

  • Aligns with enterprise security and compliance standards that require short-lived credentials

 

Common Troubleshooting Tips

Issue                  What to check
---------------------  --------------------------------------------------------------------------
Authentication failed  The PostgreSQL user name (case-sensitive) does not match TFE_DATABASE_USER
                       or the dbuser segment of the policy ARN; or rds_iam was not granted to the user
Permission denied      IAM policy missing rds-db:connect, or its ARN has the wrong region, account ID
                       or DbiResourceId (the instance identifier is not accepted there)
Token expired          Tokens are valid for 15 minutes and are signed for one region; ensure
                       TFE_DATABASE_PASSWORDLESS_AWS_REGION is the region of the RDS instance
TFE stuck on startup   Confirm the node group role (or, if used, the IRSA role) is attached and that
                       the pod can obtain AWS credentials from it

 

Conclusion

By combining IAM credentials available to the TFE pods (the EKS node group instance profile, or IRSA), RDS IAM database authentication, and TFE's passwordless database support, you can run Terraform Enterprise without managing a PostgreSQL password.

This approach is recommended for production-grade, security-conscious deployments.

Document Location

Worldwide


Historical Number

47326853996563

Document Information

Modified date:
16 March 2026

UID

ibm17265367