- AWS-level authentication — how 4MINDS discovers which RDS instances exist in your account. Uses IAM Role Federation (recommended) or Amazon Cognito, both shared with the rest of 4MINDS’s AWS integrations.
- Database-level authentication — uses RDS IAM Database Authentication to generate short-lived tokens from the same AWS credentials used for instance discovery. No separate database username or password is required.
Supported Database Engines
4MINDS supports database browsing on these RDS engines:
Other RDS engines (Oracle, SQL Server, etc.) can still be listed in the instance picker, but the database/table browser will return an “unsupported engine” error when you open them.
RDS IAM Permissions Policy
Whichever AWS auth method you use (IAM Role Federation or Cognito), attach this policy to the role:
Name the policy something memorable like
4MINDS-RDS-Access — you’ll attach it when creating the IAM role (for Role Federation) or the Cognito authenticated role.
Note: Therds-db:connectresource ARN above uses a wildcard for all DB users and instances. To restrict access to specific instances or database users, narrow the resource ARN (e.g.,arn:aws:rds-db:us-east-1:123456789012:dbuser:db-ABCDEFG/my_iam_user).
Least-Privilege: Restricting to Specific Instances
If you want to expose only a subset of your RDS fleet, scope both permissions by ARN:RDS Instance Prerequisites for IAM Database Authentication
Each RDS instance you want 4MINDS to browse must have IAM Database Authentication enabled, and a database user configured for IAM auth: PostgreSQL:Connection Method 1: IAM Role Federation (Recommended)
Short-lived credentials minted per request through AWS STS — no long-lived AWS keys stored in 4MINDS.- Complete the one-time AWS setup in AWS Integrations → IAM Role Federation (OIDC provider + IAM role with trust policy).
- Attach the RDS IAM policy above to the role (Role Federation and Cognito can share the same role — just attach both service policies to it if you use multiple AWS integrations).
- In 4MINDS, open Integrations → Amazon RDS → click Configure (or Settings if already connected).
- Keep the IAM Role tab selected.
- Paste your IAM Role ARN (e.g.,
arn:aws:iam::123456789012:role/4MINDS-integration-role). - Leave the External ID field blank — it is not supported for IAM Role Federation (see AWS Integrations → Verify the Trust Policy).
- Enter your AWS Region (e.g.,
us-east-1) — this must match the region of the RDS instances you want to browse. - Click Test Connection — success shows “Connection successful! Found N instance(s).”
- Click Save Credentials.
Connection Method 2: Amazon Cognito
Use this if your organization already authenticates against AWS through Cognito User Pools and Identity Pools.- Complete the one-time Cognito setup in AWS Integrations → Amazon Cognito (User Pool, App Client, Identity Pool, authenticated role).
- Attach the RDS IAM policy above to the Cognito authenticated role.
- In 4MINDS, open Integrations → Amazon RDS → click Configure.
- Switch to the Cognito tab.
- Fill in User Pool ID, App Client ID, App Client Secret (if configured), Identity Pool ID, Username, and Password.
- Enter your AWS Region.
- Click Test Connection, then Save Credentials.
4MINDS Fields
Importing Data from RDS
Once connected, open the Datasets page and click Add Source → Amazon RDS (or pick RDS from the data source bar inside an existing dataset). The import wizard walks you through four steps:Step 1 — Pick an Instance
4MINDS callsrds:DescribeDBInstances in your configured region and shows every instance the role can see, with its engine, engine version, instance class, and status. Use the search box to filter by identifier or engine. Click an instance to continue.
Instances not in the available state are shown with a warning color and may fail to connect in Step 2.
Step 2 — Connect to the Database
4MINDS uses the same AWS credentials from your integration to generate a short-lived IAM authentication token viagenerate_db_auth_token. No separate database username or password is needed — the connection is established automatically using IAM Database Authentication.
- Authentication tokens are generated per-request and expire after 15 minutes.
- The IAM DB user configured on the instance (see RDS Instance Prerequisites) determines what permissions the connection has.
- All connections use SSL, as required by RDS IAM Database Authentication.
Step 3 — Browse Databases
4MINDS opens a live SQL connection to the instance endpoint using the IAM-generated token and lists user databases. System databases (rdsadmin, mysql, information_schema, performance_schema, sys) are filtered out.
Step 4 — Select Tables
Click a database to list its base tables. For each table the browser shows:- Schema-qualified name (e.g.,
public.customersfor Postgres, or justordersfor MySQL) - Estimated row count (from
pg_stat_user_tables/information_schema.tables) - Column count
- On-disk size
During Import
At import time, 4MINDS runs a bulk fetch on each selected table:- Up to 50,000 rows per table (hard cap — larger tables are truncated and flagged).
- Binary columns (
BYTEA,BLOB,VARBINARY, etc.) are dropped from the export rather than base64-encoded, to keep CSV output reasonable. - Complex types (JSONB, arrays) are serialized with
json.dumpsinto a single cell. - Timeout is 120 seconds per table.
Networking Requirements
RDS instances live inside a VPC. For 4MINDS to open a SQL connection, the instance must be reachable from the 4MINDS backend’s outbound network:- Security group inbound rule — allow the database port (5432 for Postgres, 3306 for MySQL/MariaDB) from the 4MINDS backend’s public IP or the CIDR range of its egress.
- Publicly accessible = Yes is the simplest path for temporary testing; for production, prefer a VPC peering / PrivateLink setup with 4MINDS support.
- SSL — All connections use SSL, as required by RDS IAM Database Authentication. Ensure your RDS instance has a valid SSL certificate (AWS-managed certificates work out of the box).
“Connection timed out. The backend may not be able to reach the RDS endpoint — check VPC / security group rules (inbound port open from the backend’s network).”
Security Model
No database passwords are stored or transmitted. Each SQL endpoint (
/instances/{id}/databases, /tables, /preview) generates a short-lived IAM authentication token from the existing AWS credentials, opens a short-lived SQLAlchemy engine over SSL, runs one query, and disposes of the engine before returning.
Testing Your Connection
After saving credentials, the Test Connection button:- Resolves your auth method → AWS credentials (via STS AssumeRoleWithWebIdentity for Role Federation, or Cognito GetCredentialsForIdentity for Cognito).
- Calls
rds:DescribeDBInstanceswith a 15-second timeout. - Returns “Connection successful! Found N instance(s).” on success.
Troubleshooting
Disconnecting
To remove the RDS integration:- Open Integrations → Amazon RDS → click Settings.
- Click Disconnect.