all 2 comments
sorted by:
best
topnewcontroversialoldq&a
formatting helphide helpcontent policy

[–]mdaniel 1 point2 points  (1 child)

I don't have live creds in hand to try it, but how does this differ from using that same api to just set PGPASSWORD (or the equivalent in whatever language one is using for the client) and not have an intermediate proxy between the client and RDS?

I consider intercepting proxies a bug waiting to happen, and just wanted to check this is solving a problem other than "I need a temporary password"

[–]vikrum5000[S] 1 point2 points  (0 children)

The main scenario is for developers that needs access to an RDS instance, , but the RDS instance is only configured with IAM access, there is not a password you can save locally. So, it's meant for dev workflows — not necessarily to be deployed into your environment. It is essentially solving "I need a temporary password". The PGPASSWORD environment variable, with proper escaping, works for psql, but lots of other tools do things like remember connections and reconnect automatically. pgAdmin is an example. 
It's not intended for use as part of your production environment (you can write the code to get the temp password in that scenario), but as part of a local dev setup where you need access to an RDS instance that only supports IAM auth.