How to Maintain an AWS RDS Connection Even After the Token Has Expired

When working with AWS RDS and connecting via IAM authentication, you’ll often run into a frustrating limitation: the generated authentication token only lasts for 15 minutes. Once it expires, your client (such as DBeaver, psql, or another database tool) drops the session, even if you’re actively working.

In this article, we’ll explore why this happens, how to work around it, and a practical solution to keep your connection alive without constantly refreshing tokens.

Why RDS IAM Tokens Expire

When you use IAM database authentication in RDS:

• You generate a signed authentication token via AWS CLI or SDK.
• This token is valid for 15 minutes.
• Your client passes it as the password when initiating the connection.

The limitation exists for security reasons — short-lived credentials reduce the attack surface if a token is leaked.
However, it creates friction for developers and DBAs who need persistent connections.

The Problem in Practice

• You log in to RDS with DBeaver or psql using your IAM token.
• After 15 minutes, your token expires.
• If your database client tries to re-authenticate (e.g., opening a new session), it fails.
• Even if your SSH/SSM tunnel is still active, the expired token means no more queries.

This makes long-running sessions (debugging, running migrations, or data analysis) painful.

The Workaround: Keep the Session Alive

The good news is:
Once the database session is established, RDS does not kick you out when the token expires.
The problem only appears when your client tries to re-authenticate or idle connections are dropped.

So the solution is to ensure:

1. Persistent TCP connection (so the client doesn’t drop and re-login).
2. Prevent idle timeouts (so the DB doesn’t close your session).

Using DBeaver with Persistent Connections

If you’re using DBeaver, you can configure the JDBC driver to maintain the session even after the token expires.

Two useful parameters are:

• prop.socketTimeout=0 → prevents the client from closing the connection due to inactivity.
• prop.tcpKeepAlive=true → sends keep-alive packets to maintain the TCP session.

Example Launch Command

nohup dbeaver -con "driver=postgresql| 
host=localhost| 
port=5432| 
database=mydb| 
user=myuser| 
password=<iam-token>| 
name=MyConnection| 
savePassword=true| 
openConsole=true| 
prop.tcpKeepAlive=true| 
prop.socketTimeout=0" >/dev/null 2>&1 &

With these settings:

• The connection stays alive.
• Queries continue to work beyond the 15-minute token expiry.
• You avoid unexpected disconnections.

When This Works (and When It Doesn’t)

• Works: If you already have a valid session and just need it to stay alive.
• Doesn’t work: If your session closes and the client needs to reconnect → you’ll need a fresh token.

That means:

• For interactive sessions (querying, debugging), this is perfect.
• For batch jobs or scheduled tasks, you should refresh tokens programmatically instead.

Alternative: Automatic Token Refresh

If you want a reliable long-term solution, you can automate token generation:

• A script runs aws rds generate-db-auth-token periodically.
• Your client or connection pool refreshes the password before expiration.
• This works well for apps (using RDS IAM auth in production).

But for local development, the keep-alive hack is often enough.

Final Thoughts

AWS’s short-lived IAM RDS tokens are great for security, but not so much for convenience.
By tweaking your database client’s connection parameters, you can keep sessions alive and avoid being kicked out after 15 minutes.

If you rely heavily on RDS IAM auth in production, consider building a token refresh mechanism into your applications. But for developers using tools like DBeaver, enabling tcpKeepAlive and socketTimeout=0 is the fastest way to maintain connections indefinitely.