SingleStore Expands Passwordless Authentication to Server Accounts for Enhanced Security
SingleStore introduces `singlestore-auth-iam`, extending passwordless authentication from human users to server accounts. Integrate with AWS IAM, Azure AD, or GCP IAM for secure, automatically rotated credentials, significantly reducing risk and operational burden.

Passwords have historically been a significant vulnerability in modern infrastructure. They are challenging to manage, prone to leaks, and difficult to rotate securely at scale. At SingleStore, we champion security that is both robust and straightforward. This commitment drives our ongoing progression towards a passwordless future, initially for human users and now expanding to server-to-server interactions.
From Humans to Servers: Expanding Passwordless Authentication
In 2022, SingleStore introduced singlestore-auth-helper, a library enabling human users to connect to SingleStore databases without storing or sharing passwords. This initiative simplified developer access, enhanced auditability, and significantly reduced credential sprawl. We are now extending this convenience and security to services and applications with the introduction of the new singlestore-auth-iam library.
What Is singlestore-auth-iam?
singlestore-auth-iam offers a simple, standards-based method for servers to authenticate with SingleStore databases and the SingleStore Management API, entirely without passwords. It integrates seamlessly with your cloud provider’s Identity and Access Management (IAM) system (such as AWS IAM, Azure AD, or GCP IAM), enabling the use of short-lived, automatically rotated credentials instead of static database passwords.
In summary:
- No stored passwords or shared secrets
- Automatic credential rotation and revocation
- Compatibility across various cloud environments and automation pipelines
Note: singlestore-auth-iam focuses solely on authentication (verifying identity), not authorization (controlling access permissions). Authorization continues to be managed via SingleStore’s robust role-based permissions.
How It Works
Instead of transmitting a password during a connection, singlestore-auth-iam leverages your cloud provider’s identity service to acquire a temporary, verifiable token. When a server initiates a connection to SingleStore:
- It requests a signed identity token from the IAM system.
- This token is then exchanged for a JWT signed by SingleStore.
- The JWT is subsequently used to authenticate your connection to either your database or the management API — securely and without ever exposing a password.
Since this mechanism is dedicated exclusively to authentication, no preliminary setup is required beyond ensuring the IAM role is already mapped to a valid database account (or a cloud provider account within the SingleStore portal). The JWT will only be effective if SingleStore recognizes that specific IAM role as possessing the necessary access.
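The three-step exchange above, simulated end to end as an added example (not SingleStore's code and not the singlestore-auth-iam API), to show what each hop has to verify before trusting a token. It assumes HS256 with constructed keys in place of the asymmetric signatures real issuers use; the function names, audiences, lifetimes and role-to-account mapping are hypothetical.

```python
import base64, hashlib, hmac, json

def _b64(raw): return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def _unb64(txt): return base64.urlsafe_b64decode(txt + "=" * (-len(txt) % 4))
def _mac(key, head, body): return hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()

def sign(claims, key):
    # HS256 stands in for the asymmetric signatures real issuers use.
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    return f"{head}.{body}.{_b64(_mac(key, head, body))}"

def verify(token, key, audience, now):
    # Return the claims only if structure, algorithm, signature, audience and expiry all pass.
    try:
        head, body, sig = token.split(".")
        alg = json.loads(_unb64(head))["alg"]
        claims, given = json.loads(_unb64(body)), _unb64(sig)
        aud, exp = claims["aud"], claims["exp"]
    except (ValueError, TypeError, KeyError):
        raise PermissionError("malformed token")
    if alg != "HS256" or not hmac.compare_digest(_mac(key, head, body), given):
        raise PermissionError("bad signature")
    if aud != audience:
        raise PermissionError("wrong audience")
    if now >= exp:
        raise PermissionError("expired")
    return claims

# Constructed keys, audiences, lifetimes and role mapping (assumptions, not SingleStore values).
IAM_KEY, ISSUER_KEY = b"constructed-iam-key", b"constructed-issuer-key"
ACCOUNTS = {"arn:aws:iam::111122223333:role/orders-svc": "orders-svc"}

def iam_identity_token(role, now):   # step 1: cloud IAM vouches for the workload's role
    return sign({"sub": role, "aud": "token-exchange", "exp": now + 300}, IAM_KEY)

def exchange(identity_token, now):   # step 2: verified identity token -> issuer-signed JWT
    ident = verify(identity_token, IAM_KEY, "token-exchange", now)
    return sign({"sub": ident["sub"], "aud": "database", "exp": now + 600}, ISSUER_KEY)

def db_login(jwt, now):              # step 3: database accepts the JWT only for a mapped role
    claims = verify(jwt, ISSUER_KEY, "database", now)
    if claims["sub"] not in ACCOUNTS:
        raise PermissionError("role not mapped to a database account")
    return ACCOUNTS[claims["sub"]]
```

The separate audiences are what stop the raw IAM identity token from being replayed straight at the database, and the mapping lookup is the point at which an unrecognized role is refused even though its JWT is validly signed.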
Getting Started
For Database Access
To enable passwordless authentication for databases:
- Create accounts within your SingleStore engine, ensuring account names correspond to your IAM/cloud principal role.
- Mark these accounts with the `AUTHENTICATED_WITH_JWT` option.
- Consult the SingleStore documentation on JWT authentication for comprehensive, step-by-step configuration instructions.
Once configured, your application or service can utilize singlestore-auth-iam to establish secure connections without needing to store any credentials.
For Management API Access (Coming Soon)
Upon availability, the SingleStore Portal will allow you to create Cloud Provider accounts directly linked to IAM roles. From there, you can assign roles and permissions via the portal UI, maintaining passwordless authentication while ensuring fine-grained authorization through SingleStore’s management interface.
Why It Matters
Eliminating passwords empowers organizations to significantly reduce:
- The risk of credential leakage across code, CI/CD pipelines, or configuration files.
- The operational burden associated with rotating secrets or managing shared credentials.
- The complexity involved in compliance audits and access reviews.
This approach delivers benefits for both security and operations, aligning perfectly with the Zero Trust principle: “authenticate everything, trust nothing.”
A Unified Approach to Passwordless Security
Combined, singlestore-auth-helper and singlestore-auth-iam provide a cohesive strategy for eliminating passwords across all access patterns:
- Developers and analysts: Can authenticate interactively without passwords.
- Applications and automation: Can authenticate programmatically using IAM.
This consistent methodology enables organizations to standardize on secure, auditable authentication throughout their entire SingleStore environment.
The Road Ahead
As data systems continue to evolve, SingleStore remains dedicated to minimizing friction and mitigating risk in how developers and infrastructure connect. Passwordless authentication is a key milestone in this ongoing journey. Anticipate further features designed to make securing and scaling your data infrastructure simpler, faster, and safer. We encourage you to start experimenting with passwordless server authentication today and move towards a password-free future.