I’m using TEAM elevated access for AWS in my organization to temporarily access an Aurora MySQL cluster.
TEAM provides database access through a tunneled MySQL session using a generic database username, for example:
authentication_db_write_user
Although TEAM generates a unique token/password for each session, the database username remains the same for all users, regardless of which IAM user requested access.
Inside the database, running:
SELECT CURRENT_USER();
only returns the shared username (authentication_db_write_user).
Because of this, the Aurora MySQL audit logs and general logs only show activity coming from the same DB user — not from the actual IAM identity (email or IAM username) of the person who initiated TEAM access.
❓ What I want
I need a way to capture the actual IAM identity (email / IAM username) of the user accessing the database through TEAM and have that recorded in logs, so that I can:
identify who performed each SQL query
map queries to real IAM users
maintain proper monitoring and compliance
❓ What I’ve tried
Aurora MySQL audit logging → only logs DB username
General logs → same limitation
TEAM session metadata → exposes a unique session token but no IAM identity
IAM DB Authentication → not usable because TEAM uses username/password via a tunnel
❓ Question
Is there any supported AWS mechanism to:
pass the IAM identity through the TEAM tunnel into the Aurora MySQL session,
automatically inject IAM identity into MySQL session variables,
or have Aurora record IAM identity in audit logs,
so that logs show which IAM user actually accessed the database, even though everyone uses the same DB username?
If not, what are the recommended or best-practice workarounds for this?