diff --git a/mintlify/get-started/connect/aws-cross-account.mdx b/mintlify/get-started/connect/aws-cross-account.mdx
new file mode 100644
index 00000000..1786358a
--- /dev/null
+++ b/mintlify/get-started/connect/aws-cross-account.mdx
@@ -0,0 +1,198 @@
+---
+title: Cross-Account Authentication in Single Account
+---
+
+When you have only one AWS account, you can still test the cross-account authentication feature by creating separate IAM roles that simulate a multi-account setup. This guide walks through creating two roles that demonstrate the authentication flow.
+
+## What We're Building
+
+In production cross-account setups:
+- **Account A** hosts Bytebase on an EC2 instance
+- **Account B** hosts the RDS database
+- Bytebase assumes a role in Account B to access the database
+
+For testing in a single account, we'll create:
+- **Role 1**: `bytebase-instance-role` (simulates Account A's EC2 role)
+- **Role 2**: `bytebase-target-db-role` (simulates Account B's database access role)
+
+## Prerequisites
+
+- An EC2 instance where Bytebase will run
+- An RDS instance with IAM authentication enabled
+- IAM admin permissions to create roles and policies
+
+## Step 1: Set Up the EC2 Instance Role
+
+This role will be attached to your EC2 instance running Bytebase.
+
+### Create the Role
+
+1. Go to [IAM Console → Roles](https://console.aws.amazon.com/iam/home#/roles)
+2. Click **Create role**
+3. Choose trusted entity:
+   - Select **AWS service**
+   - Choose **EC2**
+   - Click **Next**
+4. Skip policy attachment for now (we'll add it later)
+5. Name the role: `bytebase-instance-role`
+6. Click **Create role**
+
+### Attach Role to EC2
+
+**For a new EC2 instance:**
+- During launch, in **Advanced details** → **IAM instance profile**, select `bytebase-instance-role`
+
+**For an existing EC2 instance:**
+1. Select your instance in the [EC2 Console](https://console.aws.amazon.com/ec2/)
+2. Click **Actions** → **Security** → **Modify IAM role**
+3. Select `bytebase-instance-role`
+4. Click **Update IAM role**
+
+## Step 2: Create the Database Access Role
+
+This role will have permission to connect to your RDS database. In production, this would be in a different account.
+
+### Create the Role with Trust Policy
+
+1. In [IAM Console](https://console.aws.amazon.com/iam/), click **Create role**
+2. Select **Custom trust policy**
+3. Replace the default policy with this (substitute your account ID):
+
+   ```json
+   {
+     "Version": "2012-10-17",
+     "Statement": [
+       {
+         "Effect": "Allow",
+         "Principal": {
+           "AWS": "arn:aws:iam::YOUR_ACCOUNT_ID:role/bytebase-instance-role"
+         },
+         "Action": "sts:AssumeRole",
+         "Condition": {}
+       }
+     ]
+   }
+   ```
+   
+   <Info>
+   This trust policy allows `bytebase-instance-role` to assume this role. In production, the Principal would reference a role from a different account.
+   </Info>
+
+4. Click **Next**
+5. Skip policy attachment (we'll add inline policy next)
+6. Name the role: `bytebase-target-db-role`
+7. Click **Create role**
+
+### Add RDS Connect Permission
+
+1. Open the newly created `bytebase-target-db-role`
+2. Go to the **Permissions** tab
+3. Click **Add permissions** → **Create inline policy**
+4. Switch to **JSON** view and paste:
+
+   ```json
+   {
+     "Version": "2012-10-17",
+     "Statement": [
+       {
+         "Effect": "Allow",
+         "Action": "rds-db:connect",
+         "Resource": "arn:aws:rds-db:*:*:dbuser:*/*"
+       }
+     ]
+   }
+   ```
+   
+   <Note>
+   For production, replace wildcards with specific values: 
+   `arn:aws:rds-db:REGION:ACCOUNT_ID:dbuser:DB_RESOURCE_ID/bytebase`
+   
+   Find your DB_RESOURCE_ID in RDS Console → your database → Configuration tab
+   </Note>
+
+5. Click **Review policy**
+6. Name it: `RDSConnect`
+7. Click **Create policy**
+
+## Step 3: Allow the EC2 Role to Assume the Database Role
+
+Now we need to give the EC2 role permission to assume the database role.
+
+1. Go back to the `bytebase-instance-role` in IAM Console
+2. Click **Add permissions** → **Create inline policy**
+3. Switch to **JSON** view and paste (substitute your account ID):
+
+   ```json
+   {
+     "Version": "2012-10-17",
+     "Statement": [
+       {
+         "Effect": "Allow",
+         "Action": "sts:AssumeRole",
+         "Resource": "arn:aws:iam::YOUR_ACCOUNT_ID:role/bytebase-target-db-role"
+       }
+     ]
+   }
+   ```
+
+4. Click **Review policy**
+5. Name it: `AssumeTargetRole`
+6. Click **Create policy**
+
+## Step 4: Configure the Database
+
+Your RDS instance needs:
+1. **IAM authentication enabled** (check in RDS Console → Modify → Database authentication options)
+2. **A database user configured for IAM auth**
+
+### Create the IAM Database User
+
+Connect to your RDS instance using your master credentials, then run:
+
+**For PostgreSQL:**
+
+```sql
+-- Create user for IAM authentication
+CREATE USER bytebase;
+GRANT rds_iam TO bytebase;
+
+-- Grant necessary permissions (adjust as needed)
+GRANT CONNECT ON DATABASE postgres TO bytebase;
+GRANT CREATE ON DATABASE postgres TO bytebase;
+GRANT ALL PRIVILEGES ON DATABASE your_database TO bytebase;
+```
+
+**For MySQL:**
+
+```sql
+-- Create user for IAM authentication
+CREATE USER 'bytebase'@'%' IDENTIFIED WITH AWSAuthenticationPlugin AS 'RDS';
+ALTER USER 'bytebase'@'%' REQUIRE SSL;
+
+-- Grant necessary permissions (adjust as needed)
+GRANT ALL PRIVILEGES ON *.* TO 'bytebase'@'%';
+FLUSH PRIVILEGES;
+```
+
+## Step 5: Configure Bytebase Connection
+
+Now configure Bytebase to use the cross-account authentication:
+
+1. Open Bytebase and click **New Instance**
+2. Configure basic connection:
+   - **Host:** Your RDS endpoint (e.g., `mydb.abc123.us-east-1.rds.amazonaws.com`)
+   - **Port:** 5432 (PostgreSQL) or 3306 (MySQL)
+   - **Username:** `bytebase`
+   - **Authentication:** Select `AWS RDS IAM`
+
+3. Configure AWS credentials:
+   - **Credential Source:** Select **Specific Credentials**
+   - **Access Key ID:** Leave empty (uses EC2 instance profile)
+   - **Secret Access Key:** Leave empty (uses EC2 instance profile)
+   - **Session Token:** Leave empty
+   - **Role ARN:** `arn:aws:iam::YOUR_ACCOUNT_ID:role/bytebase-target-db-role`
+   - **Database Region:** Select your RDS region
+   - **Database:** Your database name
+
+4. Click **Test Connection** to verify the setup
+5. If successful, click **Create**
\ No newline at end of file
diff --git a/mintlify/get-started/connect/aws.mdx b/mintlify/get-started/connect/aws.mdx
index 2c49c22b..19b40a21 100644
--- a/mintlify/get-started/connect/aws.mdx
+++ b/mintlify/get-started/connect/aws.mdx
@@ -1,6 +1,5 @@
 ---
 title: AWS Database Connections
-description: Configure secure database connections for AWS RDS, Aurora, and other AWS-managed databases
 ---
 
 import PostgreSQLConfig from '/snippets/get-started/instance/postgresql.mdx';
@@ -21,17 +20,17 @@ References: [IAM roles for EC2](https://docs.aws.amazon.com/AWSEC2/latest/UserGu
 4. Attach policies as needed:
    - For RDS IAM authentication - see [RDS/Aurora section](#rdsaurora-with-iam-authentication)
    - For Secrets Manager access - see [AWS Secrets Manager section](#aws-secrets-manager)
-5. Name the role: `bytebase-role`
+5. Name the role: `bytebase-instance-role`
 
 ### Attach IAM Role to EC2
 
 **New EC2 Instance:**
 1. Launch instance in [EC2 Console](https://console.aws.amazon.com/ec2/)
-2. In **Advanced details** → **IAM instance profile**: Select `bytebase-role`
+2. In **Advanced details** → **IAM instance profile**: Select `bytebase-instance-role`
 
 **Existing EC2 Instance:**
 1. Select instance → **Actions** → **Security** → **Modify IAM role**
-2. Select `bytebase-role` → **Update IAM role**
+2. Select `bytebase-instance-role` → **Update IAM role**
 
 Deploy Bytebase on your EC2 instance - credentials are provided automatically through the instance metadata service.
 
@@ -110,19 +109,28 @@ References: [MySQL](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Using
 ### Step 4: Connect from Bytebase
 
 1. Click **New Instance** in Bytebase
-2. Configure connection:
+2. Configure basic connection:
    - **Host:** Your RDS endpoint
    - **Port:** 3306 (MySQL) or 5432 (PostgreSQL)
    - **Username:** `bytebase`
    - **Authentication:** Select `AWS RDS IAM`
-3. Test and save the connection
 
-Bytebase automatically handles token generation and refresh using the EC2 instance profile.
+3. Configure AWS credentials:
+   - **Credential Source:** Select **Default** (recommended for same-account connections)
+     - Automatically uses EC2 instance profile or environment variables
+     - **Database Region:** Select your RDS region (e.g., `us-east-1`)
+     - **Database:** Your database name
+
+4. Test and save the connection
+
+<Info>
+For same-account connections on EC2, always use **Default** credential source. Bytebase automatically uses the instance profile to authenticate. Use **Specific Credentials** only for cross-account scenarios.
+</Info>
 
 ## Cross-Account IAM Authentication
 
 <Info>
-Available in Bytebase version 3.11.1 and later
+Available in Bytebase version 3.12.1 and later
 </Info>
 
 Connect to RDS databases in different AWS accounts using IAM role assumption. This allows Bytebase running in Account A to authenticate to databases in Accounts B, C, D, etc.
@@ -141,69 +149,151 @@ In each target AWS account (where databases reside):
 2. Click **Create role**
 3. Select trusted entity: **Another AWS account**
 4. Enter the source account ID (where Bytebase runs)
-5. Attach this policy for RDS access:
+5. Optionally add an External ID for additional security
+6. Name the role: `bytebase-target-db-role`
+7. After creating the role, add an inline policy for RDS access:
+
+   - Go to the **Permissions** tab
+   - Click **Add permissions** → **Create inline policy**
+   - Switch to **JSON** view and paste:
+
+   ```json
+   {
+     "Version": "2012-10-17",
+     "Statement": [
+       {
+         "Effect": "Allow",
+         "Action": "rds-db:connect",
+         "Resource": "arn:aws:rds-db:REGION:ACCOUNT_ID:dbuser:DB_RESOURCE_ID/bytebase"
+       }
+     ]
+   }
+   ```
 
-```json
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Effect": "Allow",
-      "Action": "rds-db:connect",
-      "Resource": "arn:aws:rds-db:REGION:ACCOUNT_ID:dbuser:DB_RESOURCE_ID/bytebase"
-    }
-  ]
-}
-```
+   <Note>
+   For production, replace with specific values. Find your DB_RESOURCE_ID in RDS Console → your database → Configuration tab
+   </Note>
+
+7. Note the role ARN: `arn:aws:iam::TARGET_ACCOUNT:role/bytebase-target-db-role`
+
+### Step 2: Configure Trust Relationship (Target Account)
+
+In the target account, configure the trust policy for `bytebase-target-db-role`:
+
+1. Go to the role in IAM Console
+2. Select **Trust relationships** tab
+3. Click **Edit trust policy**
+4. Update with this policy (replace with your source account details):
+
+   ```json
+   {
+     "Version": "2012-10-17",
+     "Statement": [
+       {
+         "Effect": "Allow",
+         "Principal": {
+           "AWS": "arn:aws:iam::SOURCE_ACCOUNT:role/bytebase-instance-role"
+         },
+         "Action": "sts:AssumeRole",
+         "Condition": {
+           "StringEquals": {
+             "sts:ExternalId": "your-external-id"  // Optional but recommended
+           }
+         }
+       }
+     ]
+   }
+   ```
 
-6. Name the role (e.g., `bytebase-cross-account-rds`)
-7. Note the role ARN: `arn:aws:iam::TARGET_ACCOUNT:role/bytebase-cross-account-rds`
+### Step 3: Grant AssumeRole Permission (Source Account)
+
+In the source account (where Bytebase runs), add permission to assume the target role:
+
+1. Go to your `bytebase-instance-role` in IAM Console
+2. Click **Add permissions** → **Create inline policy**
+3. Switch to **JSON** view and paste:
+
+   ```json
+   {
+     "Version": "2012-10-17",
+     "Statement": [
+       {
+         "Effect": "Allow",
+         "Action": "sts:AssumeRole",
+         "Resource": [
+           "arn:aws:iam::ACCOUNT_B:role/bytebase-target-db-role",
+           "arn:aws:iam::ACCOUNT_C:role/bytebase-target-db-role"
+         ]
+       }
+     ]
+   }
+   ```
 
-### Step 2: Grant AssumeRole Permission
+4. Name the policy: `AssumeTargetRoles`
+5. Replace `ACCOUNT_B`, `ACCOUNT_C` with your target account IDs
 
-In the source account (where Bytebase runs), add this policy to your Bytebase IAM role:
+### Step 4: Configure Database User
 
-```json
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Effect": "Allow",
-      "Action": "sts:AssumeRole",
-      "Resource": [
-        "arn:aws:iam::ACCOUNT_B:role/bytebase-cross-account-rds",
-        "arn:aws:iam::ACCOUNT_C:role/bytebase-cross-account-rds",
-        "arn:aws:iam::ACCOUNT_D:role/bytebase-cross-account-rds"
-      ]
-    }
-  ]
-}
+Ensure the target RDS instance has:
+
+1. **IAM authentication enabled** (RDS Console → Modify → Database authentication options)
+2. **A database user configured for IAM auth**
+
+**For PostgreSQL:**
+
+```sql
+CREATE USER bytebase;
+GRANT rds_iam TO bytebase;
+-- Grant necessary permissions
 ```
 
-Replace `ACCOUNT_B`, `ACCOUNT_C`, `ACCOUNT_D` with your target account IDs.
+**For MySQL:**
+
+```sql
+CREATE USER 'bytebase'@'%' IDENTIFIED WITH AWSAuthenticationPlugin AS 'RDS';
+ALTER USER 'bytebase'@'%' REQUIRE SSL;
+-- Grant necessary permissions
+```
 
-### Step 3: Configure Cross-Account Connection
+### Step 5: Configure Cross-Account Connection
 
 1. Click **New Instance** in Bytebase
-2. Configure connection:
+2. Configure basic connection:
    - **Host:** RDS endpoint in target account
    - **Port:** 3306 (MySQL) or 5432 (PostgreSQL)
    - **Username:** `bytebase`
    - **Authentication:** Select `AWS RDS IAM`
-   - **AWS Assume Role ARN:** Enter the target account role ARN
-     (e.g., `arn:aws:iam::TARGET_ACCOUNT:role/bytebase-cross-account-rds`)
-3. Test and save the connection
 
-Bytebase will:
-1. Assume the role in the target account
-2. Use the assumed credentials to generate RDS IAM tokens
-3. Authenticate to the database using the token
+3. Configure AWS credentials:
+   - **Credential Source:** Select **Specific Credentials** (required for cross-account)
+     - **Access Key ID:** Leave empty (uses EC2 instance profile)
+     - **Secret Access Key:** Leave empty (uses EC2 instance profile)
+     - **Session Token:** Leave empty
+     - **Role ARN:** `arn:aws:iam::TARGET_ACCOUNT:role/bytebase-target-db-role`
+     - **External ID:** Optional security string (if configured in trust policy)
+     - **Database Region:** Select target RDS region
+     - **Database:** Your database name
+
+4. Test and save the connection
+
+<Note>
+**Important:** For cross-account access, always use **Specific Credentials**. Leave Access Key ID, Secret Access Key, and Session Token empty when using EC2 instance profile - only provide the Role ARN. Use **Default** credential source only for same-account connections.
+</Note>
+
+How it works:
+1. Bytebase uses the EC2 instance profile credentials
+2. Assumes the specified role in the target account
+3. Generates RDS IAM authentication tokens using the assumed role
+4. Connects to the database using the token
 
 ### Example Setup
 
 **Scenario:** Bytebase in Account A (123456789012) connecting to RDS in Account B (987654321098)
 
 **Account B - Create role with trust relationship:**
+
+Configure the trust policy to allow the source account's role to assume this role:
+
 ```json
 {
   "Version": "2012-10-17",
@@ -211,12 +301,12 @@ Bytebase will:
     {
       "Effect": "Allow",
       "Principal": {
-        "AWS": "arn:aws:iam::123456789012:root"
+        "AWS": "arn:aws:iam::123456789012:role/bytebase-instance-role"
       },
       "Action": "sts:AssumeRole",
       "Condition": {
         "StringEquals": {
-          "sts:ExternalId": "optional-external-id"
+          "sts:ExternalId": "your-secure-external-id"
         }
       }
     }
@@ -232,35 +322,15 @@ Bytebase will:
     {
       "Effect": "Allow",
       "Action": "sts:AssumeRole",
-      "Resource": "arn:aws:iam::987654321098:role/bytebase-cross-account-rds"
+      "Resource": "arn:aws:iam::987654321098:role/bytebase-target-db-role"
     }
   ]
 }
 ```
 
-### Security Best Practices
-
-1. **Use External IDs**: Add an external ID to the trust relationship for additional security
-2. **Limit Role Scope**: Grant only necessary RDS permissions in target accounts
-3. **Use Specific Resource ARNs**: Avoid wildcards in IAM policies when possible
-4. **Enable CloudTrail**: Monitor cross-account role assumptions
-5. **Regular Audits**: Review cross-account permissions periodically
-
-### Troubleshooting Cross-Account Issues
-
-**AssumeRole Access Denied:**
-- Verify trust relationship in target account role
-- Check source account has AssumeRole permission
-- Ensure role ARN is correct
-
-**RDS Authentication Failed After AssumeRole:**
-- Verify target role has rds-db:connect permission
-- Check database user exists with IAM authentication enabled
-- Ensure RDS instance has IAM authentication enabled
-
-**Token Expiration:**
-- Bytebase automatically refreshes tokens before expiration
-- Default session duration is 1 hour (configurable in role settings)
+<Note>
+Need to test cross-account authentication but only have one AWS account? See our guide on [testing cross-account authentication in a single account](/get-started/connect/aws-cross-account).
+</Note>
 
 ## AWS Secrets Manager
 
@@ -342,16 +412,19 @@ For specific database types running on AWS, see their configuration guides:
 ## Troubleshooting
 
 ### Connection Timeout
+
 - Verify security group rules allow traffic on database port
 - Check VPC routing and subnet configuration
 - Ensure database is publicly accessible or use VPN/bastion host
 
 ### IAM Authentication Failed
+
 - Verify IAM role has correct `rds-db:connect` permissions
 - Check database user was created with correct authentication method
 - Ensure SSL is enabled for the connection
 
 ### Secrets Manager Access Denied
+
 - Verify IAM role has `secretsmanager:GetSecretValue` permission
 - Check secret ARN matches the policy resource
-- Ensure secret exists in the correct region
\ No newline at end of file
+- Ensure secret exists in the correct region