diff --git a/tools/etcd-dump-db/backend.go b/tools/etcd-dump-db/backend.go
index 4ad0aa5ddf2..aa2102c4159 100644
--- a/tools/etcd-dump-db/backend.go
+++ b/tools/etcd-dump-db/backend.go
@@ -17,6 +17,7 @@ package main
 import (
 	"encoding/binary"
 	"fmt"
+	"go.etcd.io/etcd/auth/authpb"
 	"path/filepath"
 
 	"go.etcd.io/etcd/lease/leasepb"
@@ -52,8 +53,11 @@ func getBuckets(dbPath string) (buckets []string, err error) {
 type decoder func(k, v []byte)
 
 var decoders = map[string]decoder{
-	"key":   keyDecoder,
-	"lease": leaseDecoder,
+	"key":       keyDecoder,
+	"lease":     leaseDecoder,
+	"auth":      authDecoder,
+	"authRoles": authRolesDecoder,
+	"authUsers": authUsersDecoder,
 }
 
 type revision struct {
@@ -93,6 +97,33 @@ func leaseDecoder(k, v []byte) {
 	fmt.Printf("lease ID=%016x, TTL=%ds\n", leaseID, lpb.TTL)
 }
 
+func authDecoder(k, v []byte) {
+	if string(k) == "authRevision" {
+		rev := binary.BigEndian.Uint64(v)
+		fmt.Printf("key=%q, value=%v\n", k, rev)
+	} else {
+		fmt.Printf("key=%q, value=%v\n", k, v)
+	}
+}
+
+func authRolesDecoder(k, v []byte) {
+	role := &authpb.Role{}
+	err := role.Unmarshal(v)
+	if err != nil {
+		panic(err)
+	}
+	fmt.Printf("role=%q, keyPermission=%v\n", string(role.Name), role.KeyPermission)
+}
+
+func authUsersDecoder(k, v []byte) {
+	user := &authpb.User{}
+	err := user.Unmarshal(v)
+	if err != nil {
+		panic(err)
+	}
+	fmt.Printf("user=%q, roles=%q, password=%q, option=%v\n", user.Name, user.Roles, string(user.Password), user.Options)
+}
+
 func iterateBucket(dbPath, bucket string, limit uint64, decode bool) (err error) {
 	db, err := bolt.Open(dbPath, 0600, &bolt.Options{Timeout: flockTimeout})
 	if err != nil {