Add support for AWS IAM authentication to RDS instances #4036
wronghost wants to merge 6 commits into nuts-foundation:master from
Conversation
Coverage Impact ⬇️ Merging this pull request will decrease total coverage on Modified Files with Diff Coverage (4)
storage/rds_iam.go
Outdated
| func newRDSIAMAuthenticator(cfg RDSIAMConfig, endpoint, baseConnStr string) *rdsIAMAuthenticator { | ||
| if cfg.TokenRefreshInterval == 0 { | ||
| // Default to 14 minutes (tokens are valid for 15 minutes) | ||
| cfg.TokenRefreshInterval = 14 * time.Minute |
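Review bot: the zero check only covers an unset interval; a configured TokenRefreshInterval of 15 minutes or more (the token lifetime the comment cites) or a negative value passes through unchanged, so connections between refreshes would be attempted with an already expired token, and a negative value would make the refresh ticker panic. Suggest validating the range once, e.g. returning an error for values outside (0, 15m), alongside moving the default itself into storage.DefaultConfig() as requested.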
move to storage.DefaultConfig()
I have moved the default values to:
    return Config{
        SQL: SQLConfig{
            RDSIAM: RDSIAMConfig{
                TokenRefreshInterval: 14 * time.Minute,
            },
        },
    }
Not sure if this is what you expected.
Would it be possible to integration test or even end-to-end test against a stub AWS RDS IAM? Since you're the first one requiring this feature, and thus the only one using it, we have a future maintenance risk if it breaks at some point (and we won't even notice it breaking because there's no integration test).
Hi,
I have tried to fix all the recommendations you asked for. I am not sure only about:
    return Config{
        SQL: SQLConfig{
            RDSIAM: RDSIAMConfig{
                TokenRefreshInterval: 14 * time.Minute,
            },
        },
    }
I built the code locally and tested it directly against our acceptance database on AWS using RDS IAM authentication, and after those changes I was still able to push some records using the commands:
curl -Lvs -X POST http://localhost:8081/internal/vdr/v2/subject
and retrieve records:
curl -Lvs http://localhost:8081/internal/vdr/v2/subject
Seems to be fine so far.
Could you please review once again and let me know if there are more things to correct?
Thank you in advance.

This pull request introduces AWS RDS IAM authentication support for the SQL storage backend, enabling secure database connections using temporary IAM tokens instead of static passwords. The implementation is opt-in, backward compatible, and includes comprehensive documentation, configuration options, and automated token management for both PostgreSQL and MySQL. Several new files, configuration parameters, and dependencies have been added to support this feature.
Major features and changes:
1. AWS RDS IAM Authentication Implementation
   - storage/rds_iam.go for managing IAM token generation, connection string modification, and background token refresh logic.
   - Unit tests (storage/rds_iam_test.go), documentation (storage/RDS_IAM_AUTHENTICATION.md), and example configuration (storage/rds_iam_example_config.yaml) have been included.
   - storage/QUICKSTART_RDS_IAM.md for rapid setup and troubleshooting.
2. Configuration and Usage
   - New configuration parameters (storage.sql.rdsiam.enabled, region, dbuser, tokenrefreshinterval) with detailed descriptions in README.rst.
3. Codebase and Dependency Updates
   - storage/config.go and storage/engine.go updated to integrate RDS IAM authentication, including token management and background refresh routines.
   - Dependencies added to go.mod to enable IAM token generation and AWS integration. [1] [2]
4. Security and Compatibility
5. Documentation and Testing
These changes collectively provide a secure, automated, and well-documented way to use AWS RDS IAM authentication with the Nuts node SQL storage backend.
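The description above lists three moving parts (IAM token generation, connection string modification, and a background refresh loop), and the reviewer asked for a way to exercise them against a stub rather than a live AWS account. The following Go program is an added example written for this page, not code from the PR or from nuts-node: it isolates the AWS call behind a `TokenGenerator` function type so a stub can be injected in tests, validates that the refresh interval stays below the 15-minute token lifetime (the case the inline review comment touches), and injects the current token as the password of a URL-style connection string. The type and function names (`RDSIAMConfig`, `Authenticator`, `stubGenerator`), the `postgres://` base connection string format and the stub token shape are assumptions; MySQL's non-URL DSN format is not handled here.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net/url"
	"sync"
	"time"
)

// rdsTokenLifetime is the validity period AWS assigns to RDS IAM auth tokens.
const rdsTokenLifetime = 15 * time.Minute

// TokenGenerator abstracts the AWS signing call (hypothetical seam for this example).
// Production code would wrap the AWS SDK here; tests inject a stub.
type TokenGenerator func(ctx context.Context, endpoint, region, dbUser string) (string, error)

// RDSIAMConfig mirrors the configuration keys named in the PR description (assumed shape).
type RDSIAMConfig struct {
	Enabled              bool
	Region               string
	DBUser               string
	TokenRefreshInterval time.Duration
}

// Validate rejects a refresh interval that would let a token expire before it is replaced.
func (c RDSIAMConfig) Validate() error {
	if !c.Enabled {
		return nil
	}
	if c.Region == "" || c.DBUser == "" {
		return errors.New("rdsiam: region and dbuser are required")
	}
	if c.TokenRefreshInterval <= 0 || c.TokenRefreshInterval >= rdsTokenLifetime {
		return fmt.Errorf("rdsiam: tokenrefreshinterval must be > 0 and < %s", rdsTokenLifetime)
	}
	return nil
}

// Authenticator holds the most recent token and builds connection strings from it.
type Authenticator struct {
	cfg      RDSIAMConfig
	endpoint string   // host:port signed into the token
	base     *url.URL // parsed base connection string without a password
	gen      TokenGenerator
	mu       sync.RWMutex
	token    string
	issuedAt time.Time
}

// NewAuthenticator validates the config and parses the base connection string (URL form).
func NewAuthenticator(cfg RDSIAMConfig, baseConnStr string, gen TokenGenerator) (*Authenticator, error) {
	if err := cfg.Validate(); err != nil {
		return nil, err
	}
	u, err := url.Parse(baseConnStr)
	if err != nil || u.Host == "" {
		return nil, fmt.Errorf("rdsiam: base connection string must be a URL with a host: %q", baseConnStr)
	}
	return &Authenticator{cfg: cfg, endpoint: u.Host, base: u, gen: gen}, nil
}

// Refresh obtains a new token and records its issue time.
func (a *Authenticator) Refresh(ctx context.Context) error {
	tok, err := a.gen(ctx, a.endpoint, a.cfg.Region, a.cfg.DBUser)
	if err != nil {
		return err
	}
	a.mu.Lock()
	defer a.mu.Unlock()
	a.token, a.issuedAt = tok, time.Now()
	return nil
}

// ConnString returns the base connection string with the current token as the password,
// refusing to hand out a connection string backed by a missing or expired token.
func (a *Authenticator) ConnString() (string, error) {
	a.mu.RLock()
	defer a.mu.RUnlock()
	if a.token == "" {
		return "", errors.New("rdsiam: no token available yet; call Refresh first")
	}
	if time.Since(a.issuedAt) >= rdsTokenLifetime {
		return "", errors.New("rdsiam: token expired before refresh")
	}
	u := *a.base // copy so the stored base never carries a password
	u.User = url.UserPassword(a.cfg.DBUser, a.token)
	return u.String(), nil
}

// RunRefreshLoop re-issues the token every TokenRefreshInterval until ctx is cancelled.
func (a *Authenticator) RunRefreshLoop(ctx context.Context, onErr func(error)) {
	t := time.NewTicker(a.cfg.TokenRefreshInterval)
	defer t.Stop()
	for {
		select {
		case <-ctx.Done():
			return
		case <-t.C:
			if err := a.Refresh(ctx); err != nil && onErr != nil {
				onErr(err)
			}
		}
	}
}

// stubGenerator is a constructed stand-in for the AWS call, suitable for integration tests.
// Real tokens are presigned query strings; this only imitates that shape.
func stubGenerator(_ context.Context, endpoint, region, dbUser string) (string, error) {
	return fmt.Sprintf("%s/?Action=connect&DBUser=%s&X-Amz-Region=%s&X-Amz-Signature=STUB", endpoint, dbUser, region), nil
}
```

Because the token contains `?`, `&` and `=`, `url.UserPassword` escapes it in the resulting connection string; a driver that parses URL-style DSNs decodes it again. Keeping the stored base URL password-free means the refresh loop can rotate tokens without ever leaving a stale credential in a long-lived struct.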