Enhanced credentials service to support dynamically retrieved auth tokens (e.g. IAM RDS) #2102

Closed
1 of 2 tasks
cartucciam opened this issue Mar 20, 2021 · 14 comments

Comments

@cartucciam

New feature request

Hi All,

I am proposing adding a credentials service to allow for a more sophisticated way to set user credentials. The main use case for this would be solutions like IAM RDS auth token where the password is retrieved dynamically at runtime.

The idea would be to add an easily extensible Credential Service similarly to what the MariaDB connector got here.

This change would remove the duplication of the logic retrieving credentials dynamically, which otherwise must be implemented in every client accessing the database.

Regards,
Matteo

  • [ ] bug report
  • [x] feature request
@davecramer (Member)

So are you proposing to implement this?

@cartucciam (Author)

> So are you proposing to implement this?

Yes, I am. I would like to hear opinions from the maintainers as I suspect this has already been discussed since RDS IAM was released a while ago although I couldn't find anything in this repo.

@davecramer (Member)

Well until we see a concrete implementation there's not much to comment on. In general I'd say it would be a welcome addition.

@cartucciam (Author)

> Well until we see a concrete implementation there's not much to comment on. In general I'd say it would be a welcome addition.

Thanks Dave, I wanted to rule out this having been discussed already and rejected for some reason before putting together a PR.

@bokken (Member) commented Mar 30, 2021

So the need is basically just a callback to provide the password (and maybe username)?

@sehrope (Member) commented Mar 30, 2021

I think we only need it for password. The username is required in the startup packet and the password only comes into play after the server requests password based authentication.

I haven't looked at the wire messages, but from testing this a while back I remember that RDS requires you to be connecting over TLS to use this auth method. I bet that they're sending back an AuthenticationCleartextPassword message so they can get the raw value of the auth token for further processing.

@cartucciam (Author) commented Apr 1, 2021

> So the need is basically just a callback to provide the password (and maybe username)?

Yes, this is only for the password, and we might want a caching mechanism, as it expires after 15 minutes, preventing new connections from being instantiated. In the MariaDB driver they went for caching it for 10 minutes.

I have been looking at adding it to the driver but I am not sure where the project is going. Adding an abstraction layer to the credentials to allow different implementations like this to be used seems like a good idea, but the current code appears pretty opinionated in keeping this aspect as simple as possible.

@kamatvishal

@cartucciam Can you please let us know if this driver now supports the IAM RDS auth tokens just like the mariadb driver does? From the comments so far, I see there is a discussion on making this change but it is not clear if it's implemented and available in some version?

@sehrope (Member) commented Nov 18, 2022

@kamatvishal Yes the feature was added in v42.3.3: REL42.3.1...REL42.3.2

Here's the release notes for that release: https://github.com/pgjdbc/pgjdbc/blob/master/CHANGELOG.md#4232-2022-02-01-073541--0500

@kamatvishal

Thanks @sehrope. Just to understand this feature, it basically added a way to provide a custom class which fetches the dynamic password. The postgres driver itself will not handle this natively like the MariaDB connector. Is this understanding correct?

@sehrope (Member) commented Nov 18, 2022

Yes that is correct. You would supply your own implementation of a class that implements the plugin interface.

To match the behavior of the MariaDB driver, you could have it pull the base credentials from DefaultAWSCredentialsProviderChain and then generate an auth token to use as the password.
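As an added example of the plugin approach sehrope describes here, combined with the 10-minute token cache cartucciam mentions above (this is not pgjdbc's, AWS's or any commenter's code): a pgjdbc `AuthenticationPlugin` that mints an RDS IAM auth token as the password. It assumes pgjdbc 42.3.2 or later (the `org.postgresql.plugin.AuthenticationPlugin` interface, selected with the `authenticationPluginClassName` connection property), the AWS SDK for Java v2 (`software.amazon.awssdk:rds`), and that the driver passes its connection `Properties` to a plugin constructor that accepts them; the `example` package and class name are ours.

```java
// Added example, not pgjdbc's, AWS's or any commenter's code.
// Assumes pgjdbc >= 42.3.2 (org.postgresql.plugin.AuthenticationPlugin, enabled with the
// authenticationPluginClassName connection property) and AWS SDK for Java v2
// (software.amazon.awssdk:rds). Package and class names are our own.
package example;

import java.time.Duration;
import java.time.Instant;
import java.util.Map;
import java.util.Properties;
import java.util.concurrent.ConcurrentHashMap;

import org.postgresql.plugin.AuthenticationPlugin;
import org.postgresql.plugin.AuthenticationRequestType;
import org.postgresql.util.PSQLException;
import org.postgresql.util.PSQLState;

import software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider;
import software.amazon.awssdk.core.exception.SdkException;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.regions.providers.DefaultAwsRegionProviderChain;
import software.amazon.awssdk.services.rds.RdsUtilities;
import software.amazon.awssdk.services.rds.model.GenerateAuthenticationTokenRequest;

/** Supplies an RDS IAM auth token as the PostgreSQL password, reusing each token for at most 10 minutes. */
public final class RdsIamAuthPlugin implements AuthenticationPlugin {

  /** RDS tokens are valid for 15 minutes after minting; stop reusing them at 10, as the MariaDB connector does. */
  private static final Duration MAX_AGE = Duration.ofMinutes(10);

  /** A minted token plus the time it was minted. */
  private static final class Entry {
    final String token;
    final Instant mintedAt;

    Entry(String token, Instant mintedAt) {
      this.token = token;
      this.mintedAt = mintedAt;
    }

    boolean isFresh(Instant now) {
      return now.isBefore(mintedAt.plus(MAX_AGE));
    }
  }

  /** Keyed by host:port:user. Static because the driver may build a new plugin instance per connection attempt. */
  private static final Map<String, Entry> CACHE = new ConcurrentHashMap<>();

  private final String host;
  private final int port;
  private final String user;

  /**
   * Assumption: pgjdbc hands the plugin its connection Properties when a Properties constructor exists
   * (a no-arg constructor would also be accepted). PGHOST/PGPORT are the keys the driver fills from the
   * URL; for a multi-host URL only the first entry is used here.
   */
  public RdsIamAuthPlugin(Properties info) {
    this.host = info.getProperty("PGHOST", "").split(",")[0];
    this.port = Integer.parseInt(info.getProperty("PGPORT", "5432").split(",")[0]);
    this.user = info.getProperty("user", "");
  }

  @Override
  public char[] getPassword(AuthenticationRequestType type) throws PSQLException {
    if (host.isEmpty() || user.isEmpty()) {
      throw new PSQLException("host and user are required to mint an RDS IAM token",
          PSQLState.CONNECTION_REJECTED);
    }
    // The token is a signed request that RDS validates against IAM, so the server has to receive it in
    // the clear; refuse MD5/SCRAM requests rather than feed the token into a hash. Encryption on the wire
    // is the caller's job: connect with sslmode=verify-full so the token never travels unencrypted.
    if (type != AuthenticationRequestType.CLEARTEXT_PASSWORD) {
      throw new PSQLException("RDS IAM auth expects a cleartext password request, got " + type,
          PSQLState.CONNECTION_REJECTED);
    }
    Instant now = Instant.now();
    String key = host + ":" + port + ":" + user;
    try {
      Entry entry = CACHE.compute(key,
          (k, old) -> old != null && old.isFresh(now) ? old : new Entry(mint(), now));
      // Hand out a fresh copy: if the driver zeroes the array after use, the cached token must survive.
      return entry.token.toCharArray();
    } catch (SdkException e) {
      throw new PSQLException("could not mint RDS IAM auth token: " + e.getMessage(),
          PSQLState.CONNECTION_REJECTED, e);
    }
  }

  /** Mint a token with the SDK default chain (env vars, profile, container/instance role), like the MariaDB connector. */
  private String mint() {
    Region region = new DefaultAwsRegionProviderChain().getRegion();
    RdsUtilities rds = RdsUtilities.builder()
        .region(region)
        .credentialsProvider(DefaultCredentialsProvider.create())
        .build();
    return rds.generateAuthenticationToken(GenerateAuthenticationTokenRequest.builder()
        .hostname(host)
        .port(port)
        .username(user)
        .build());
  }
}
```

To use it, put the class on the classpath and leave `password` out of the URL, e.g. `jdbc:postgresql://mydb.cluster-example.us-east-1.rds.amazonaws.com:5432/app?user=app_iam&sslmode=verify-full&authenticationPluginClassName=example.RdsIamAuthPlugin` (hostname and user are constructed placeholders). On the database side the role needs `GRANT rds_iam TO app_iam;`, and the AWS principal running the client needs `rds-db:connect` on that DB user's resource ARN; without `sslmode=verify-full` the cleartext token would be exposed to anyone on the path, which is why the plugin above insists on it being the caller's setting.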

@davecramer (Member)

Shameless plug: https://github.com/awslabs/aws-advanced-jdbc-wrapper has the ability to do IAM authentication.

@ecki commented Nov 25, 2023

> shameless plug

Or this; it includes less code but depends on your SDK instead. But both do not yet provide an authenticatorFactory-compatible class.

https://github.com/magJ/iam-jdbc-driver
