Dynamic database credentials with RDS IAM DB authentication

[tokyowizard]

Bug report

Required System information

• Node.js version: v16
• NPM version: 8.5.0
• Strapi version: 4.2.2
• Database: PostgreSQL
• Operating system: Alpine
• Is your project Javascript or Typescript: Typescript

Describe the bug

Could Strapi include exposing the expirationChecker function in the database connection configuration?

We have an Amazon RDS for PostgreSQL instance for our Strapi database.
We would like to use IAM database authentication for PostgreSQL, where we can generate a password token that is good for 15 minutes to login to the database, instead using a fixed password.
Strapi is using Knex to connect to the database.
Knex has implemented an expirationChecker function to check if the token has expired. See also expirationChecker in the connection config: [1] [2]

Steps to reproduce the behavior

1. Be able to include expirationChecker in the connection parameters (or some setting) to be able to generate AWS IAM DB tokens to connect to the database.

Expected behavior

Be able to use AWS IAM DB authentication to generate a password token to update the password before connection.

Screenshots

N/A

Code snippets

N/A

Additional context

N/A

[Boegie19]

If I am correct the data inside the strapi db config is given directly to knex.

Aka this should already be posible but not documented

I am not sure since I did not test this.

[tokyowizard]

Thank you for the reply! Yes, it's working with IAM DB auth. 👍

[Boegie19]

Ticket needs to be moved to documentation since we should improve the documentation on this.

[joshuaellis]

Ticket needs to be moved to documentation since we should improve the documentation on this.

I can move it, can you explain in a couple of sentences what documentation improvements you're expecting please?

[Boegie19]

We need to document better that we give everything given to the database file is given to knex. and link to knex its documentation for it.
so that it is more clear what people that they can use all knex fetures

[evan-thinksync]

@tokyowizard Hello! I'm hoping for some help here please! I'm trying to implement the same approach using aws iam database auth for postgresql but it looks like knex requires a function as the database connection config in order to use the custom expirationChecker function. When I use a function for the strapi database connection config, I get an error on startup TypeError: Cannot read properties of undefined (reading 'schema') from this code block

How exactly were you able to get the expirationChecker behavior working? If possible, can you please include an example of the database connection config?

Thanks

[Boegie19]

@evan-thinksync TS config for this one is wrong. if you ignore the TS warning it should work.

[evan-thinksync]

@Boegie19 I'm new to js/ts, how would I ignore the TS warning inside of the strapi/database/lib/connection.js file?
return Object.assign(knexInstance, { getSchemaName() { return this.client.connectionSettings.schema; }, }); connectionSettings is undefined here when using a function for strapi's database.connection.connection config

[isxbot]

+1 for this documentation. I'm able to authenticate Strapi to the database with an IAM token, but content manager is inaccessible after the token expires. I get the same error as @evan-thinksync when I attempt to pass expirationChecker into the configuration.