RDS IAM Authentication Token Generator #1157
Comments
V2 auth module link: https://github.com/aws/aws-sdk-java-v2/tree/master/core/auth |
Closing this due to inactivity. Feel free to reopen if you have further questions. |
@zoewangg This issue is clearly not solved (and auto-closing after 12 days isn't very friendly) - can you reopen and assign to the right place please? In order to connect to an RDS instance that is using IAM auth, you need to generate an auth token (the cli provides Actually I don't see any parallel classes in the v2 Java SDK, which means that either they are hidden/undocumented somewhere (hence this ticket!) or else it isn't implemented (in which case we need a different ticket to ask for that to be implemented). At this point the only option appears to be translating the v1 docs for manually generating a token ("Manually Constructing an IAM Authentication Token" in the docs linked above) which is very cumbersome. |
As a general rule, we try to close an issue if there is no response from customers after 7 days to make sure we are on top of all issues; the issue list will grow uncontrollably if we leave all unresponsive issues open. You are always welcome to create new issues or comment on any issues. That said, thank you for your feedback and we might consider increasing the auto-closing period. Now that we have more information on this issue, we will take another look. |
Adding my +1 vote. This is a crucial piece of functionality missing from the new SDK. |
Transitioning to a feature request: "Support RdsIamAuthTokenGenerator equivalent in V2 of the Java SDK." This will be prioritized against other high-level libraries, but this doesn't look like a ton of effort to implement. It seems like there's a lot of overlap with the presigners task: #849 |
Would really love to see any documentation on doing this in v2. The manual construction is quite cumbersome and error-prone and this would make a lot of sense. |
+1 seems to be quite a popular and used function |
We worked around the lack of this, inspired by #868 and https://github.com/aws/aws-sdk-java/blob/master/aws-java-sdk-rds/src/main/java/com/amazonaws/services/rds/auth/RdsIamAuthTokenGenerator.java

```scala
package foo

import java.time.Instant
import software.amazon.awssdk.auth.credentials.AwsCredentials
import software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider
import software.amazon.awssdk.auth.signer.params.Aws4PresignerParams
import software.amazon.awssdk.regions.Region
import software.amazon.awssdk.auth.signer.Aws4Signer
import software.amazon.awssdk.http.SdkHttpFullRequest
import software.amazon.awssdk.http.SdkHttpMethod
import scala.concurrent.ExecutionContext
import scala.concurrent.Future

class RDSClient(implicit ec: ExecutionContext) {
  // We only support eu-west-1 for now. Move this out into a constructor param
  // if you need a different region.
  protected val region: Region = Region.EU_WEST_1

  /**
   * Create an authentication token for an RDS database
   * @param hostname hostname of the rds database
   * @param port port of the rds database
   * @param username username to authenticate as
   * @return Future of a temporary database password
   */
  def getAuthToken(hostname: String, port: Int, username: String): Future[String] =
    resolveDefaultCredentials.map({ credentials =>
      val params = Aws4PresignerParams
        .builder()
        .expirationTime(Instant.now.plusSeconds(15 * 60))
        .awsCredentials(credentials)
        .signingName("rds-db")
        .signingRegion(region)
        .build()
      val request = SdkHttpFullRequest
        .builder()
        .encodedPath("/")
        .host(hostname)
        .port(port)
        .protocol("http") // Will be stripped off; but we need to satisfy SdkHttpFullRequest
        .method(SdkHttpMethod.GET)
        .appendRawQueryParameter("Action", "connect")
        .appendRawQueryParameter("DBUser", username)
        .build()
      Aws4Signer.create().presign(request, params).getUri.toString.stripPrefix("http://")
    })

  // Resolve the default credentials. We wrap it in a Future, because the underlying call might result
  // in calls to AWS sts services, metadata services, etc and return god knows when.
  protected def resolveDefaultCredentials: Future[AwsCredentials] = Future {
    DefaultCredentialsProvider.create.resolveCredentials()
  }
}
```
|
I'd be happy to convert the above into a PR if you could tell me where you wanted the function to live. :) |
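As an added example (not code from the aws-sdk-java-v2 project or from anyone in this thread), here is the "manual construction" that an earlier comment calls cumbersome, written in Python so it runs without any SDK on the classpath. It does the same thing the Scala workaround above asks `Aws4Signer.presign` to do: SigV4 query-presign `GET /?Action=connect&DBUser=<user>` for the `rds-db` signing name with a 15-minute expiry and return the URL without its scheme. The host name, user, region, timestamp and the AWS documentation example key pair are constructed placeholders; `generate_db_auth_token` and `token_expires_at` are names chosen here, not SDK API.

```python
"""Manual construction of an RDS IAM authentication token (SigV4 query presigning).

Added example, not code from the aws-sdk-java-v2 project or from this thread.
All credentials, hosts and timestamps below are constructed placeholders.
"""
import datetime as dt
import hashlib
import hmac
import urllib.parse

SERVICE = "rds-db"           # signing name used by RDS IAM authentication
TOKEN_TTL_SECONDS = 15 * 60  # a token can only be used to log in for 15 minutes

# Constructed, fixed timestamp so the output is reproducible.
EXAMPLE_NOW = dt.datetime(2024, 1, 1, 12, 0, 0, tzinfo=dt.timezone.utc)


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def _signing_key(secret_key: str, date_stamp: str, region: str) -> bytes:
    """Derive the SigV4 signing key: HMAC chain over date, region, service, terminator."""
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, SERVICE)
    return _hmac_sha256(k_service, "aws4_request")


def _uri_encode(value: str) -> str:
    # SigV4 canonical encoding: only unreserved characters stay literal ("/" becomes %2F).
    return urllib.parse.quote(value, safe="-_.~")


def generate_db_auth_token(hostname, port, username, region, access_key, secret_key,
                           session_token=None, now=None):
    """Return a token usable as the database password for an IAM-authenticated RDS login."""
    now = now or dt.datetime.now(dt.timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = now.strftime("%Y%m%d")
    scope = f"{date_stamp}/{region}/{SERVICE}/aws4_request"
    host = f"{hostname}:{port}"

    params = {
        "Action": "connect",
        "DBUser": username,
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(TOKEN_TTL_SECONDS),
        "X-Amz-SignedHeaders": "host",
    }
    if session_token:  # temporary credentials (STS, instance roles) carry the session token too
        params["X-Amz-Security-Token"] = session_token

    # Canonical query string: parameters sorted by name, names and values URI-encoded.
    canonical_query = "&".join(f"{_uri_encode(k)}={_uri_encode(v)}"
                               for k, v in sorted(params.items()))
    canonical_request = "\n".join([
        "GET",
        "/",
        canonical_query,
        f"host:{host}\n",                 # canonical headers block, which ends with a newline
        "host",                           # signed headers
        hashlib.sha256(b"").hexdigest(),  # payload hash of the empty body
    ])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256",
        amz_date,
        scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    signature = hmac.new(_signing_key(secret_key, date_stamp, region),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    # The token is the presigned URL with its scheme stripped, as the v1 generator returns it.
    return f"{host}/?{canonical_query}&X-Amz-Signature={signature}"


def token_expires_at(token: str) -> dt.datetime:
    """Read X-Amz-Date and X-Amz-Expires back out of a token so a pool can refresh before expiry."""
    query = urllib.parse.parse_qs(token.split("?", 1)[1])
    issued = dt.datetime.strptime(query["X-Amz-Date"][0], "%Y%m%dT%H%M%SZ")
    issued = issued.replace(tzinfo=dt.timezone.utc)
    return issued + dt.timedelta(seconds=int(query["X-Amz-Expires"][0]))


if __name__ == "__main__":
    # Constructed placeholders: the AWS documentation example key pair and a fake host.
    token = generate_db_auth_token(
        "db.example.internal", 5432, "app_user", "eu-west-1",
        "AKIAIOSFODNN7EXAMPLE", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
        now=EXAMPLE_NOW,
    )
    print(token)
    print("usable for login until", token_expires_at(token).isoformat())
```

The token is handed to the driver as the password, so it belongs on a TLS-enforced connection only, and it should be kept out of connection-string logging like any other credential. `X-Amz-Expires` bounds when the token can be presented at login, not how long an established session lives; a connection pool that reconnects should call `generate_db_auth_token` again rather than cache the string, which is what `token_expires_at` is there to decide.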
@solvip Thanks for the code! We've gotten a lot of feedback on 1.11.x that it's hard to find functionality like this. If you create a PR, maybe some renames would make it easier to find it? S3 is our most fleshed-out service in V2 so far, so we can look to it for how we've handled discoverability so far. We have S3Utilities and S3Presigner. This actually seems closer to What do you think about creating a |
@millems I actually expected to find this as part of the RDSUtilities is fine if there's precedent for it in S3. I'll open a PR, thanks! |
We've actually talked about having an

```java
RdsClient client = Rds.client();
RdsAsyncClient asyncClient = Rds.asyncClient();
RdsClient client = Rds.clientBuilder().build();
RdsAsyncClient asyncClient = Rds.asyncClientBuilder().build();
RdsUtilities utilities = Rds.utilities();
RdsUtilities utilities = Rds.utilitiesBuilder().build();
```
|
Any progress on this? |
@millems I'm not sure if it would make sense to put this into the generic Rds client. Most of the RDS API functionality is "control plane" activity, whereas generating a password is more of a "data plane" activity (it's not actively accessing the database, but it's a prerequisite for doing that and only that). Most applications likely either access the RDS control plane XOR data plane. |
Any updates on this? This would be a very useful feature |
Sorry, no updates at this time. Please +1 the root issue to express support for it. That helps us with prioritization. |
Feature added via #2057, released in SDK version |
|
I'm trying to use V2 SDK for RDS to establish a JDBC connection to an RDS instance using IAM DB authentication. But the example in the tutorial uses the auth package in the V1 sdk. I don't see an equivalent package in the V2 RDS module. Would be great if someone could point me to the right place in V2 for doing the same. Thanks