Open md5 opened 2 years ago
Thanks for opening up an issue. We didn't have specific plans to add this (mainly because we hadn't considered it for aws-sdk-rails). I'm happy to mark this as a feature request and contributions are always welcome. What did you have in mind for supporting this feature? The Ruby SDK does have an abstraction for this - https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/RDS/AuthTokenGenerator.html
@mullermp I think since the tokens have a lifetime of 15 minutes, any implementation would need to be aware of that and would need to regenerate the token for new connections in the connection pool if the token has expired (or on a reconnect). The ActiveRecord internals for this don't seem particularly well-documented from what I could see, but I think it would probably need a wrapper adapter that knows about these details and delegates to the standard ActiveRecord adapter.
So in terms of a developer interface, I could imagine something like this (assuming that `DATABASE_URL` is providing the RDS hostname and database name):

```yaml
default: &default
  adapter: aws-rds-iam
  delegate_adapter: postgresql
  encoding: unicode
  sslmode: require
  pool: <%= ENV.fetch("RAILS_MAX_THREADS") { 5 } %>

production:
  <<: *default
  username: some_user
```

The `aws-rds-iam` adapter would supply the generated token to the PostgreSQL adapter in this case as the normal `password` setting.
Looking closer at `AuthTokenGenerator`, it's just creating a presigned request and has no dependencies on any outside services, so it seems like it could just blindly create a new token any time a password is needed without regard to whether any previous token has expired or not.
FWIW, there is a gem that enables RDS IAM authentication specifically for `pg` via monkey patching: https://github.com/haines/pg-aws_rds_iam
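The token handling discussed in this thread (a 15-minute token supplied as the delegate adapter's `password` for each new connection), as an added example that is not code from aws-sdk-rails, the AWS SDK or pg-aws_rds_iam. `IamPasswordConfig`, `FakeGenerator`, the 60-second refresh margin and the injected clock are assumptions made for illustration; the real generator would be an `Aws::RDS::AuthTokenGenerator` instance.

```ruby
# Added example; the class names, refresh margin and stand-in generator are assumptions.
TOKEN_LIFETIME = 15 * 60 # seconds, the token lifetime stated in the thread
TLS_MODES = %w[require verify-ca verify-full].freeze

# Builds the config handed to the delegate adapter each time a NEW connection is opened.
class IamPasswordConfig
  # generator: responds to auth_token(region:, endpoint:, user_name:), as
  # Aws::RDS::AuthTokenGenerator from the AWS SDK for Ruby does.
  def initialize(generator:, region:, clock: -> { Time.now.to_i }, refresh_margin: 60)
    @generator, @region, @clock, @refresh_margin = generator, region, clock, refresh_margin
    @tokens = {} # [endpoint, user] => [token, issued_at]
    @lock = Mutex.new
  end

  def resolve(config)
    # The token travels as the password, so refuse a config that could fall back to plaintext.
    raise ArgumentError, "sslmode must enforce TLS" unless TLS_MODES.include?(config[:sslmode].to_s)
    endpoint = "#{config.fetch(:host)}:#{config.fetch(:port, 5432)}"
    token = token_for(endpoint, config.fetch(:username))
    config.reject { |key, _| key == :delegate_adapter }
          .merge(adapter: config.fetch(:delegate_adapter), password: token)
  end

  private

  def token_for(endpoint, user)
    @lock.synchronize do
      token, issued_at = @tokens[[endpoint, user]]
      if token.nil? || @clock.call - issued_at >= TOKEN_LIFETIME - @refresh_margin
        token = @generator.auth_token(region: @region, endpoint: endpoint, user_name: user)
        @tokens[[endpoint, user]] = [token, @clock.call]
      end
      token
    end
  end
end

# Constructed stand-in so the example runs offline; it signs nothing.
class FakeGenerator
  attr_reader :calls
  def initialize
    @calls = 0
  end

  def auth_token(region:, endpoint:, user_name:)
    @calls += 1
    "constructed-token-#{@calls}-for-#{user_name}@#{endpoint}"
  end
end
```

Setting `refresh_margin` to `TOKEN_LIFETIME` gives the "blindly create a new token" behaviour, since every call then regenerates.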
Are there any plans for this gem to support RDS IAM Database Authentication?