aws / containers-roadmap

This is the public roadmap for AWS container services (ECS, ECR, Fargate, and EKS).
https://aws.amazon.com/about-aws/whats-new/containers/

[EKS] [request]: RDS IAM Proxy Sidecar injector to allow connecting to RDS from pods with IAM Roles instead of passwords #1508

Open reegnz opened 3 years ago

reegnz commented 3 years ago

Community Note

Tell us about your request What do you want us to build?

A Kubernetes sidecar similar to https://github.com/GoogleCloudPlatform/cloudsql-proxy that we can use together with the IAM Roles for Service Accounts feature to be able to connect to RDS databases transparently using IAM instead of RDS passwords. Ideally the sidecar could be injected with an annotation by a mutating admission controller.

Which service(s) is this request for? EKS, but such a proxy would also be useful outside kubernetes.

Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?

I want my applications running in EKS to connect to RDS without having to use static passwords. Since you can use AWS IAM to get a temporary DB auth token, it would make sense to build a database proxy that can do that for you transparently. You'd connect to the proxy on 127.0.0.1:5432, and the proxy authenticates to RDS and forwards all traffic to RDS after that.

I haven't encountered any solution yet that allows connecting to RDS from existing applications with IAM without modifying the application source code.

Are you currently working around this issue?

I'm thinking about writing the proxy and the admission controller myself, but even if that's the case it would be great if AWS would own the codebase.

reegnz commented 3 years ago

I've noticed that this project basically does almost the same thing I am requesting: https://github.com/mothership/rds-auth-proxy

The difference is that I'd run the client in a sidecar to each pod trying to access the DB.