crossplane-contrib / provider-sql

An SQL provider for @crossplane
https://crossplane.io
Apache License 2.0

Support RDS IAM authentication #106

Open dudicoco opened 2 years ago

dudicoco commented 2 years ago

Hi,

It seems that currently RDS IAM authentication for mysql/postgresql users is not possible with the provider.

Here are the official docs: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.DBAccounts.html

For mysql it is necessary to set AWSAuthenticationPlugin when creating the user.

For postgresql the user must be granted the rds_iam role.

This is possible with the Terraform providers: https://registry.terraform.io/providers/bangau1/mysql/latest/docs/resources/user https://registry.terraform.io/providers/cyrilgdn/postgresql/latest/docs/resources/postgresql_grant_role

ntdt commented 1 year ago

The rds_iam role could not be referenced because of the unauthorized character _ in the metadata.name, so it is impossible to grant the rds_iam membership to a new role.

apiVersion: postgresql.sql.crossplane.io/v1alpha1
kind: Role
metadata:
  name: rds_iam
spec:
  forProvider:
    privileges:
      login: false
      inherit: true

will fail with error

Role.postgresql.sql.crossplane.io "rds_iam" is invalid: metadata.name: Invalid value: "rds_iam": a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*')

AdamRussak commented 1 year ago

Hi, I want to add the AWSAuthenticationPlugin to MySQL.

Would someone be able to point me to / guide me? I'm good with Go but haven't contributed here yet :)

tenitski commented 2 months ago

This works for RDS IAM auth:

apiVersion: postgresql.sql.crossplane.io/v1alpha1
kind: ProviderConfig
metadata:
  name: default
spec:
  defaultDatabase: example
  sslMode: require
  credentials:
    source: PostgreSQLConnectionSecret
    connectionSecretRef:
      namespace: default
      name: example-secret
---
apiVersion: postgresql.sql.crossplane.io/v1alpha1
kind: Role
metadata:
  name: examplerole
  annotations:
    crossplane.io/external-name: "you_can_also_have_underscores_in_role_name"
spec:
  forProvider:
    privileges:
      login: true
---
apiVersion: postgresql.sql.crossplane.io/v1alpha1
kind: Grant
metadata:
  name: mainrole
spec:
  forProvider:
    memberOf: exampleuser
    roleRef:
      name: examplerole
---
apiVersion: postgresql.sql.crossplane.io/v1alpha1
kind: Grant
metadata:
  name: iamrole
spec:
  forProvider:
    memberOf: rds_iam
    roleRef:
      name: examplerole
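
Added example, not part of the thread or of the provider's code: Go code that applies the RFC 1123 rule quoted in the error above and renders a Role whose database name travels in the crossplane.io/external-name annotation, as in the last comment. `ObjectNameFor` and `RoleManifest` are hypothetical helpers, and `app_reader` is a constructed role name.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// RFC 1123 subdomain regex quoted in the API server error in this thread, anchored.
var rfc1123 = regexp.MustCompile(`^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$`)
var notAllowed = regexp.MustCompile(`[^a-z0-9.-]+`)

// ValidK8sName reports whether s is acceptable as metadata.name (253 characters at most).
func ValidK8sName(s string) bool {
	return len(s) <= 253 && rfc1123.MatchString(s)
}

// ObjectNameFor (hypothetical) derives metadata.name from a database role name; different role names can collide.
func ObjectNameFor(dbRole string) (string, error) {
	n := notAllowed.ReplaceAllString(strings.ToLower(dbRole), "-")
	n = strings.Trim(n, "-.")
	if !ValidK8sName(n) {
		return "", fmt.Errorf("cannot derive a valid object name from %q", dbRole)
	}
	return n, nil
}

// RoleManifest renders a Role; assumption from the thread: external-name carries the real database role name.
func RoleManifest(dbRole string) (string, error) {
	name, err := ObjectNameFor(dbRole)
	if err != nil {
		return "", err
	}
	return fmt.Sprintf(`apiVersion: postgresql.sql.crossplane.io/v1alpha1
kind: Role
metadata:
  name: %s
  annotations:
    crossplane.io/external-name: %q
spec:
  forProvider:
    privileges:
      login: true
`, name, dbRole), nil
}

func main() {
	fmt.Println(RoleManifest("app_reader")) // constructed sample role name
}
```

The built-in rds_iam role needs no Role object of its own; it is only named in a Grant's memberOf field, as the last manifest in the thread does.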