Currently we are using AWS secrets to get credentials to access the RDS database. The recommended security practice is to use temporary IAM tokens, which last only for 15 minutes.
See the following learning material: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.Connecting.AWSCLI.PostgreSQL.html
Note: as of today, there is no direct API in the Rust AWS SDK to generate IAM tokens. In theory, it should be possible to generate one via lower-level AWS SDK functions:
https://github.com/awslabs/aws-sdk-rust/issues/951
Note: the current implementation is not functional and should be replaced.
One alternative idea is to use the AWS CLI, but that would mean adding it to the API server Docker image: