The standard pattern for using sql.OpenDB with a service like AWS' RDS IAM Auth that requires real-time password refresh is to implement one's own driver.Connector - an interface from the standard database/sql/driver package. There's an example implementation given here. Basically, one can create a new pgdriver.Connector every time credentials are refreshed, and implement the two methods on driver.Connector by calling the same methods on pgdriver.Connector. Here's a sketch with error handling stripped out:
NewListener currently does a typecast to pgdriver.Driver and then uses the pgdriver.Connector from there for the lifetime of the listener.
The trouble with limiting oneself to pgdriver.Connector is that it doesn't get the credential refresh mentioned above. With RDS IAM Auth the password expires every 15 minutes and cannot be extended - a new password is needed. Later on, if reconnect tries to make a new connection using the db creds from the time of instantiation in NewListener, it will be stuck with a password that may have expired. Consider making use of an interface instead for what's stored in NewListener to allow the client to implement credential refresh. Alternatively, support just-in-time option modification like this to solve the same problem: https://github.com/jackc/pgx/issues/676.
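One way a client could implement the credential-refreshing driver.Connector described above, as an added example that is not part of the original issue or of pgdriver. RefreshingConnector, stubConnector and buildStub are hypothetical names, and the stub stands in for pgdriver.Connector so the code runs offline.

```go
package main

import (
	"context"
	"database/sql/driver"
	"fmt"
	"sync"
	"time"
)

// RefreshingConnector (hypothetical name) rebuilds the real connector once the cached
// password is older than MaxAge, so a reconnect never dials with an expired credential.
type RefreshingConnector struct {
	Token  func(ctx context.Context) (string, error) // e.g. mints an RDS IAM auth token
	Build  func(password string) driver.Connector    // e.g. wraps pgdriver.NewConnector
	MaxAge time.Duration                             // keep below the 15-minute expiry
	mu     sync.Mutex                                // guards inner and minted
	inner  driver.Connector
	minted time.Time
}

// Connect implements driver.Connector, refreshing the password when it is stale.
func (c *RefreshingConnector) Connect(ctx context.Context) (driver.Conn, error) {
	c.mu.Lock()
	if c.inner == nil || time.Since(c.minted) >= c.MaxAge {
		pw, err := c.Token(ctx)
		if err != nil {
			c.mu.Unlock()
			return nil, err // fail closed: never retry with the stale password
		}
		c.inner, c.minted = c.Build(pw), time.Now()
	}
	inner := c.inner
	c.mu.Unlock()
	return inner.Connect(ctx) // dial outside the lock
}

// Driver implements driver.Connector; it needs no credential, so none is minted.
func (c *RefreshingConnector) Driver() driver.Driver { return c.Build("").Driver() }
// stubConnector and buildStub are constructed stand-ins for pgdriver (offline runs only).
type stubConnector struct{ password string }
func (stubConnector) Connect(context.Context) (driver.Conn, error) { return nil, nil }
func (stubConnector) Driver() driver.Driver                        { return nil }
func buildStub(pw string) driver.Connector                         { return stubConnector{pw} }

func main() {
	tok := func(context.Context) (string, error) { return "constructed-token", nil }
	c := &RefreshingConnector{Token: tok, Build: buildStub, MaxAge: 10 * time.Minute}
	fmt.Println(c.Connect(context.Background()))
}
```

With a real driver, Build would return the driver's own connector configured with the fresh password, and the wrapper would be passed to sql.OpenDB.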