add support for AWS IAM authentication for postgres #1858
CLA Assistant Lite bot: All contributors have signed the CLA ✍️ ✅
I have read the CLA Document and I hereby sign the CLA
recheck
Thanks for the prompt feedback @josephschorr! I hid the AWS details behind the Can you let me know how this looks?
30cef58 to babf71c
9771f11 to 14cc2bb
@j-white please run
thanks @vroldanbet - de-lintified now if the checks pass, I'll rebase and squash the commits
@j-white another one, sorry it's annoying, you have to go and run
aab04ea to c98612b
🤞
thanks for the feedback, I'll work on adding support for MySQL next
MySQL support here: https://github.com/j-white/spicedb/compare/jw/aws-iam-auth...j-white:spicedb:jw/mysql-iam-auth?expand=1 Will open a separate PR once we get this one through.
@j-white sorry for the delayed review, it's been a slowish week with folks OoO, we'll get to this, thank you so much for the contribution!
Get(ctx context.Context, dbHostname string, dbPort uint16, dbUser string) (string, string, error) | ||
} | ||
|
||
var NoCredentialsProvider CredentialsProvider = nil |
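Review bot: Get returns two unnamed string results ahead of the error, so nothing in the signature tells a caller which value is which; name the results or add a doc comment on the method saying what each string carries. NoCredentialsProvider is an exported package-level var, which any importing package can reassign, so it also deserves a doc comment stating that it stands for "no provider configured" and is not meant to be changed.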
const (if it lets you)
no worky pkg/datastore/credentials.go:24:29: invalid constant type CredentialsProvider
return the NoCredentialsProvider (aka nil) when given an empty string
pkg/datastore/credentials.go
Outdated
// NewCredentialsProvider create a new CredentialsProvider for the given name | ||
// returns an error if no match is found, of if there is a problem creating the given CredentialsProvider | ||
func NewCredentialsProvider(ctx context.Context, name string) (CredentialsProvider, error) { | ||
if name == "" { |
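Review bot: The `if name == ""` branch at the top of NewCredentialsProvider makes an empty name a handled input, so an unset or accidentally blank flag value is accepted by the constructor instead of being rejected; check for the empty value at the call site and have this function return an error for every name it does not recognise. The doc comment above it also needs a fix: "of if" should read "or if", and it should start "creates".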
the default value for the cmd flag is "", so we treat this as a valid option and return the NoCredentialsProvider
I can add a comment to this effect, or take a different approach?
Ideally, the empty string is handled at the caller and NewCredentialsProvider is never called with an empty name
sounds good, will go with that then
LGTM
Here we add support for AWS IAM authentication for the postgres datastore
This fixes #659
Verified this works in two different cases:
- datastore migrate head command via shell with SSO authentication
- serve command on ECS (Fargate) with a task role that has the rds-db:connect permission

In each case we're able to load the AWS credentials, generate an IAM token for the DB and authenticate successfully
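
The provider selection the review thread settles on (empty flag value handled by the caller, constructor rejecting any name it does not know), as an added Go example that is not the PR's code. `fakeTokenProvider`, the `fake-token` name, `providerFromFlag` and `resolve` are hypothetical, and reading the two strings returned by `Get` as username and password is an assumption.

```go
package main

import (
	"context"
	"fmt"
)

// CredentialsProvider uses the Get signature visible in the diff; reading the
// two strings as (username, password) is an assumption of this example.
type CredentialsProvider interface {
	Get(ctx context.Context, dbHostname string, dbPort uint16, dbUser string) (string, string, error)
}

// An interface value cannot be a Go constant, so this stays a var.
var NoCredentialsProvider CredentialsProvider = nil

// fakeTokenProvider is a hypothetical stand-in for a token-issuing provider.
type fakeTokenProvider struct{}

func (fakeTokenProvider) Get(_ context.Context, host string, port uint16, user string) (string, string, error) {
	return user, fmt.Sprintf("token:%s:%d:%s", host, port, user), nil // constructed format, not a real IAM token
}

// NewCredentialsProvider fails closed: unknown names, including "", are errors.
func NewCredentialsProvider(_ context.Context, name string) (CredentialsProvider, error) {
	if name == "fake-token" { // hypothetical provider name
		return fakeTokenProvider{}, nil
	}
	return nil, fmt.Errorf("unknown credentials provider: %q", name)
}

// providerFromFlag handles the flag's "" default at the caller.
func providerFromFlag(ctx context.Context, flagValue string) (CredentialsProvider, error) {
	if flagValue == "" {
		return NoCredentialsProvider, nil
	}
	return NewCredentialsProvider(ctx, flagValue)
}

// resolve picks the credentials for one new connection.
func resolve(ctx context.Context, p CredentialsProvider, host string, port uint16, user, staticPw string) (string, string, error) {
	if p == nil {
		return user, staticPw, nil // no provider: use the configured password
	}
	return p.Get(ctx, host, port, user)
}

func main() {
	fmt.Println(providerFromFlag(context.Background(), "aws-iam-typo")) // <nil> and an error
}
```

A misspelled provider name stops startup with an error instead of quietly falling back to the static password.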