add support for AWS IAM authentication for postgres #1858
Conversation
github-actions
bot
added
area/CLI
|
CLA Assistant Lite bot All contributors have signed the CLA ✍️ ✅ |
|
I have read the CLA Document and I hereby sign the CLA |
|
recheck |
|
Thanks for the prompt feedback @josephschorr! I hid the AWS details behind the Can you let me know how this looks? |
j-white
force-pushed
the
jw/aws-iam-auth
branch
from
30cef58
to
babf71c
Compare
github-actions
bot
added
the
area/tooling
j-white
force-pushed
the
jw/aws-iam-auth
branch
from
9771f11
to
14cc2bb
Compare
|
@j-white please run |
|
thanks @vroldanbet - de-lintified now if the checks pass, I'll rebase and squash the commits |
|
@j-white another one, sorry it's annoying, you have to go and run |
j-white
force-pushed
the
jw/aws-iam-auth
branch
from
aab04ea
to
c98612b
Compare
|
🤞 |
|
thanks for the feedback, I'll work on adding support for MySQL next |
MySQL support here: https://github.com/j-white/spicedb/compare/jw/aws-iam-auth...j-white:spicedb:jw/mysql-iam-auth?expand=1 Will open a separate PR once we get this one through. |
|
@j-white sorry for the delayed review, it's been a slowish week with folks OoO, we'll get to this, thank you so much for the contribution! |
| Get(ctx context.Context, dbHostname string, dbPort uint16, dbUser string) (string, string, error) | ||
| } | ||
|
|
||
| var NoCredentialsProvider CredentialsProvider = nil |
There was a problem hiding this comment.
no worky pkg/datastore/credentials.go:24:29: invalid constant type CredentialsProvider
return the NoCredentialsProvider (aka nil) when given a empty string
pkg/datastore/credentials.go
Outdated
| // NewCredentialsProvider create a new CredentialsProvider for the given name | ||
| // returns an error if no match is found, of if there is a problem creating the given CredentialsProvider | ||
| func NewCredentialsProvider(ctx context.Context, name string) (CredentialsProvider, error) { | ||
| if name == "" { |
There was a problem hiding this comment.
the default value for the cmd flag is "", so we treat this as a valid option and return the NoCredentialsProvider
I can add a comment to this effect, or take a different approach?
There was a problem hiding this comment.
Ideally, the empty string is handled at the caller and NewCredentialsProvider is never called with an empty name
There was a problem hiding this comment.
sounds good, will go with that then
Here we add support for AWS IAM authentication for the postgres datastore
This fixes #659
Verified this works in two different cases:
datastore migrate headcommand via shell with SSO authenticationservecommand on ECS (Fargate) with a task role that has therds-db:connectpermissionIn each case we're able to load the AWS credentials, generate an IAM token for the DB and authenticate successfully