Cloud iam auth

[KlausVii]

RFC for adding cloud provider auth to openfga

References

openfga/openfga#870

Review Checklist

• I have clicked on "allow edits by maintainers".
• I have added documentation for new/changed functionality in this PR or in a PR to openfga.dev [Provide a link to any relevant PRs in the references section above]
• The correct base branch is being used, if not main
• I have added tests to validate that the change in functionality is working as expected

[jon-whit]

go-cloud does support AWS RDS. This issue is outdated and has since been closed.

See https://gocloud.dev/howto/sql/#aws

[KlausVii]

There some support for RDS, but it is not complete (see my other comment), final comment on the issue also implied that they did not intend to add the IAM auth

[jon-whit]

As a maintainer team we're worried about introducing these cloud specific database connection functionalities in OpenFGA, because it will be cumbersome to manage. Depending on more of a community driven and community based standard for this functionality would be preferable as it allows our maintainer team to leverage a larger community to help evolve and maintain these cloud IAM mechanisms.

For this reason, we'd like to see an exploration of the go-cloud CDK (mentioned in the Prior Art section below) before we proceed forward. Specifically,

• Are there features/functionalities that the Go Cloud CDK does not address that are pertinent to the usage patterns for these proprietary cloud IAM protocols? If so, what are the limitations? For example, can you use the assumed role functionality of AWS IAM etc..

• Does the usage of the cloud specific sql providers in the Go Cloud CDK necessitate a specific underlying driver (e.g. pgx, pql, etc..)? Or can you bring your own driver?

  From the looks of it you can use whatever underlying driver you want (see https://github.com/google/go-cloud/blob/master/samples/guestbook/wire_gen.go#L16C34-L16C34 as an example). But this needs to be confirmed.

If you'd be willing to help with this discovery @KlausVii we'd really appreciate it. If not though, our next step as a maintainer team is to do some more discovery with the go-cloud SDK and see how it works for this use case.

We have used the go-cloud SDK elsewhere and have had positive experiences with it, so we at least have some confidence in it as a potential solution.

[KlausVii]

The one feature missing from go-cloud is fetching the authentication token from AWS, which is used as the password for your db connection. The issue this causes is that the token is only valid for 15min and if it is not refreshed, new connections will fail after the token expires.

I dug through the go-cloud source code , and could not find any code for retrieving this token. They seem to only inject some certificates for the AWS connection and expect the user to provide the password (which will expire if not refreshed) at initialisation.

This is why the extra work is required for the AWS IAM auth.

As to using go-cloud as at the underlying db driver for all the implantations, that should work just fine, it just does not provide a full end to end solution for AWS like it does GCP (might be a bit of google bias given its a google library).

Do let me know if I missed something with go-cloud, happy to be proven wrong.

As far as the maintenance burden, it should not be too high. The auth token just needs be fetched, injected, and refreshed close to expiry; this amounts to about 80 LoC to keep up to date, and I imagine the AWS side will remain very stable.

My draft implementation is about an evening's of work away from completion, so if I've somewhat convinced you, I'd be happy get into shape and open up a PR to show what this whole thing would look like.

[dmunch]

Nice work! Has there been any progress on adopting this? Eliminating passwords from connection strings is such a crucial task - it seems surprising to me that this isn't more of a priority for a component central to authorization!

[KlausVii]

I just discovered that spiceDB has also implemented this for postgres and mysql

@jon-whit is openFGA still considering this?