Using AWS IAM database authentication #1263

rohittak16 opened this issue May 17, 2022 · 1 comment
@rohittak16

I am using IAM database authentication

Connecting to the database using an IAM role works by creating a token via the AWS API, which is valid for 15 mins, but the Rails database.yml gets cached and will not be evaluated again for a new connection (which may fail after 15 min).
What would be the best way to get IAM database authentication working?

@floor114

@rohittak16 Have you found a working solution? I’m trying to add IAM database authentication as well.

matt-domsch-sp added a commit to matt-domsch-sp/mysql2 that referenced this issue Nov 10, 2024
This adds AWS IAM authentication as a replacement for defining a
password in the configuration.

When the configuration option :use_iam_credentials = true, an
authentication token (password) will be fetched from IAM and cached
for the next 14 minutes (tokens expire in 15 minutes).  These can then
be reused by all new connections until it expires, at which point a
new token will be fetched when next needed.

To allow for multiple Mysql2::Client configurations to multiple
servers, the cache is keyed by database username, host name, port, and
region.

Two new configuration options are necessary:
- :use_iam_credentials = true
- :host_region is a string region name, e.g. 'us-east-1'.  If not set,
  ENV['AWS_REGION'] will be used.  If this is not present,
  authentication will fail.

As prerequisites, you must enable IAM authentication on the RDS
instance, create an IAM policy, attach the policy to the target IAM
user or role, create the database user set to use the AWS
Authentication Plugin, and then run your ruby code using that user or
role.  See
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.Connecting.html
for details on these steps.
matt-domsch-sp added a commit to matt-domsch-sp/mysql2 that referenced this issue Nov 11, 2024
This adds AWS IAM authentication as a replacement for defining a
password in the configuration.

When the configuration option :use_iam_authentication = true, an
authentication token (password) will be fetched from IAM and cached
for the next 14 minutes (tokens expire in 15 minutes).  These can then
be reused by all new connections until it expires, at which point a
new token will be fetched when next needed.

To allow for multiple Mysql2::Client configurations to multiple
servers, the cache is keyed by database username, host name, port, and
region.

Two new configuration options are necessary:
- :use_iam_credentials = true
- :host_region is a string region name, e.g. 'us-east-1'.  If not set,
  ENV['AWS_REGION'] will be used.  If this is not present,
  authentication will fail.

As prerequisites, you must enable IAM authentication on the RDS
instance, create an IAM policy, attach the policy to the target IAM
user or role, create the database user set to use the AWS
Authentication Plugin, and then run your ruby code using that user or
role.  See
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.Connecting.html
for details on these steps.

You must include the aws-sdk-rds gem in your bundle to use this feature.
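
The caching scheme the commit message describes (one token per database username, host name, port and region, reused for 14 minutes and fetched again when next needed) is sketched below as an added example; it is not the code from the referenced commit. `IamTokenCache`, its `fetcher` and `clock` parameters, and the host names are hypothetical, and the fetcher is a fake so the example runs without AWS access.

```ruby
# Added illustration; IamTokenCache, fetcher and clock are hypothetical names.
class IamTokenCache
  CACHE_TTL = 14 * 60 # seconds; tokens expire after 15 minutes, so keep a margin
  Entry = Struct.new(:token, :fetched_at)

  # fetcher: callable(user, host, port, region) returning a token string. In
  # production it would wrap Aws::RDS::AuthTokenGenerator#auth_token (aws-sdk-rds).
  # clock: callable returning seconds, injectable so expiry can be exercised.
  def initialize(fetcher:, clock: -> { Process.clock_gettime(Process::CLOCK_MONOTONIC) })
    @fetcher = fetcher
    @clock = clock
    @entries = {}
    @lock = Mutex.new # connections may be opened from several threads
  end

  def token_for(user:, host:, port: 3306, region: ENV['AWS_REGION'])
    raise ArgumentError, 'no region given and AWS_REGION is unset' if region.to_s.empty?

    key = [user, host, port, region].freeze
    @lock.synchronize do
      now = @clock.call
      entry = @entries[key]
      if entry.nil? || now - entry.fetched_at >= CACHE_TTL
        entry = @entries[key] = Entry.new(@fetcher.call(user, host, port, region), now)
      end
      entry.token # a credential: keep it in memory only, never log it
    end
  end
end

# Constructed demo: a counting fake fetcher stands in for the AWS call.
def demo_iam_token_cache
  now = 0
  calls = 0
  fetcher = lambda do |user, host, port, region|
    calls += 1
    "token-#{calls}-#{user}@#{host}:#{port}/#{region}"
  end
  cache = IamTokenCache.new(fetcher: fetcher, clock: -> { now })
  db1 = { user: 'app', host: 'db1.example.internal', region: 'us-east-1' }
  first = cache.token_for(**db1)
  now = 13 * 60
  reused = cache.token_for(**db1) # inside the 14-minute window
  other = cache.token_for(**db1.merge(host: 'db2.example.internal')) # new key
  now = 14 * 60
  fresh = cache.token_for(**db1) # window elapsed, fetched again
  { first: first, reused: reused, other: other, fresh: fresh, calls: calls }
end
```

A cached token only matters for new connections: an already established session stays authenticated after the token that opened it has expired.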