iam database auth
Michael J Burling edited this page Aug 20, 2024
·
7 revisions
- ability to create an initial MFA-enabled AWS session, from which short-lived IAM database auth tokens for the RDS cluster are then generated
- aws client
- MFA
- aws-vault
- postgresql client
- The following snippets are written in bash
- Some of the following snippets assume that your interactive shell is ZSH: they append to `~/.zshrc` (adjust the path if you use bash or another shell)
- The aws-vault configuration assumes the older convention of naming the MFA device after the IAM user (`arn:aws:iam::<account-id>:mfa/<CMS_EUA_ID>`); if your device has a different name, edit `mfa_serial` in `~/.aws/config` accordingly
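#!/usr/bin/env bash
# Bootstrap ~/.aws/config for IAM database auth.
#   1. Records the CMS EUA ID in ~/.zshrc (later used as the RDS user name and
#      as the role session name).
#   2. Resolves the AWS account ID from whatever credentials are active right now.
#   3. Writes a [default] profile whose credentials come from aws-vault (credential
#      set "bfd") plus one role-assuming profile per environment (test, prod-sbx, prod).
# Requires: aws CLI, aws-vault with a "bfd" credential set already stored
# (presumably via `aws-vault add bfd` -- confirm), and credentials that let
# `aws sts get-caller-identity` succeed at the time this runs (the config written
# here does not exist yet on a first run, so they must come from elsewhere).
set -euo pipefail

read -r -p "Enter your CMS EUA ID: " CMS_EUA_ID
# The ID is interpolated into ARNs and into ~/.zshrc; restrict it to the character
# set IAM allows for user / MFA-device names so it cannot inject shell or config text.
if [[ ! "${CMS_EUA_ID}" =~ ^[A-Za-z0-9+=,.@_-]+$ ]]; then
  printf 'Invalid CMS EUA ID: %q\n' "${CMS_EUA_ID}" >&2
  exit 1
fi

# Persist the ID once: re-running the script must not stack duplicate export lines.
export_line="export CMS_EUA_ID=${CMS_EUA_ID}"
if ! grep -qxF -- "${export_line}" "${HOME}/.zshrc" 2>/dev/null; then
  printf '%s\n' "${export_line}" >> "${HOME}/.zshrc"
fi

# Fail loudly instead of silently writing nothing when the account cannot be resolved.
if ! AWS_ACCOUNT_ID="$(aws sts get-caller-identity --query 'Account' --output text)"; then
  printf 'Could not determine the AWS account ID (aws sts get-caller-identity failed); %s left untouched.\n' \
    "${HOME}/.aws/config" >&2
  exit 1
fi

aws_dir="${HOME}/.aws"
config="${aws_dir}/config"
mkdir -p "${aws_dir}"

# The heredoc below replaces the whole file, so any pre-existing profiles would be
# lost; keep a timestamped copy the user can merge back by hand.
if [[ -f "${config}" ]]; then
  backup="${config}.bak.$(date +%Y%m%dT%H%M%S)"
  cp -p -- "${config}" "${backup}"
  printf 'Existing %s backed up to %s\n' "${config}" "${backup}" >&2
fi

# Create the file 0600. It holds no secrets (aws-vault keeps those) but it does
# name the account, roles and MFA device, which need not be world-readable.
(
  umask 077
  cat << EOF > "${config}"
[default]
credential_process=aws-vault --prompt=osascript export --format=json bfd
mfa_serial=arn:aws:iam::${AWS_ACCOUNT_ID}:mfa/${CMS_EUA_ID}
region=us-east-1
cli_pager=
[profile bfd]
[profile test-rds]
role_arn=arn:aws:iam::${AWS_ACCOUNT_ID}:role/bfd-fhirdb-test-auth
role_session_name=${CMS_EUA_ID}
source_profile=bfd
[profile prod-sbx-rds]
role_arn=arn:aws:iam::${AWS_ACCOUNT_ID}:role/bfd-fhirdb-prod-sbx-auth
role_session_name=${CMS_EUA_ID}
source_profile=bfd
[profile prod-rds]
role_arn=arn:aws:iam::${AWS_ACCOUNT_ID}:role/bfd-fhirdb-prod-auth
role_session_name=${CMS_EUA_ID}
source_profile=bfd
EOF
)
printf 'Wrote %s\n' "${config}"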
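#!/usr/bin/env bash
# Installs the RDS CA trust bundle and appends an `rds-sql` helper to ~/.zshrc.
# Requires: curl now; at the time rds-sql is called, the aws CLI, aws-vault, a
# CMS_EUA_ID variable in the environment (the previous snippet exports it from
# ~/.zshrc) and an aws-vault profile named "<ENV>-rds" for each environment.
set -euo pipefail

config_dir="${HOME}/.config"
bundle="${config_dir}/global-bundle.pem"
echo "Storing latest RDS Global Bundle at ${bundle}"
mkdir -p "${config_dir}"

# Download into a temp file and rename only after it looks like a PEM bundle, so a
# failed or partial transfer can never replace a good trust anchor.
#   --fail:           an HTTP error page must not be written out as the .pem
#                     (verify-full would later fail with a confusing message).
#   --proto '=https': never fetch the trust anchor over plain HTTP.
tmp_bundle="$(mktemp "${bundle}.XXXXXX")"
trap 'rm -f -- "${tmp_bundle}"' EXIT
curl --fail --silent --show-error --proto '=https' \
  -o "${tmp_bundle}" https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem
if ! grep -q 'BEGIN CERTIFICATE' "${tmp_bundle}"; then
  echo "Downloaded file does not look like a PEM bundle; keeping the old ${bundle} (if any)" >&2
  exit 1
fi
mv -- "${tmp_bundle}" "${bundle}"

# Append the helper once; re-running the script must not define it twice.
if grep -q '^function rds-sql' "${HOME}/.zshrc" 2>/dev/null; then
  echo "rds-sql is already defined in ${HOME}/.zshrc; not appending a second copy" >&2
  exit 0
fi

## Requires CMS_EUA_ID is defined, and can easily reside in e.g. the user's .zshrc, as below
cat <<"EOF" >> "${HOME}/.zshrc"
# rds-sql ENV [writer]
#   Points the libpq PG* variables at the Aurora cluster "bfd-ENV-aurora-cluster"
#   and exports a freshly minted IAM auth token as PGPASSWORD, so a plain `psql`
#   afterwards connects with TLS verification (verify-full against the RDS bundle).
#   Uses the cluster reader endpoint unless the second argument is "writer".
#   The cluster lookup runs under the default AWS profile; the token is minted
#   under the aws-vault profile "ENV-rds".
#   NOTE: the token lands in the shell environment, where every child process can
#   read it; it is short-lived (AWS documents ~15 minutes -- confirm) and each call
#   replaces it. Prefer this over pasting tokens into psql command lines.
function rds-sql {
  local endpoint_query
  if [ "$1" = "" ]; then
    echo 'Empty positional environment argument $1' >&2
    echo 'Try again with an environment, e.g. `rds-sql test`' >&2
    return 1
  fi
  if [ "$2" = "writer" ]; then
    echo '**WARNING** Using the writer endpoint. Please be careful.'
    endpoint_query="DBClusters[].Endpoint"
  else
    echo 'Defaulting to cluster reader endpoint.'
    endpoint_query="DBClusters[].ReaderEndpoint"
  fi
  # Start from a clean slate so a failed run cannot leave a stale host/token pair behind.
  unset BFD_ENV PGHOST PGPORT PGUSER PGPASSWORD PGDATABASE PGSSLROOTCERT PGSSLMODE PGGSSENCMODE
  BFD_ENV="$1"
  PGHOST="$(aws rds describe-db-clusters --query "${endpoint_query}" --db-cluster-identifier "bfd-${BFD_ENV}-aurora-cluster" --output text)"
  # With --output text a missing value prints as empty or "None"; refuse to mint a
  # token for a hostname we did not actually resolve.
  if [ "$PGHOST" = "" ] || [ "$PGHOST" = "None" ]; then
    echo "Could not resolve an endpoint for cluster bfd-${BFD_ENV}-aurora-cluster" >&2
    return 1
  fi
  PGPORT=5432
  PGUSER="$CMS_EUA_ID"
  PGDATABASE=fhirdb
  PGSSLROOTCERT="${HOME}/.config/global-bundle.pem"
  PGSSLMODE=verify-full
  PGGSSENCMODE=disable
  if PGPASSWORD="$(aws-vault exec "${BFD_ENV}-rds" -- aws rds generate-db-auth-token --hostname "$PGHOST" --port "$PGPORT" --username "$PGUSER")"; then
    export BFD_ENV PGHOST PGPORT PGUSER PGPASSWORD PGDATABASE PGSSLROOTCERT PGSSLMODE PGGSSENCMODE
    echo "Environment Variables Set for ${PGHOST}"
    return 0
  else
    echo 'Something went wrong.' >&2
    return 1
  fi
}
EOF
echo "Appended rds-sql to ${HOME}/.zshrc; open a new shell (or source it) to use it."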