RDS IAM Database Authentication #80

Open
md5 opened this issue May 13, 2022 · 4 comments
Labels
feature-request A feature should be added or improved. p3 This is a minor priority issue

Comments


md5 commented May 13, 2022

Are there any plans for this gem to support RDS IAM Database Authentication?

Contributor

mullermp commented May 13, 2022

Thanks for opening up an issue. We didn't have specific plans to add this (mainly because we hadn't considered it for aws-sdk-rails). I'm happy to mark this as a feature request and contributions are always welcome. What did you have in mind for supporting this feature? The Ruby SDK does have an abstraction for this - https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/RDS/AuthTokenGenerator.html

@mullermp mullermp added the feature-request A feature should be added or improved. label May 13, 2022
Author

md5 commented May 13, 2022

@mullermp I think since the tokens have a lifetime of 15 minutes, any implementation would need to be aware of that and would need to regenerate the token for new connections in the connection pool if the token has expired (or on a reconnect). The ActiveRecord internals for this don't seem particularly well-documented from what I could see, but I think it would probably need a wrapper adapter that knows about these details and delegates to the standard ActiveRecord adapter.

So in terms of a developer interface, I could imagine something like this (assuming that DATABASE_URL is providing the RDS hostname and database name):

```yaml
default: &default
  adapter: aws-rds-iam
  delegate_adapter: postgresql
  encoding: unicode
  sslmode: require
  pool: <%= ENV.fetch("RAILS_MAX_THREADS") { 5 } %>

production:
  <<: *default
  username: some_user
```

The aws-rds-iam adapter would supply the generated token to the PostgreSQL adapter in this case as the normal password setting.

Author

md5 commented May 13, 2022

Looking closer at AuthTokenGenerator, it's just creating a presigned request and has no dependencies on any outside services, so it seems like it could just blindly create a new token any time a password is needed without regard to whether any previous token has expired or not.
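
Added example (not part of the thread and not the SDK's code): a sketch that follows the SigV4 query-presigning steps using only Ruby's OpenSSL, to show that an RDS IAM token is computed locally and can be regenerated for every new pool connection. The helper names, sample endpoint and credentials are constructed, and it assumes long-term credentials without a session token.

```ruby
require "openssl"

# SigV4 URI encoding: percent-encode everything except unreserved characters.
def sigv4_escape(value)
  value.to_s.gsub(/[^A-Za-z0-9\-_.~]/) { |c| c.bytes.map { |b| format("%%%02X", b) }.join }
end

# Hypothetical helper, not the SDK's API. Assumes long-term credentials
# (no session token) and an endpoint given as "host:port".
def rds_iam_token(endpoint:, region:, user:, access_key_id:, secret_access_key:,
                  now: Time.now, expires_in: 900)
  stamp = now.utc.strftime("%Y%m%dT%H%M%SZ")
  date  = stamp[0, 8]
  scope = "#{date}/#{region}/rds-db/aws4_request"
  params = {
    "Action" => "connect",
    "DBUser" => user,
    "X-Amz-Algorithm" => "AWS4-HMAC-SHA256",
    "X-Amz-Credential" => "#{access_key_id}/#{scope}",
    "X-Amz-Date" => stamp,
    "X-Amz-Expires" => expires_in, # 900 s = the 15-minute lifetime
    "X-Amz-SignedHeaders" => "host"
  }
  query = params.sort.map { |k, v| "#{sigv4_escape(k)}=#{sigv4_escape(v)}" }.join("&")
  empty_hash = OpenSSL::Digest::SHA256.hexdigest("")
  canonical = ["GET", "/", query, "host:#{endpoint}\n", "host", empty_hash].join("\n")
  to_sign = ["AWS4-HMAC-SHA256", stamp, scope,
             OpenSSL::Digest::SHA256.hexdigest(canonical)].join("\n")
  # Key derivation is a chain of local HMACs; nothing here touches the network.
  key = [date, region, "rds-db", "aws4_request"]
        .reduce("AWS4#{secret_access_key}") { |k, part| OpenSSL::HMAC.digest("SHA256", k, part) }
  signature = OpenSSL::HMAC.hexdigest("SHA256", key, to_sign)
  "#{endpoint}/?#{query}&X-Amz-Signature=#{signature}"
end

# Constructed sample values; not real credentials or hosts.
SAMPLE = {
  endpoint: "db.example.us-east-1.rds.amazonaws.com:5432", region: "us-east-1",
  user: "some_user", access_key_id: "AKIDEXAMPLE", secret_access_key: "constructed-secret"
}.freeze

# What a wrapper adapter would call for every new pool connection.
def password_for_new_connection(now: Time.now)
  rds_iam_token(**SAMPLE, now: now)
end
```

In an application, `Aws::RDS::AuthTokenGenerator` from the SDK should produce the token; the sketch only makes the local computation visible.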

Author

md5 commented Sep 27, 2022

FWIW, there is a gem that enables RDS IAM authentication specifically for pg via monkey patching: https://github.com/haines/pg-aws_rds_iam

@RanVaknin RanVaknin added the p3 This is a minor priority issue label Jul 31, 2024