
Enable AWS IAM authentication for the init method #4

Open
nmaynes opened this issue Jan 14, 2021 · 4 comments

Comments


nmaynes commented Jan 14, 2021

Enable the regresql init method to work with AWS IAM authentication. I'm not sure what the best method would be, but a flag to use IAM may be appropriate. Then a function similar to the following could be used to generate the necessary tokens.

package main

import (
	"database/sql"
	"fmt"

	"github.com/aws/aws-sdk-go/aws/credentials"
	"github.com/aws/aws-sdk-go/service/rds/rdsutils"
	_ "github.com/lib/pq"
)

func main() {
	dbName := "app"
	dbUser := "jane_doe"
	dbHost := "mydb.123456789012.us-east-1.rds.amazonaws.com"
	dbPort := 5432
	dbEndpoint := fmt.Sprintf("%s:%d", dbHost, dbPort)
	region := "us-east-1"

	// Credentials are read from AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY
	// (and AWS_SESSION_TOKEN); the IAM principal needs rds-db:connect
	// for this database user.
	creds := credentials.NewEnvCredentials()
	// The token is a short-lived SigV4 presigned request that is sent in
	// place of a password; it is valid for 15 minutes and must be
	// regenerated for connections opened after that.
	authToken, err := rdsutils.BuildAuthToken(dbEndpoint, region, dbUser, creds)
	if err != nil {
		panic(err)
	}

	// lib/pq defaults to sslmode=require, which encrypts the session but
	// does not verify the server certificate; IAM authentication needs
	// SSL, so add sslmode=verify-full plus sslrootcert to check the CA.
	dsn := fmt.Sprintf("host=%s port=%d user=%s password=%s dbname=%s",
		dbHost, dbPort, dbUser, authToken, dbName,
	)

	db, err := sql.Open("postgres", dsn)
	if err != nil {
		panic(err)
	}

	err = db.Ping()
	if err != nil {
		panic(err)
	}
}

See the AWS IAM docs for more details on handling connections.

Author

nmaynes commented Jan 14, 2021

Tried to utilize this tool for some scripts and found lack of IAM support to be a blocker. Not sure how many people would need this functionality and in time I may be able to submit a PR for it. Wanted to get an issue up to start discussion. Thanks!

Contributor

Qu4tro commented Jan 19, 2021

Quick question @nmaynes,

Could the same result be achieved by supporting PGPASSWORD or .pgpass and running something akin to:
PGPASSWORD="$(aws rds generate-db-auth-token --hostname {db or cluster endpoint} --port 3306 --username {db username})" regresql ...

I understand the redundancy, but I feel like if these were available, a small wrapper script (which could source data from the .yaml), would suffice.

Author

nmaynes commented Jan 19, 2021

I did a bit of digging this weekend to figure out how it could be handled. I think the PGPASSWORD environment variable could work but did not get a working example locally. My attempts were probably insufficient since I am not sure I escaped the token that got returned correctly.

The AWS Go SDK docs appear to be out of date for requesting an RDS token, which has made the process a little trickier than I thought. In their GitHub repo they have an example to request an IAM token that looks for multiple environment variables but not PGPASSWORD.

iam_authentication <region> <db user> <db name> <endpoint to database> <iam arn>

Author

nmaynes commented Jan 20, 2021

I took some time to see if I could get the PGPASSWORD approach to work. I tried to use a strings.Builder object. Hopefully the sample below conveys my approach.

package main

import (
	"fmt"
	"strings"
)

// buildDSN assembles a libpq key/value connection string; the password
// placeholder stands in for the IAM token held in PGPASSWORD.
func buildDSN() string {
	var postgresConnection strings.Builder
	postgresConnection.WriteString(
		fmt.Sprintf("user=%s dbname=%s sslmode=verify-full port=%s host=%s password=%s",
			"username",
			"databasename",
			"5432",
			"host-name.amazonaws.com",
			"PGPASSWORD VALUE"))

	// verify-full validates the server certificate against sslrootcert
	// (or the system roots), so the RDS CA bundle must be supplied.
	pguri := postgresConnection.String()
	return pguri
}

I ran into a problem with adding the SSL flag and certificate to the string. I could not get it to work. I took a look at one approach but realized my Go abilities need to be a bit stronger to make the changes to this module.
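The PGPASSWORD approach suggested above and the question of escaping the returned token both come down to how the token is placed into the connection string. The following is an added example, not regresql's code nor any commenter's: it shows the two DSN forms lib/pq accepts, quoting the token for the key=value form and percent-encoding it for the URI form, with a constructed token and an assumed CA path (/etc/ssl/rds-ca.pem).

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// quoteLibpqValue quotes a value for the libpq key=value form: single
// quotes around it, a backslash before any ' or \ inside. An RDS token
// has '&', '=' and '%' but no spaces or quotes, so quoting is harmless.
func quoteLibpqValue(v string) string {
	r := strings.NewReplacer(`\`, `\\`, `'`, `\'`)
	return "'" + r.Replace(v) + "'"
}

// KeywordDSN builds the key=value DSN that lib/pq accepts. verify-full
// checks the server certificate against sslrootcert (the RDS CA bundle),
// so the token, a bearer credential, only reaches the intended server.
func KeywordDSN(host string, port int, user, dbname, token, rootcert string) string {
	return fmt.Sprintf(
		"host=%s port=%d user=%s dbname=%s sslmode=verify-full sslrootcert=%s password=%s",
		host, port, user, dbname, quoteLibpqValue(rootcert), quoteLibpqValue(token))
}

// URIDSN builds the postgres:// form. net/url percent-encodes the token's
// '/', '?', ':' and '%', so url.Parse (and therefore lib/pq) recovers it
// intact; a raw token pasted into a URI would not parse.
func URIDSN(host string, port int, user, dbname, token, rootcert string) string {
	q := url.Values{}
	q.Set("sslmode", "verify-full")
	q.Set("sslrootcert", rootcert)
	u := url.URL{
		Scheme:   "postgres",
		User:     url.UserPassword(user, token),
		Host:     fmt.Sprintf("%s:%d", host, port),
		Path:     "/" + dbname,
		RawQuery: q.Encode(),
	}
	return u.String()
}

func main() {
	// Constructed stand-in shaped like `aws rds generate-db-auth-token`
	// output; a real token is several hundred bytes and valid for 15 minutes.
	token := "mydb.example.rds.amazonaws.com:5432/?Action=connect&DBUser=jane_doe&X-Amz-Signature=abc%2F123"
	host := "mydb.example.rds.amazonaws.com"
	fmt.Println(KeywordDSN(host, 5432, "jane_doe", "app", token, "/etc/ssl/rds-ca.pem"))
	fmt.Println(URIDSN(host, 5432, "jane_doe", "app", token, "/etc/ssl/rds-ca.pem"))
}
```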
