
KJTsanaktsidis

Description

When using a temporary credential system for MySQL, for example IAM database authentication on AWS or the Database secret backend for Hashicorp Vault, it may not be the case that the same username and password be used for opening every connection in a sql.DB.

This PR adds functionality whereby the caller can, instead of specifying cfg.User and cfg.Passwd (or in the DSN as user:pass@...), specify a credentialProvider= argument which refers to a callback registered with RegisterCredentialProvider.

When a new connection is to be opened, if the CredentialProvider callback is specified, that is called to obtain a username/password pair rather than using the values from the DSN.

We need this in order to use it with IAM database authentication for Aurora. With IAM database authentication, the "password" you use to connect is in fact a signed token generated with https://docs.aws.amazon.com/sdk-for-go/api/service/rds/rdsutils/#BuildAuthToken. However, the token is signed with an expiry of 15 minutes; so, if a sql.DB is constructed with such a token as the password, the database driver will fail to open any new connections after 15 minutes. By allowing a callback to be used to generate the password, we can re-sign it each time, so that it stays valid.

Although the AWS Aurora use case only requires changing the password, I suspect some users of the database secrets engine in Hashicorp vault (https://www.vaultproject.io/docs/secrets/databases/mysql-maria.html) will find it useful to be able to change the username as well; Vault works by creating temporary users in the database, so when they expire, vault deletes the actual users out of MySQL and replaces it with one named differently. So this use case would require being able to change the username in the callback as well as the password.

Anyway, keen to get some 👀 on this and see if people think this would be a useful addition to the library!

Checklist

  • Code compiles correctly
  • Created tests which fail without the change (if possible)
  • All tests passing
  • Extended the README / documentation, if necessary
  • Added myself / the copyright holder to the AUTHORS file
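The mechanism the description proposes, as an added stand-alone Go model that is not the PR's code nor the driver's real API: a provider registry keyed by the credentialProvider= DSN parameter, consulted each time a connection is opened, plus a constructed 15-minute token showing why a password baked into the DSN stops working after expiry while a callback that re-signs keeps succeeding. All names other than RegisterCredentialProvider and credentialProvider= (which the PR itself proposes), the DSN parser and the token format are assumptions.

```go
package main

import (
	"fmt"
	"net/url"
	"strconv"
	"strings"
)

// CredentialProvider is the callback shape the PR proposes. Everything in this file is a
// stand-alone model of that design with hypothetical names, not the driver's real API.
type CredentialProvider func() (user, passwd string, err error)
var providers = map[string]CredentialProvider{}
// RegisterCredentialProvider makes a callback addressable as credentialProvider=<name> in a DSN.
func RegisterCredentialProvider(name string, p CredentialProvider) { providers[name] = p }
// parseDSN is a minimal stand-in for the driver's parser: user:pass before the last '@',
// then query parameters after the first '?' that follows it (a token password may hold '?').
func parseDSN(dsn string) (user, passwd, provider string) {
	at := strings.LastIndex(dsn, "@")
	if at > 0 {
		user, passwd, _ = strings.Cut(dsn[:at], ":")
	}
	if _, query, ok := strings.Cut(dsn[at+1:], "?"); ok {
		vals, _ := url.ParseQuery(query)
		provider = vals.Get("credentialProvider")
	}
	return
}
// credentialsForNewConn mirrors the choice the PR adds at connection-open time:
// use the registered provider if the DSN names one, otherwise the static DSN values.
func credentialsForNewConn(dsn string) (string, string, error) {
	user, passwd, name := parseDSN(dsn)
	if name == "" {
		return user, passwd, nil
	}
	if p, ok := providers[name]; ok {
		return p()
	}
	return "", "", fmt.Errorf("credentialProvider %q not registered", name)
}
// signToken models an IAM-style token (constructed format, not a real RDS token):
// the "password" embeds an expiry 15 minutes after signing, as unix seconds.
func signToken(signedAt int64) string { return "tok:" + strconv.FormatInt(signedAt+15*60, 10) }
// connectWouldSucceed: is the password presented for a new connection at `now` still valid?
func connectWouldSucceed(dsn string, now int64) bool {
	_, passwd, err := credentialsForNewConn(dsn)
	exp, perr := strconv.ParseInt(strings.TrimPrefix(passwd, "tok:"), 10, 64)
	return err == nil && perr == nil && now < exp
}
```

Register a provider whose callback calls signToken with the current clock, then compare connectWouldSucceed for a user:token@ DSN against a ?credentialProvider=name DSN as the clock passes the 15-minute mark.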

@KJTsanaktsidis KJTsanaktsidis force-pushed the ktsanaktsidis/credential_provider branch from 269e10c to ecdfc32 Compare December 15, 2019 11:33
When using a temporary credential system for MySQL, for example IAM
database authentication on AWS or the Database secret backend for
Hashicorp Vault, it may not be the case that the same username and
password be used for opening every connection in a *sql.DB.

This PR adds functionality whereby the caller can, instead of specifying
cfg.User and cfg.Passwd (in the DSN as user:pass@...), specify a
CredentialProvider= argument which refers to a callback registered with
RegisterCredentialProvider.

When a new connection is to be opened, if the CredentialProvider
callback is specified, that is called to obtain a username/password pair
rather than using the values from the DSN.
@KJTsanaktsidis KJTsanaktsidis force-pushed the ktsanaktsidis/credential_provider branch from ecdfc32 to 33d6e68 Compare December 15, 2019 11:54
@KJTsanaktsidis
Author

Apologies - apparently go modules really doesn't like branches with slashes in them, so I can't actually use this branch to test out my changes in another project. So I'm closing this and opening #1042 with a better branch name on my end.
