
AWS/EKS: Support for IAM authentication #326

Closed
headcr4sh opened this issue Nov 4, 2019 · 2 comments · Fixed by #328

Comments

@headcr4sh
Contributor

headcr4sh commented Nov 4, 2019

I am trying to connect a postgres_exporter instance running on AWS EKS (managed Kubernetes platform) to a managed AWS/RDS instance using IAM authentication methods as described here: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.Connecting.AWSCLI.PostgreSQL.html

My attempt to use an initContainer to obtain the access token (which is valid for a limited period of time only) works just fine:

      initContainers:
      - args:
        - -c
        # Kubernetes expands $(VAR) from the container's environment before the shell runs.
        # Note: the trailing cat prints the short-lived token into the pod log.
        - "echo \"Generating RDS authentication token\" && /usr/bin/aws rds generate-db-auth-token --hostname $(RDS_HOST) --port $(RDS_PORT) --username $(POSTGRES_USER) --region $(AWS_DEFAULT_REGION) > /etc/postgresql-exporter/aws-rds/connection && cat /etc/postgresql-exporter/aws-rds/connection"
        command:
        - /bin/sh
        envFrom:
        - configMapRef:
            # ConfigMap names must be DNS-1123 subdomains (no underscores)
            name: map-that-holds-my-environment-variables
        # This image contains only the AWS CLI and since Amazon hasn't officially released a
        # container image (yet), I had to roll my own... :-(
        image: 1234567890123.dkr.ecr.eu-central-1.amazonaws.com/library/awscli:v1.16.247
        imagePullPolicy: IfNotPresent
        name: generate-db-auth-token
        resources:
          limits:
            cpu: 100m
            memory: 120Mi
          requests:
            cpu: 100m
            memory: 100Mi
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
        volumeMounts:
        # Shared emptyDir volume; the main container reads the token file from the same path
        - mountPath: /etc/postgresql-exporter/aws-rds
          name: config
          readOnly: false

As you might see, the initContainer writes an RDS connection string into a file which I put onto a shared volume (tmpDir) that is accessible from the main container (postgres-exporter). Now comes the tricky part: This connection string contains the full postgresql connection string.

Example (credentials obfuscated):

my-rds-instance-name.abcdef1x2y3z.eu-central-1.rds.amazonaws.com:5432/?Action=connect&DBUser=prometheus_exporter&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=900&X-Amz-Date=20191104T190218Z&X-Amz-SignedHeaders=host&X-Amz-Security-Token=SfxcvIvYXdzEEQaDGuApMrWVOItKG756iKMA4if966d5Th%2BB9IXSv6ZDGI2DXcxkO9YP1jp8oY189vtQuh1dsG7h45Uv3waOWx76gKXp%2F8D2OT2WaD8iL0P9g36VkXVD1J6RNfsdKwshSw%2B5qOuODo%2F1B%2B6ZKrQ%2BHv5oIHODixnZH8jD9NgyjVPHcqB4PTVYTaelOJtL1tQ484g5d3vT8iGvdEpaRLdLzW3IM2wPuWyvuw9R7eqwbolUHrgEIpWphsRUmIhT3tV%2BIxwjm76y093zQQViDauAEjsGQjUyw4brYN%2B7uuADcfT%2BLlQtczTZUFoobfhw%2F2zN3BqJVozuMOLYCJU9v5zkegZY8ikp%2FwWyVM0cmHF%2BsS4p54OYRGfG8NxObgOjFIxdcVvV%2FiQf%2Ff3F3fYn2WZyod3ERqHQlOvqnO6QYG0TS0kGpTHD6IknlCksVDxf%2F3akpA8O70HIq4XR4qj0jJLoAQZoMGbjDeOzm3QoGo%2FWLysVQBA1K0%2BArcnVpIQZfg6e2LtsBuyG%2BasiIqX52PW2aZ915GNldEJC8cJEKo3hSi664HuBTLyAVzWy%2B36zzWfFTx%2FKZqmPljoIdf5pIyGPhr9HN5Srv2qEBB6939Eueb1F7t2HLCQPlhZF8TrdEnAeW8qM3JihgICQldUxcpjxBFsDxhTgMe%2Fdvftl%2BCL7W74N2%2FLNofVEwDrVTwAa4XZw9TUNkrTxPVKXJl%2B7vwqPvGjfmCljANUgNW9JPg2ctAn0O7T%2F2ZoJdnFessUJ17%2F73bgQVaFJyQNq9n87J8pILqf1YUlU%2FS7eePOcVEO0Rn%2FTQyKQhcatTwAoebPgHEC04%2FbEw3PQFNtdd5C5J2y29FQEN9Pe%2BOKNCNaQAtMgq9Jlul2ljkr98tC&X-Amz-Credential=ADIAWZGGSLFRQZT43XHR%2F20191104%2Feu-central-1%2Frds-db%2Faws4_request&X-Amz-Signature=8df675ac12530eb757bffb3818681d0ff361b4e79226c0a31aac546b92e1080a

Unfortunately, it is not possible to use that string when using the official Docker image of the postgres_exporter, because there is no way to construct the DATA_SOURCE_URI environment variable from a file like that. Overriding the container's entrypoint would be an option:

  command:
  - sh
  args:
  - -c
  # Read the token file (not the directory) and exec the exporter with the assembled URI
  - "DATA_SOURCE_URI=\"postgresql://$(cat /etc/postgresql-exporter/aws-rds/connection)\" exec /postgres_exporter"

But right now it is not an option, since the container does not contain a shell (which is actually a good thing when considering best container security practices, I assume).

... any help/ideas appreciated.

PS:
After having thought about it for quite some time, I suppose, a DATA_SOURCE_URI_FILE environment variable might solve all my issues. Would that make for an acceptable PR?
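The token the initContainer writes is a presigned request: it carries its own signing time (X-Amz-Date) and lifetime (X-Amz-Expires, 900 seconds in the example), and the RDS documentation linked in the post uses it as the connection password, so it has to be percent-encoded before it goes into a libpq URI. The following added example (not code from this issue or from postgres_exporter) reads such a token, decides when a refresher must regenerate it (the 15-minute expiry question raised later in the thread), and assembles a DATA_SOURCE_URI; the sample token, hostname, key id and signature are constructed placeholders.

```python
# Added example, not code from the issue or from postgres_exporter.
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, quote, urlsplit

# Constructed sample in the shape `aws rds generate-db-auth-token` prints
# (host:port/?query...); key id and signature are placeholders, not real credentials.
SAMPLE_TOKEN = (
    "my-rds-instance-name.abcdef1x2y3z.eu-central-1.rds.amazonaws.com:5432/"
    "?Action=connect&DBUser=prometheus_exporter&X-Amz-Algorithm=AWS4-HMAC-SHA256"
    "&X-Amz-Expires=900&X-Amz-Date=20191104T190218Z&X-Amz-SignedHeaders=host"
    "&X-Amz-Credential=PLACEHOLDERKEYID%2F20191104%2Feu-central-1%2Frds-db%2Faws4_request"
    "&X-Amz-Signature=PLACEHOLDERSIGNATURE"
)


def parse_amz_date(value: str) -> datetime:
    """Parse the SigV4 timestamp format (e.g. 20191104T190218Z) as an aware UTC datetime."""
    return datetime.strptime(value, "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)


def token_expiry(token: str) -> datetime:
    """Instant after which RDS rejects the token: X-Amz-Date + X-Amz-Expires."""
    # A scheme is prepended only so urlsplit parses host:port and the query.
    query = parse_qs(urlsplit("https://" + token).query)
    signed_at = parse_amz_date(query["X-Amz-Date"][0])
    return signed_at + timedelta(seconds=int(query["X-Amz-Expires"][0]))


def needs_refresh(token: str, now: datetime, margin: timedelta = timedelta(minutes=2)) -> bool:
    """True when a refresher should regenerate: token expired, or expiring within margin."""
    return now + margin >= token_expiry(token)


def build_data_source_uri(token: str, dbname: str = "postgres") -> str:
    """Assemble DATA_SOURCE_URI with the token as the password.

    quote(..., safe="") percent-encodes the '&', '=', '?', '/' and '%' inside the token,
    which would otherwise confuse libpq's URI parser; libpq decodes the password back to
    the exact token string. IAM authentication on RDS requires TLS, hence sslmode=require.
    """
    parts = urlsplit("https://" + token)
    user = parse_qs(parts.query)["DBUser"][0]
    return (f"postgresql://{user}:{quote(token, safe='')}"
            f"@{parts.hostname}:{parts.port}/{dbname}?sslmode=require")
```

A refresher loop (cron-style sidecar or CronJob) can call needs_refresh on the file the initContainer wrote and regenerate before the 900-second window closes; the exporter itself still has to be restarted or told to reread the URI.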

headcr4sh added a commit to headcr4sh/postgres_exporter that referenced this issue Nov 5, 2019
Closes prometheus-community#326 as it provides a viable solution to use a K8S init container
to fully construct the PostgreSQL URI and 'hand it over' to the postgres_exporter
process.
wrouesnel pushed a commit that referenced this issue Nov 19, 2019
english pushed a commit to form3tech-oss/postgres_exporter that referenced this issue Jan 31, 2020 (cherry picked from commit 9b13f5e)
@robbiet480
Contributor

@headcr4sh Your PR is great but I'm wondering how you are triggering a token update every 15 minutes since the password expires every 15?

@headcr4sh
Contributor Author

@robbiet480 Unfortunately, I was not able to solve any further issues with the postgres_exporter in conjunction with EKS and IAM-based ServiceAccounts.

So... I was not able to trigger the token update. :-(

(Using the postgres_exporter was just a proof-of-concept and I did not proceed any further, unfortunately...)

ritbl pushed a commit to heniek/postgres_exporter that referenced this issue Mar 19, 2023