Refresh RDS IAM token #2633
This PR adds a goroutine to update the IAM token used for RDS authentication. The token is immediately generated to not delay server start and refreshed every 10 minutes. The token updates the database connection details globally used so as connections are created in the pool the latest token is used.
This change is backwards compatible with plain text password authentication.
Semi related (not required PR): #2620
Few things to check:
If using MilMove AWS environment refer to IAM Doc on how to connect.
Testing IAM auth
./bin/milmove serve --db-iam --db-iam-role DB_ARN \
  --db-region us-east-2 \
  --db-host rdstest.chsgqg6ccrq7.us-east-2.rds.amazonaws.com \
  --db-ssl-mode verify-full --db-ssl-root-cert PATH/TO/CERT --db-user db_user
Browse for longer than 15 minutes as the original IAM token will have expired.
Testing Plain Text: simply run local dev environment which uses plain text password for database auth
Code Review Verification Steps
@@           Coverage Diff            @@
##           master   #2633     +/-   ##
========================================
+ Coverage    55.4%   56.2%   +0.8%
========================================
  Files         271     242     -29
  Lines       12453   11873    -580
========================================
- Hits         6894    6667    -227
+ Misses       4858    4513    -345
+ Partials      701     693      -8
Decided to revert a commit that used the existing pq driver for plain text auth and the custom driver for RDS. This was a workaround for the real problem that affects both plain text and IAM auth for the custom driver. CI was telling me something and I ignored it, so now it will always test both ways.
More info here: jmoiron/sqlx#559
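The refresh pattern the PR description outlines (first token generated before startup continues, then a background goroutine replacing it on an interval), as an added example that is not the PR's code. `tokenSource`, `refreshingToken`, `startRefresh` and the `retry` interval are hypothetical names; the shorter retry after a failed refresh goes beyond what the PR describes and is included because a 10 minute interval leaves little slack against a token that expires after 15.

```go
package main

import (
	"context"
	"fmt"
	"sync/atomic"
	"time"
)

// tokenSource is a hypothetical stand-in for the call that signs an RDS IAM token.
type tokenSource func() (string, error)

// refreshingToken holds the current token: written by the refresher goroutine,
// read via Current() whenever the pool opens a new connection.
type refreshingToken struct{ v atomic.Value }

func (r *refreshingToken) Current() string { return r.v.Load().(string) }

// startRefresh fetches the first token synchronously, then refreshes until ctx ends.
// A failed refresh keeps the old token and retries after `retry` instead of `every`.
func startRefresh(ctx context.Context, src tokenSource, every, retry time.Duration) (*refreshingToken, error) {
	first, err := src()
	if err != nil {
		return nil, fmt.Errorf("initial IAM token: %w", err)
	}
	r := &refreshingToken{}
	r.v.Store(first)
	go func() {
		wait := every
		for {
			select {
			case <-ctx.Done():
				return
			case <-time.After(wait):
			}
			wait = retry // assume failure until the new token is stored
			if t, err := src(); err == nil {
				r.v.Store(t)
				wait = every
			}
		}
	}()
	return r, nil
}

func main() {
	src := func() (string, error) { return "constructed-token", nil } // constructed value
	if r, err := startRefresh(context.Background(), src, 10*time.Minute, time.Minute); err == nil {
		fmt.Println(r.Current())
	}
}
```

Existing pooled connections keep the credential they authenticated with; only connections opened after a refresh read the new value from `Current()`.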