Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: add IAM authentication support to normal Postgres (i.e. for AWS RDS Postgres) #1514

Open
wants to merge 34 commits into
base: master
Choose a base branch
from
Open

feat: add IAM authentication support to normal Postgres (i.e. for AWS RDS Postgres) #1514

wants to merge 34 commits into from
+1,889 −233

Conversation

ndom91
Copy link
Contributor

@ndom91 ndom91 commented Feb 18, 2023
edited

Changes

  • Primarily added support for IAM Authentication based on ~/.aws/credentials profiles for RDS Postgres.
  • I initially tried to rename the redshiftOptions to iamOptions to make it more general, but had issues with the migration on the sqlite db in relation to detecting if a column exists and has a certain name and only if thats true, rename it. So I just (mis)used redshiftOptions directly for this Postgres IAM auth as well 😅
  • Added @aws-sdk/* to vue's transpileDependencies because newer features like nulllish coalescing inside those packages was breaking the build, I guess this electron version is on a slightly older version of node(?)

Notes

Screenshot

image

@ndom91
feat: migrate redshiftOptions to iamAuthOptions
5b94159
@ndom91
chore: add 'used_connection.redshiftOptions' rename
d106428
@ndom91
chore: use AWS.RDS.Signer to get RDS signed auth token
b0628f6
@ndom91
feat: use AWS.RDS.Signer
e3d9766 
	modified:   apps/studio/src/background/NativeMenuBuilder.ts
@ndom91
chore: fix iamAuthOptions type
f5983d9
@ndom91
chore: revert iamAuthOptions changes
31c09a6
@ndom91
chore: WIP credentials fromIni
ea1b2aa
@ndom91
fix: postgres client config for rds iam auth
63b9243
@ndom91
fix: updated postgresql.ts client file
c89132e
@ndom91
feat: add iamoptions to postgres form and client
40d2077
@ndom91
fix: clean up eslint and add vue-eslint-parser
d9f089e
@ndom91
chore: cleanup babel.config.js
f0b2e4b
@ndom91
chore: cleanup saved_connection.ts
2b249fc
@ndom91
chore: cleanup postgres.ts client
b1efa7c
@ndom91
Merge branch 'master' into ndom91/add-general-iamoptions
62c8f2d
@ndom91
chore: cleanup eslintrc.js
efb6c8c
@ndom91
Merge branch 'ndom91/add-general-iamoptions' of github.com:ndom91/bee…
a825740 
…keeper-studio into ndom91/add-general-iamoptions
@ndom91
fix: all TS errors
e788722
@ndom91
Copy link
Contributor Author

ndom91 commented Feb 18, 2023
edited

Okay I see why TS was not setup correctly 😅

I just spent ~1hr fixing all the TS errors, its all in that last commit. I understand if you're not comfortable pushing all that in this one PR though, I can revert that last commit and disable TS/eslint again if you prefer.

I did do a good deal of clicking around and testing things though and it does all seem to still work.

Many of the ts errors were related to misuse of @ts-ignore and empty/unused methods, so shouldn't have runtime affects anyway.

@ndom91 ndom91 mentioned this pull request Feb 18, 2023
Open
@rathboma
Copy link
Collaborator

@ndom91 Thanks for the PR and for fixing a big issue with our dev setup.

Can I ask a favor - can you split this into 2 PRs? 1 to fix the IAM issue, and the other to fix eslint and tsconfig?

That way I can better manage the large changeset with my other devs.

@rathboma
Copy link
Collaborator

Also - is there a way to avoid these types of template changes?

This is a stylistic change that I think just makes it harder to merge:

image

Totally happy to merge a PR or lint and typescript fixes without the style stuff. I don't even mind the style stuff, but it's just going to make our outstanding feature branches totally broken.

@ndom91
Copy link
Contributor Author

ndom91 commented Feb 22, 2023
edited

Also - is there a way to avoid these types of template changes?

This is a stylistic change that I think just makes it harder to merge:

image

Totally happy to merge a PR or lint and typescript fixes without the style stuff. I don't even mind the style stuff, but it's just going to make our outstanding feature branches totally broken.

Yeah I was nervous about y'all declining these changes haha, but afaik they were just the default vue formatting rules yall had setup being applied again. I can take a look though.

In regard to splitting it up, yeah no problem. Makes sense 👍

@ndom91
Copy link
Contributor Author

ndom91 commented Mar 7, 2023

@rathboma okay so I've cleaned up and split all the TS/ESLint changes into their own PR.

However, I'm travelling currently for the next few days and only have my M1 MBP on me. I wasn't able to get beekeeper-studio to build or even install locally due to node-gyp / binary errors relating to better-sqlite3 and not being able to find arm binaries for it :/

Anyway, so I wasn't abel to thoroughly test these two PRs atm, but they shuold be good to go. Can you give them a shot? Or I can do it next weekend when I'm back home on my x86 desktop 👍

@rathboma
Copy link
Collaborator

rathboma commented Mar 9, 2023

This looks amazing! I need to figure out how to set up my aws credentials to test it :-).

if you have the link to a guide for setting up an rds instance with iam auth that would be very helpful!

@MasterOdin
Copy link
Contributor

@rathboma This doc https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.html does a good job walking you through it I think. Enumerating out the steps / subsections from that is:

  1. Make sure you have IAM auth enabled for the RDS instance (https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.Enabling.html)
  2. That the AWS user you wish to use has the right permission policy attached to them to allow RDS auth (https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.IAMPolicy.html)
  3. That you've created a DB user and have granted rds_iam to that user (https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.DBAccounts.html#UsingWithRDS.IAMDBAuth.DBAccounts.PostgreSQL)

MasterOdin
MasterOdin reviewed Mar 9, 2023
View reviewed changes
Copy link
Contributor

@MasterOdin MasterOdin left a comment
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think that you should have a dropdown on both the redshift and postgres pages (and this would be true also for mysql in the future) that when using AWS IAM, you can either:

  1. Use a profile
  2. Use credentials

Both the RedshiftClient that underlies redshift auth and the Signer that underlies postgres support the credentials being passed as an object with access key and secret access key, as well as support receiving credentials loaded via fromIni.

@ndom91
Copy link
Contributor Author

ndom91 commented Mar 9, 2023
edited

I think that you should have a dropdown on both the redshift and postgres pages (and this would be true also for mysql in the future) that when using AWS IAM, you can either:

  1. Use a profile
  2. Use credentials

Both the RedshiftClient that underlies redshift auth and the Signer that underlies postgres support the credentials being passed as an object with access key and secret access key, as well as support receiving credentials loaded via fromIni.

Yeah good point.

I actually initially tried to use the nodeCredentualsProvider which iterates through all aws auth options (env vars, ini, etc.) but the import wasn't working for some reason. See my first PR (can dig out the link tmr). If you can get that working that'd be great.

Also I tried to rename the redshiftOptions to be iamOptions to be more generalized, but had trouble with the sqlite migration - renaming a column only if the column exists and has a certain name. So I ended up just (mis)using redshitOptions for that here again.

I think both of those could be nice follow-up PRs though once the initial support is in!

@ndom91 ndom91 requested a review from MasterOdin March 24, 2023 10:49
@ndom91
Copy link
Contributor Author

ndom91 commented Mar 24, 2023
edited

@rathboma looks like you can setup an RDS instance with an AWS free tier account!

https://repost.aws/knowledge-center/free-tier-rds-launch

(Note: this PR is for postgres only, right, so that guide needs a bit of modification ^^)

@rathboma rathboma assigned rathboma and unassigned davidkaufman Aug 25, 2023
@rathboma
Copy link
Collaborator

I'm going to pick this back up and get it tested and updated over the next month or so, along with changes for Redshift.

@SebastiaanSafeguard
Copy link

Is there anything we could do to help land this PR?

@rathboma
Copy link
Collaborator

@SebastiaanSafeguard Yeah I'm going to have someone on the team look into this issue in the next cycle. We're updating all the drivers right now to a more managable format, so we'll probably just rewrite some of this.

@rathboma rathboma assigned wmontgomery and unassigned rathboma Mar 20, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@MasterOdin MasterOdin Awaiting requested review from MasterOdin

At least 1 approving review is required to merge this pull request.

Assignees

@wmontgomery wmontgomery

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
6 participants
@ndom91 @rathboma @MasterOdin @SebastiaanSafeguard @wmontgomery @davidkaufman