Support retrieving db password via callback #1873
Comments
|
Why not just recreate the pool object when you get a new password? |
|
@vitaly-t Existing connections |
|
Same problem here. Trying to Monkey patch the Client.connect method right now. |
|
I am testing the following right now: (Coffeescript) |
|
Seems to work. |
|
@kellertobias That wouldn't work if retrieving the password is an async operation. You would need to wait for it to complete prior to continuing the callback. I took a peek at the code and turns out this wasn't that bad to add. See #1926 for a PR that adds this feature. It'll need at least one test added prior to being merged, but would be good if you can try it out and see if it works for your use case. |
|
Works if using meteor with future/fibers and so making the async operation look sync ;) |
|
This was successfully fixed via #1926. Here's an example: password: async () => {
if(process.env.DB_CONNECTION_STYLE === "rds_iam") {
const signer = new AWS.RDS.Signer({
region: (new AWS.Config()).region,
hostname: process.env.DB_HOST,
port: Number(process.env.DB_PORT),
username: process.env.DB_USERNAME,
});
return signer.getAuthToken({});
}
return process.env.DB_PASSWORD;
}, |
RDS postgres supports connecting via an "IAM Authentication Token", which lasts 15 minutes, and is used as the password when connecting to the database. I can't see any way to connect like this with pg, since the password is a static value passed at pool creation time. Ideally, the pool would be able to retrieve a new password whenever it needs to create a new connection.
I think the ideal API for this would be something like this - note the getPassword function needs to be asynchronous:
I am most likely available to work on this issue, but keen to get maintainer approval first before I write any code.
More details here:
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.Connecting.AWSCLI.PostgreSQL.html
The text was updated successfully, but these errors were encountered: