[QUESTION]: Connecting to Amazon RDS with IAM credentials using TypeORM #4724
Comments
@achansonjr Fix is in #5673. Thankfully this exact feature was added to

```ts
// aws-sdk v2; RDS.Signer signs the token with the instance/role credentials
import * as AWS from "aws-sdk";

// ... inside the connection options object:
password: async () => {
    if (process.env.DB_CONNECTION_STYLE === "rds_iam") {
        const signer = new AWS.RDS.Signer({
            region: (new AWS.Config()).region,
            hostname: process.env.DB_HOST,
            port: Number(process.env.DB_PORT),
            username: process.env.DB_USERNAME,
        });
        // with no callback, getAuthToken returns the token string synchronously
        return signer.getAuthToken({});
    }
    // non-IAM environments fall back to a static password
    return process.env.DB_PASSWORD;
},
```
@robbiet480 I am using @nest.js/typeorm. I tried to pass this function, but it gives the error that PAM authentication failed for user. It works fine if I fetch the token and pass it. Can you please help? I am also using IAM authentication and want to auto-renew this token. Do I need to create a connection on each request, or is there another way?

@Sachin1678 This solution worked for me for both AWS RDS Proxy IAM auth and AWS RDS cluster IAM auth without any issue. It renews the token from time to time and keeps the connection with the RDS.
Issue type:

[X] question
[ ] bug report
[ ] feature request
[ ] documentation issue

Database system/driver:

[ ] cordova
[ ] mongodb
[ ] mssql
[ ] mysql/mariadb
[ ] oracle
[X] postgres
[ ] cockroachdb
[ ] sqlite
[ ] sqljs
[ ] react-native
[ ] expo

TypeORM version:

[X] latest
[ ] @next
[ ] 0.x.x (or put your version here)

Steps to reproduce or a small repository showing the problem:
Other environment considerations.
Postgres instance in AWS RDS, using AWS IAM authentication.
How do I allow users to connect to Amazon RDS with IAM credentials?
Using RDS.Signer we generate a token in our node application at application startup.
So that's our ConnectionOptions object. We are able to connect to the entity, and even have migrations running. So we know that the token that is being generated is providing us an active connection. We pass our repos to the routes that need access to those entities throughout our express app.
According to IAM Database Authentication for MySQL and PostgreSQL:
What happens next is that after 15 minutes the AWS IAM token generated by RDS.Signer goes away and we don't have a way to refresh the connection in Typeorm, nor in our repositories.

We don't really want to recreate a token every request, but there doesn't seem to be a way to use ephemeral credentials in IAM RDS authentication with Typeorm, as there doesn't seem to be a good location to have Typeorm connection or repositories check to see if their connection is still valid, then regenerate whatever ephemeral credentials that might be necessary.
We can use named user accounts in the RDS Postgres database, but thought it would be nice from a security standpoint to be able to utilize the AWS IAM RDS token generation off of the EC2 ephemeral role capability.
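An added example for this thread (not code from TypeORM, aws-sdk, or any commenter) that addresses the two concerns above: the 15-minute token lifetime and not wanting to regenerate a token on every request. It wraps a token generator so that the `password` function shown in the comments hands out a cached token and only regenerates it shortly before it lapses. The expiry is read from the token itself (an RDS auth token is a SigV4 presigned URL without the scheme, so it carries `X-Amz-Date` and `X-Amz-Expires`), with the documented 15 minutes as a fallback. Assumptions: in production the generator is `() => signer.getAuthToken({})` from aws-sdk's `RDS.Signer` (not imported here so the file runs offline), the one-minute refresh margin is a chosen value, `DB_NAME` is not an env variable from the thread, and the sample token in the test is constructed.

```javascript
// Added example for this thread (not code from TypeORM, aws-sdk, or the
// commenters). Wraps a token generator so that TypeORM's `password` callback
// returns a cached IAM token and only regenerates it shortly before expiry.
// In production the generator would be `() => signer.getAuthToken({})` from
// aws-sdk's RDS.Signer (assumed; not imported so the file runs offline).

const DEFAULT_LIFETIME_MS = 15 * 60 * 1000; // RDS IAM tokens are valid for 15 minutes
const REFRESH_MARGIN_MS = 60 * 1000;        // assumption: renew one minute before expiry

// An RDS auth token is a SigV4 presigned URL without the scheme, so its own
// X-Amz-Date (YYYYMMDDTHHMMSSZ) and X-Amz-Expires (seconds) say when it lapses.
// Fall back to the documented 15 minutes if either is missing.
function tokenExpiryMs(token, issuedAtMs) {
  const q = token.indexOf('?');
  const params = new URLSearchParams(q >= 0 ? token.slice(q + 1) : '');
  const date = params.get('X-Amz-Date') || '';
  const expires = Number(params.get('X-Amz-Expires'));
  const m = /^(\d{4})(\d{2})(\d{2})T(\d{2})(\d{2})(\d{2})Z$/.exec(date);
  if (!m || !Number.isFinite(expires) || expires <= 0) {
    return issuedAtMs + DEFAULT_LIFETIME_MS;
  }
  const signedAt = Date.UTC(+m[1], +m[2] - 1, +m[3], +m[4], +m[5], +m[6]);
  return signedAt + expires * 1000;
}

// Returns a function suitable for the `password` option. `generateToken` may be
// sync or async; `now` is injectable so the refresh logic can be tested offline.
function makeIamPasswordProvider(generateToken, { now = Date.now } = {}) {
  let cached = null; // { token, expiresAt }
  return function password() {
    const t = now();
    if (cached && t < cached.expiresAt - REFRESH_MARGIN_MS) {
      return Promise.resolve(cached.token); // still fresh: reuse, no new token
    }
    return Promise.resolve(generateToken()).then((token) => {
      cached = { token, expiresAt: tokenExpiryMs(token, t) };
      return token;
    });
  };
}

// Postgres connection options in the shape TypeORM accepts once `password`
// may be a function. Env variable names mirror the ones used in the thread.
function rdsIamConnectionOptions(env, generateToken) {
  return {
    type: 'postgres',
    host: env.DB_HOST,
    port: Number(env.DB_PORT),
    username: env.DB_USERNAME,
    database: env.DB_NAME,             // assumption: not an env variable from the thread
    ssl: { rejectUnauthorized: true }, // IAM auth requires TLS; add the RDS CA bundle in production
    password: makeIamPasswordProvider(generateToken),
  };
}
```

Because the provider caches by expiry rather than by call count, it behaves the same whether the driver asks for the password once per pool or once per new connection; concurrent calls during a refresh may each generate a token, which is harmless since every token is valid on its own.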