RDS.Signer is not implemented?

[isaacl]

RDS.Signer is the V2 impl for RDS IAM token generation. I don't see that here?

[willfarrell]

I'm currently updating https://github.com/middyjs/middy. Would really like to include the middleware that allows this in the next release.

[nwitte-rocketloans]

This is something that is needed because there is no other way of doing this outside of the CLI or aws-sdk v2.

[clafollett]

I agree with @nwitte-rocketloans , we are in the process of green fielding a new architecture and were looking to use IAM auth for Aurora PostgreSQL. All of our lambdas will be written against aws-sdk v3.

[xsalazar]

Would also love to see this implemented in v3

[bendrucker]

I tried to implement this using the @aws-sdk packages. The implementation in v2 is pretty hacky and the low level packages in v3 should make signing a lot simpler and more comparable to other SDKs. The function below generates URLs that are structurally valid (all the same query params as the CLI) but in my testing are not accepted by a database, presumably because of a signature mismatch.

const { HttpRequest } = require('@aws-sdk/protocol-http')
const { SignatureV4 } = require('@aws-sdk/signature-v4')
const { Hash } = require('@aws-sdk/hash-node')
const { formatUrl } = require('@aws-sdk/util-format-url')

async function getAuthToken({ hostname, port, username, region, credentials }) {
  const protocol = 'https'

  const signer = new SignatureV4({
    service: 'rds-db',
    region,
    credentials,
    sha256: Hash.bind(null, 'sha256')
  })

  const request = new HttpRequest({
    method: 'GET',
    protocol,
    hostname,
    port,
    query: {
      Action: 'connect',
      DBUser: username
    }
  })

  const presigned = await signer.presign(request, {
    expiresIn: 900
  })

  return formatUrl(presigned).replace(`${protocol}://`, '')
}

credentials can be a CredentialProvider or a literal Credentials object.

For now I'm calling out to the CLI which is acceptable in the context I need RDS access via IAM. If anyone wants to keep debugging, using a mocked time and an expected signature/URL could be helpful. Happy to take up a PR or just be able to share a working userland implementation if anyone can spot the issue.

[70nyIT]

Definitively something needed!

[avivek]

Is this something that is being considered?
Would really love to have this feature.

[MasterOdin]

@bendrucker Thanks for posting that code. It looks like you were just missing the headers object on the request with host key:

  const request = new HttpRequest({
    method: 'GET',
    protocol,
    hostname,
    port,
    query: {
      Action: 'connect',
      DBUser: username,
    },
    headers: {
      host: `${hostname}:${port}`,
    },
  });

Doing this, I was able to connect and successfully query the DB!

[bendrucker]

Really appreciate the extra eyes @MasterOdin, that's a good catch! Figured it was something simple that was missing. I went ahead and published https://github.com/bendrucker/aws-sdk-js-v3-rds-signer to make this easy to adopt.

npm install --save aws-sdk-js-v3-rds-signer

The Signer object is pretty similar to the v2 one but it just returns a promise for the token directly. If you have issues/comments, please open issues on that repo to avoid creating noise for subscribers here.

In the (private) project where I'd previously called out to the AWS CLI I was able to successfully swap over to this and connect.

[mikicho]

Thanks @bendrucker! I can't believe this isn't fixed already. maybe consider opening a PR?

[willfarrell]

Looks like last July this was a To Do within High Priority (https://github.com/aws/aws-sdk-js-v3/projects/1). Lets hope it will be resolved soon.

[benasher44]

Looks like it's being implemented here: #3084

[trivikr]

Implemented in #3084

It will be released with v3.98.0 today.

[github-actions]

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs and link to relevant comments in this thread.