In this article I will be discussing how to connect to Postgres on RDS from Python (using Django) and from Go when using IAM authentication.

AWS supports IAM roles for authenticating to RDS instead of a conventional username and password. We create an IAM policy that allows `rds-db:connect` for the database user, attach it to the EC2 instance's role, and the EC2 instance can then connect to RDS using an IAM token instead of the password (on the database side the Postgres role must also have been granted `rds_iam`). In this article we will talk about how to keep the token fresh when using pgx as the Postgres driver in Go, and how to use/refresh IAM tokens when using Django and Python. I will not go into the details of creating and attaching the IAM role/policy here; there are a lot of resources available for that.

With IAM database authentication, you use an authentication token when you connect to your DB instance. An authentication token is a string of characters that you use instead of a password. After you generate an authentication token, it is valid for 15 minutes before it expires. If you try to connect using an expired token, the connection request is denied. Network traffic to and from the database is encrypted using Transport Layer Security (TLS); since the token is a bearer credential that anyone holding it can replay for those 15 minutes, the client should also verify the server certificate (for example `sslmode=verify-full` with the RDS CA bundle) rather than only encrypt.

Using this authentication we avoid keeping the password in the code/config. The AWS SDK (aws-sdk-go for Go, boto3 for Python) programmatically creates and signs an authentication token, and we generate a new one every time a DB connection needs to be made. The important thing to note is that the token is generated on the client side: no network call is made to fetch it from AWS, so it is completely fine to generate a new token every time a new connection is made. This is achieved using AWS's Signature Version 4 (SigV4) signing process: the SDK builds a presigned GET request for the `rds-db` connect action (host, port and DB user are part of the signed request) and signs it with the access key ID and secret access key, plus the session token when the credentials are temporary ones from an instance role. The resulting string is the token, and we hand it to Postgres in place of the password.

How can this be used to connect to Postgres in Go/Python

AWS has quite good documentation for connecting to Postgres/RDS using IAM tokens instead of passwords, in Go as well as in Python. But when I was trying to implement this, the problem I faced was that we used client-side database pools. It would be fair to assume that most real-world production systems leverage pooling.

Database Pooling

Database connection pooling is a method used to keep database connections open so they can be reused by others. Typically, opening a database connection is an expensive operation: you have to open a network session, complete the TLS handshake, authenticate, and so on. Pooling keeps the connections active so that, when a connection is later requested, one of the active ones is used in preference to creating another one.

This adds an additional layer of complexity for IAM tokens. A pool does not stand up all of its connections when the app starts: if a pool is sized for 50 connections, they are added to the pool as and when queries/transactions arrive, and a pool will also open replacements later when it drops idle or broken connections. Each of those late connections has to authenticate, and a token that was generated at startup and reused will be rejected once its 15 minutes are up. Now if we were to reuse the IAM token, we would have to keep track of its age, so we would need a timer to refresh the token every 15 minutes (in practice somewhat less, to leave a margin). But we cannot really swap the credentials on the connections within a pool, as these are self-managing pools, so we would have to close the pool and re-initialize everything again. This approach seems very hacky and is not elegant.

Go implementation

Fortunately pgx has recently added a BeforeConnect hook to its pool API. We can use this hook to modify the DB credentials before any connection is made: the pool calls it each time it is about to open a new physical connection, so the hook can put a freshly generated IAM token into the password field, and no token is ever reused past its lifetime. Connections that are already open are unaffected, because Postgres authenticates once at connection time; an expired token does not terminate an established session.
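As an added example (not code from this article, from pgx or from the AWS SDK), the following pure-standard-library Go program does the two things described above: it builds an RDS IAM token locally the way the SDK's `BuildAuthToken` does, by SigV4-presigning `GET https://host:port/?Action=connect&DBUser=...` for the `rds-db` service and stripping the scheme, and it wraps that in a hook with the shape pgx expects. The `Credentials` type, the `ConnConfig` struct (a stand-in that mirrors only the `pgx.ConnConfig` fields the hook touches), the endpoint, user and key material are all constructed assumptions; in real code you assign the hook to `pgxpool.Config.BeforeConnect`, receive a `*pgx.ConnConfig`, and call the SDK's own token builder with credentials from its provider chain. The value of doing it by hand here is seeing that nothing in the token requires a round trip to AWS, and exactly what the signature binds (user, endpoint, region, issue time, lifetime).

```go
package main

import (
	"context"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
	"time"
)

// Credentials stands in for an AWS SDK credential provider's output; temporary
// credentials from an instance role also carry a session token (assumption).
type Credentials struct{ AccessKeyID, SecretAccessKey, SessionToken string }

// SHA-256 of the empty string: a presigned GET carries no body.
const emptyPayloadHash = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

// uriEncode percent-encodes all but RFC 3986 unreserved characters, as SigV4
// requires for query keys and values (url.QueryEscape would turn a space into "+").
func uriEncode(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		c := s[i]
		if (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') || (c >= '0' && c <= '9') || strings.IndexByte("-_.~", c) >= 0 {
			b.WriteByte(c)
		} else {
			fmt.Fprintf(&b, "%%%02X", c)
		}
	}
	return b.String()
}

// BuildAuthToken derives an RDS IAM auth token with no network call: the SigV4
// presigned URL for GET https://<endpoint>/?Action=connect&DBUser=<user>, minus "https://".
func BuildAuthToken(endpoint, region, dbUser string, creds Credentials, now time.Time, expires time.Duration) string {
	now = now.UTC()
	amzDate, dateStamp := now.Format("20060102T150405Z"), now.Format("20060102")
	scope := dateStamp + "/" + region + "/rds-db/aws4_request"
	mac := func(key []byte, data string) []byte { h := hmac.New(sha256.New, key); h.Write([]byte(data)); return h.Sum(nil) }
	params := map[string]string{
		"Action": "connect", "DBUser": dbUser,
		"X-Amz-Algorithm":     "AWS4-HMAC-SHA256",
		"X-Amz-Credential":    creds.AccessKeyID + "/" + scope,
		"X-Amz-Date":          amzDate,
		"X-Amz-Expires":       fmt.Sprint(int(expires.Seconds())),
		"X-Amz-SignedHeaders": "host",
	}
	if creds.SessionToken != "" {
		params["X-Amz-Security-Token"] = creds.SessionToken
	}
	// Canonical query string: "key=value" pairs in byte order (no key here is a prefix of another).
	var pairs []string
	for k, v := range params {
		pairs = append(pairs, uriEncode(k)+"="+uriEncode(v))
	}
	sort.Strings(pairs)
	query := strings.Join(pairs, "&")
	// Canonical request: method, path, query, canonical headers (host only; the
	// header block ends with a blank line), signed header list, payload hash.
	canonical := strings.Join([]string{"GET", "/", query, "host:" + endpoint + "\n", "host", emptyPayloadHash}, "\n")
	crHash := sha256.Sum256([]byte(canonical))
	stringToSign := strings.Join([]string{"AWS4-HMAC-SHA256", amzDate, scope, hex.EncodeToString(crHash[:])}, "\n")
	// Signing key: HMAC chain from the secret over date, region, service and terminator.
	key := []byte("AWS4" + creds.SecretAccessKey)
	for _, part := range []string{dateStamp, region, "rds-db", "aws4_request"} {
		key = mac(key, part)
	}
	return endpoint + "/?" + query + "&X-Amz-Signature=" + hex.EncodeToString(mac(key, stringToSign))
}

// ConnConfig is an assumed stand-in for the pgx.ConnConfig fields the hook
// touches; real code assigns the hook to pgxpool.Config.BeforeConnect.
type ConnConfig struct {
	Host, User, Password string
	Port                 uint16
}

// NewBeforeConnect returns a hook that mints a fresh token for every physical
// connection the pool opens, so a lazily created connection never gets a stale one.
func NewBeforeConnect(region string, creds func() (Credentials, error)) func(context.Context, *ConnConfig) error {
	return func(_ context.Context, cfg *ConnConfig) error {
		c, err := creds() // resolve current (possibly rotated) role credentials
		if err != nil {
			return fmt.Errorf("load credentials: %w", err)
		}
		cfg.Password = BuildAuthToken(fmt.Sprintf("%s:%d", cfg.Host, cfg.Port), region, cfg.User, c, time.Now(), 15*time.Minute)
		return nil
	}
}

func main() {
	creds := Credentials{AccessKeyID: "AKIAEXAMPLE", SecretAccessKey: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"} // constructed, not real
	at := time.Date(2024, 1, 2, 3, 4, 5, 0, time.UTC)                                                       // fixed clock for a reproducible run
	fmt.Println(BuildAuthToken("mydb.abc123.eu-west-1.rds.amazonaws.com:5432", "eu-west-1", "app_user", creds, at, 15*time.Minute))
}
```

Two details are worth noticing in the output. The token already contains `X-Amz-Date` and `X-Amz-Expires=900`, so its remaining lifetime can be read off without any state of your own, which is why generating one per connection is cheap and a refresh timer is unnecessary. And the signature covers the host:port and DB user, so a token minted for one endpoint or user is useless for another; the hook therefore builds it from the very `ConnConfig` the pool is about to dial with.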