spicedb
Support IAM database authentication for Postgres datastore
As of now, there is only support for username:password in the connection string for Postgres. For those who use an AWS-hosted Postgres, it's preferable to use IAM database authentication.
@jhalleeupgrade any pointers on documentation on how that is enabled?
@josephschorr Sure! A good starting point for documentation would be: https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.IAMDBAuth.Connecting.Go.html
cc @ecordell who will probably have opinions on the UX of how this is configured
I'm not sure what the best CLI UX looks like for this feature.
Because it looks like the password field is overloaded to provide this functionality, there is an interesting workaround that could be done now: write a tiny program that prints the output of rdsutils.BuildAuthToken() and then just use that value for the password on the SpiceDB serve command: spicedb serve --datastore-engine postgres --datastore-uri "host=blahblah password=$(myProgram) ...".
@jzelinskie I think we would need to provide a way to refresh at runtime, because the AWS Auth token has an expiration deadline.
You're totally right that the value actually is short-lived. There's a lot of good discussion on this issue for our Postgres library. It looks like we should decide the UX for this and then we can add a BeforeConnect hook for connections to inject the "password" into the config.
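The BeforeConnect approach sketched above, as an added example in Go that is not SpiceDB's or pgx's own code: a token cache that regenerates the RDS IAM auth token before its 15-minute lifetime runs out, exposed as a hook with the shape pgxpool's BeforeConnect expects. The ConnConfig type is a stand-in for pgx.ConnConfig, the Source function stands in for rdsutils.BuildAuthToken, and the 2-minute refresh margin is a chosen value; all three are assumptions.

```go
package main

import (
	"context"
	"fmt"
	"sync"
	"time"
)

// RDS IAM auth tokens are valid for 15 minutes; refresh early so a token handed to a new connection is never about to expire.
const tokenTTL, refreshMargin = 15 * time.Minute, 2 * time.Minute
// IAMPassword caches the latest token and regenerates it on demand; the mutex makes it safe for a pool's concurrent connection attempts.
type IAMPassword struct {
	// Source builds a fresh token: rdsutils.BuildAuthToken wrapped in a closure capturing endpoint, region, DB user and credentials.
	Source func(ctx context.Context) (string, error)
	mu     sync.Mutex
	token  string
	expiry time.Time
}

// Get returns the cached token, or a fresh one once it is within refreshMargin of expiry.
func (p *IAMPassword) Get(ctx context.Context) (string, error) {
	p.mu.Lock()
	defer p.mu.Unlock()
	if p.token != "" && time.Now().Before(p.expiry.Add(-refreshMargin)) {
		return p.token, nil
	}
	tok, err := p.Source(ctx)
	if err != nil || tok == "" {
		return "", fmt.Errorf("building IAM auth token (empty=%t): %v", tok == "", err)
	}
	p.token, p.expiry = tok, time.Now().Add(tokenTTL)
	return tok, nil
}

// ConnConfig is a stand-in (assumption) for pgx.ConnConfig; only Password matters here.
type ConnConfig struct{ Password string }

// BeforeConnect matches the hook shape pgxpool expects, func(context.Context, *pgx.ConnConfig) error, and injects the current token as the password for each new connection (left empty on error, so the connect fails).
func (p *IAMPassword) BeforeConnect(ctx context.Context, cfg *ConnConfig) (err error) {
	cfg.Password, err = p.Get(ctx)
	return err
}
func main() { // constructed stand-in source; real code would call rdsutils.BuildAuthToken here
	p := &IAMPassword{Source: func(context.Context) (string, error) { return "token-1", nil }}
	cfg := new(ConnConfig)
	err := p.BeforeConnect(context.Background(), cfg)
	fmt.Println(err, cfg.Password)
}
```

With a real pgxpool config you would set `poolConfig.BeforeConnect = p.BeforeConnect` (adapting the parameter type to `*pgx.ConnConfig`), so every new connection in the pool picks up a current token while existing connections keep running.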
It looks like the postgres library supports an environment variable that specifies a password file whose value is read at connection time. If that's right then one way of using IAM database authentication today for a SpiceDB Postgres datastore is to run a script that rewrites the file at an interval appropriate for keeping credentials valid. Maybe some people might prefer the service file over the password file.
Any updates on this?