
Support Postgres IAM authentication or password rotation

Open dkrutsko opened this issue 4 years ago • 1 comments

As far as I can tell, the only way to connect to the PostgreSQL backend is by using a non-expiring password. Since we're using Amazon RDS, I would like the ability for Boundary to support IAM-authenticated database access. Essentially, the idea is that connections would persist; however, upon opening new connections to the backend database, Boundary would request a new authentication token from AWS, at most every 15 minutes, since that's how often these authentication tokens last.

Alternatively, maybe some kind of integration with Vault would be nice. That is, supporting Vault in the configuration file to retrieve the database password and update it when it changes. That would allow us to at least rotate the password every now and then without having to restart the Boundary controller.

dkrutsko, Dec 02 '21 15:12

I'm about to test it, but it might actually be already possible. Boundary supports

Either URL can refer to a file on disk (file://) from which a URL will be read

in the url field.


Related: https://github.com/janikgar/boundary-chart/tree/d3dabbb8d5df487471708a6701aaf10336e9d2b2

wokalski, Apr 02 '22 16:04
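
Added example, not part of the thread and not Boundary's own code: a sketch of the helper a sidecar could use to turn a short-lived RDS IAM token into the connection URL file that the `file://` option would read. The host, user, database name and token below are constructed; a real token would come from `aws rds generate-db-auth-token`, and whether Boundary re-reads the file for new connections is the untested assumption from the comment above.

```python
import os
import tempfile
from urllib.parse import quote

TOKEN_LIFETIME_SECONDS = 15 * 60  # token lifetime stated in the issue

# Constructed sample in the general shape of an RDS IAM token (not a real one).
SAMPLE_TOKEN = ("db.example.internal:5432/?Action=connect&DBUser=boundary"
                "&X-Amz-Expires=900&X-Amz-Signature=abc%2Fdef")


def build_postgres_url(host, port, user, token, dbname):
    """Return a postgresql:// URL carrying the token as the password."""
    # The token is a signed query string full of '/', '&', '=', ':' and '%'.
    # Left unencoded it would be parsed as part of the URL, so encode it all.
    # IAM database authentication requires TLS, hence sslmode.
    return "postgresql://{}:{}@{}:{}/{}?sslmode=verify-full".format(
        quote(user, safe=""), quote(token, safe=""),
        host, port, quote(dbname, safe=""))


def write_url_file(path, url):
    """Atomically replace `path` with `url`, readable by the owner only."""
    directory = os.path.dirname(os.path.abspath(path))
    # mkstemp creates the file with mode 0600; writing it in the target
    # directory keeps os.replace() an atomic rename on the same filesystem,
    # so a reader never sees a half-written or empty URL.
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".dburl-")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(url + "\n")
            fh.flush()
            os.fsync(fh.fileno())
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return path


if __name__ == "__main__":
    url = build_postgres_url("db.example.internal", 5432, "boundary",
                             SAMPLE_TOKEN, "boundary")
    print(write_url_file(os.path.join(tempfile.mkdtemp(), "db_url"), url))
```

A refresh loop would call these two functions well inside `TOKEN_LIFETIME_SECONDS`, so the file never holds an expired token.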