documentation icon indicating copy to clipboard operation
documentation copied to clipboard
verified publisher icon strapi

Dynamic database credentials with RDS IAM DB authentication

Open tokyowizard opened this issue 2 years ago • 12 comments

Bug report

Required System information

  • Node.js version: v16
  • NPM version: 8.5.0
  • Strapi version: 4.2.2
  • Database: PostgreSQL
  • Operating system: Alpine
  • Is your project Javascript or Typescript: Typescript

Describe the bug

Could Strapi include exposing the expirationChecker function in the database connection configuration?

We have an Amazon RDS for PostgreSQL instance for our Strapi database. We would like to use IAM database authentication for PostgreSQL, where we can generate a password token that is good for 15 minutes to login to the database, instead using a fixed password. Strapi is using Knex to connect to the database. Knex has implemented an expirationChecker function to check if the token has expired. See also expirationChecker in the connection config: [1] [2]

Steps to reproduce the behavior

  1. Be able to include expirationChecker in the connection parameters (or some setting) to be able to generate AWS IAM DB tokens to connect to the database.

Expected behavior

Be able to use AWS IAM DB authentication to generate a password token to update the password before connection.

Screenshots

N/A

Code snippets

N/A

Additional context

N/A

tokyowizard avatar Jul 07 '23 01:07 tokyowizard

If I am correct the data inside the strapi db config is given directly to knex.

Aka this should already be posible but not documented

I am not sure since I did not test this.

Boegie19 avatar Jul 08 '23 16:07 Boegie19

Thank you for the reply! Yes, it's working with IAM DB auth. 👍

tokyowizard avatar Jul 14 '23 08:07 tokyowizard

Ticket needs to be moved to documentation since we should improve the documentation on this.

Boegie19 avatar Jul 14 '23 09:07 Boegie19

Ticket needs to be moved to documentation since we should improve the documentation on this.

I can move it, can you explain in a couple of sentences what documentation improvements you're expecting please?

joshuaellis avatar Jul 14 '23 09:07 joshuaellis

We need to document better that we give everything given to the database file is given to knex. and link to knex its documentation for it. so that it is more clear what people that they can use all knex fetures

Boegie19 avatar Jul 14 '23 09:07 Boegie19

@tokyowizard Hello! I'm hoping for some help here please! I'm trying to implement the same approach using aws iam database auth for postgresql but it looks like knex requires a function as the database connection config in order to use the custom expirationChecker function. When I use a function for the strapi database connection config, I get an error on startup TypeError: Cannot read properties of undefined (reading 'schema') from this code block

How exactly were you able to get the expirationChecker behavior working? If possible, can you please include an example of the database connection config?

Thanks

evan-thinksync avatar Oct 02 '23 13:10 evan-thinksync

@evan-thinksync TS config for this one is wrong. if you ignore the TS warning it should work.

Boegie19 avatar Oct 02 '23 13:10 Boegie19

@Boegie19 I'm new to js/ts, how would I ignore the TS warning inside of the strapi/database/lib/connection.js file? return Object.assign(knexInstance, { getSchemaName() { return this.client.connectionSettings.schema; }, }); connectionSettings is undefined here when using a function for strapi's database.connection.connection config

evan-thinksync avatar Oct 03 '23 10:10 evan-thinksync

+1 for this documentation. I'm able to authenticate Strapi to the database with an IAM token, but content manager is inaccessible after the token expires. I get the same error as @evan-thinksync when I attempt to pass expirationChecker into the configuration.

isxbot avatar Feb 27 '24 17:02 isxbot