PG::AWS_RDS_IAM
is a plugin for the pg
gem that adds support for IAM authentication when connecting to PostgreSQL databases hosted in Amazon RDS.
IAM authentication allows your application to connect to the database using secure, short-lived authentication tokens instead of a fixed password. This gives you greater security and eliminates the operational overhead of rotating passwords.
Install manually:
$ gem install pg-aws_rds_iam
or with Bundler:
$ bundle add pg-aws_rds_iam
To use IAM authentication for your database connections, you need to
- enable IAM authentication for your database,
- provide your application with IAM credentials, and
- configure your application to generate authentication tokens.
Start by configuring your database to allow IAM authentication using either the AWS console or the aws
CLI.
This doesn't require downtime so is safe to apply immediately, unless you already have pending modifications that require a database reboot.
Next, grant your database user the rds_iam
role.
The most secure way to grant your application permission to connect to your database is to use an IAM role.
Start by creating a service role if your application doesn't already have one.
Then, create an IAM policy granting the rds-db:connect
permission and attach it to the role.
If you've created a new service role, you'll need to associate it with your application. The way to do this depends on where you are running your application:
- for EC2 instances, set up an instance profile;
- for EKS pods, associate the IAM role with a Kubernetes service account;
- for ECS tasks, configure a task role; or
- for Lambda functions, set the execution role.
If you can't use a service role, then you can grant the permissions to an IAM user instead and supply the application with their access key through a configuration profile or via the AWS_ACCESS_KEY_ID
and AWS_SECRET_ACCESS_KEY
environment variables.
However, you won't get the full security and operational benefits of RDS IAM authentication, because the access key is a long-lived secret that you need to supply to the application securely and rotate periodically.
You can use PG::AWS_RDS_IAM
's default authentication token generator if you are using a service role as described above, or if you configure your application using the standard AWS ways to provide credentials and region.
To use the default authentication token generator, set the aws_rds_iam_auth_token_generator
connection parameter to default
.
You can set this parameter in
-
the query string of a connection URI:
postgresql://andrew@postgresql.example.com:5432/blog?aws_rds_iam_auth_token_generator=default
-
a
key=value
pair in a connection string:user=andrew host=postgresql.example.com port=5432 dbname=blog aws_rds_iam_auth_token_generator=default
-
a
key: value
pair in a connection hash:PG.connect( user: "andrew", host: "postgresql.example.com", port: 5432, dbname: "blog", aws_rds_iam_auth_token_generator: "default" )
-
database.yml
, if you're using Rails:production: adapter: postgresql username: andrew host: postgresql.example.com port: 5432 database: blog aws_rds_iam_auth_token_generator: default
If the default authentication token generator doesn't meet your needs, you can register an alternative with
PG::AWS_RDS_IAM.auth_token_generators.add :custom do
PG::AWS_RDS_IAM::AuthTokenGenerator.new(credentials: "...", region: "...")
end
To use this alternative authentication token generator, set the aws_rds_iam_auth_token_generator
connection parameter to the name you registered it with (custom
, in this example).
The block you give to add
must construct and return the authentication token generator, which can either be an instance of PG::AWS_RDS_IAM::AuthTokenGenerator
or another object that returns a string token in response to call(host:, port:, user:)
.
The block will be called once, when the first token is generated, and the returned authentication token generator will be re-used to generate all future tokens.
After checking out the repo, run bin/setup
to install dependencies.
Then, run bin/rake
to run the tests.
You can also run bin/console
for an interactive prompt that will allow you to experiment.
To install this gem onto your local machine, run bin/rake install
.
To release a new version, update the version number in version.rb
, and then run bin/rake release
, which will create a git tag for the version, push git commits and tags, and push the .gem
file to rubygems.org.
Bug reports and pull requests are welcome on GitHub. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the code of conduct.
The gem is available as open source under the terms of the MIT License.