Support RDS IAM authentication #106

Closed
dudicoco opened this issue Oct 15, 2022 · 4 comments · May be fixed by #186
Labels
enhancement New feature or request

Comments

@dudicoco

Hi,

It seems that currently RDS IAM authentication for mysql/postgresql users is not possible with the provider.

Here are the official docs: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.DBAccounts.html

For mysql it is necessary to set AWSAuthenticationPlugin when creating the user.

For postgresql the user must be granted the rds_iam role.

This is possible with the Terraform providers:
https://registry.terraform.io/providers/bangau1/mysql/latest/docs/resources/user
https://registry.terraform.io/providers/cyrilgdn/postgresql/latest/docs/resources/postgresql_grant_role

@dudicoco dudicoco added the enhancement New feature or request label Oct 15, 2022
@ntdt

ntdt commented Feb 1, 2023

The rds_iam role could not be referenced because of the unauthorized character _ in the metadata.name, so it is impossible to grant the rds_iam membership to a new role.

```yaml
apiVersion: postgresql.sql.crossplane.io/v1alpha1
kind: Role
metadata:
  name: rds_iam
spec:
  forProvider:
    privileges:
      login: false
      inherit: true
```

will fail with error

```
Role.postgresql.sql.crossplane.io "rds_iam" is invalid: metadata.name: Invalid value: "rds_iam": a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*')
```

@AdamRussak

Hi,
I want to add the AWSAuthenticationPlugin to MySQL.

Would someone be able to point me to / guide me?
I'm good with Go but haven't contributed here yet :)

cten added a commit to fortra-cloudops-platform/provider-sql that referenced this issue Jun 18, 2024
cten added a commit to fortra-cloudops-platform/provider-sql that referenced this issue Jul 1, 2024
@tenitski

This works for RDS IAM auth:

```yaml
apiVersion: postgresql.sql.crossplane.io/v1alpha1
kind: ProviderConfig
metadata:
  name: default
spec:
  defaultDatabase: example
  sslMode: require
  credentials:
    source: PostgreSQLConnectionSecret
    connectionSecretRef:
      namespace: default
      name: example-secret
---
apiVersion: postgresql.sql.crossplane.io/v1alpha1
kind: Role
metadata:
  name: examplerole
  annotations:
    crossplane.io/external-name: "you_can_also_have_underscores_in_role_name"
spec:
  forProvider:
    privileges:
      login: true
---
apiVersion: postgresql.sql.crossplane.io/v1alpha1
kind: Grant
metadata:
  name: mainrole
spec:
  forProvider:
    memberOf: exampleuser
    roleRef:
      name: examplerole
---
apiVersion: postgresql.sql.crossplane.io/v1alpha1
kind: Grant
metadata:
  name: iamrole
spec:
  forProvider:
    memberOf: rds_iam
    roleRef:
      name: examplerole
```
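
Added example, not part of the thread and not provider-sql code: a Go sketch that ties the two comments above together by deriving an RFC 1123-valid `metadata.name` from a PostgreSQL role name containing underscores, keeping the real name in `crossplane.io/external-name`, and emitting the matching `rds_iam` Grant. The helper name `IAMRoleManifests`, the `-rds-iam` Grant suffix and the sample role `app_reader` are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Validation regex quoted in the API server error in this thread, anchored.
var rfc1123 = regexp.MustCompile(`^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$`)
var invalid = regexp.MustCompile(`[^a-z0-9.-]+`)

const tmpl = `apiVersion: postgresql.sql.crossplane.io/v1alpha1
kind: Role
metadata:
  name: %[1]s
  annotations:
    crossplane.io/external-name: %[2]q
spec:
  forProvider:
    privileges:
      login: true
---
apiVersion: postgresql.sql.crossplane.io/v1alpha1
kind: Grant
metadata:
  name: %[1]s-rds-iam
spec:
  forProvider:
    memberOf: rds_iam
    roleRef:
      name: %[1]s
`

// IAMRoleManifests (hypothetical helper) maps pgRole to a valid metadata.name and
// renders the Role plus its rds_iam Grant. Lowercasing can make distinct roles collide.
func IAMRoleManifests(pgRole string) (name, yaml string, err error) {
	n := strings.Trim(invalid.ReplaceAllString(strings.ToLower(pgRole), "-"), "-.")
	if len(n) > 253-len("-rds-iam") || !rfc1123.MatchString(n) {
		return "", "", fmt.Errorf("cannot derive metadata.name from %q", pgRole)
	}
	return n, fmt.Sprintf(tmpl, n, pgRole), nil
}

func main() {
	if _, out, err := IAMRoleManifests("app_reader"); err == nil { // constructed sample
		fmt.Print(out)
	}
}
```
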

@Duologic
Member

Considering the last answer, it seems that this is solved.
