Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Dynamic database credentials with RDS IAM DB authentication #1789

Open
tokyowizard opened this issue Jul 7, 2023 · 9 comments
Open

Dynamic database credentials with RDS IAM DB authentication #1789

tokyowizard opened this issue Jul 7, 2023 · 9 comments
Assignees
Labels
issue: docs/instructions Issues about incorrect instructions found on docs.strapi.io severity: low If the issue only affects a very niche base of users and an easily implemented workaround can solve

Comments

@tokyowizard
Copy link

Bug report

Required System information

  • Node.js version: v16
  • NPM version: 8.5.0
  • Strapi version: 4.2.2
  • Database: PostgreSQL
  • Operating system: Alpine
  • Is your project Javascript or Typescript: Typescript

Describe the bug

Could Strapi include exposing the expirationChecker function in the database connection configuration?

We have an Amazon RDS for PostgreSQL instance for our Strapi database.
We would like to use IAM database authentication for PostgreSQL, where we can generate a password token that is good for 15 minutes to login to the database, instead using a fixed password.
Strapi is using Knex to connect to the database.
Knex has implemented an expirationChecker function to check if the token has expired. See also expirationChecker in the connection config: [1] [2]

Steps to reproduce the behavior

  1. Be able to include expirationChecker in the connection parameters (or some setting) to be able to generate AWS IAM DB tokens to connect to the database.

Expected behavior

Be able to use AWS IAM DB authentication to generate a password token to update the password before connection.

Screenshots

N/A

Code snippets

N/A

Additional context

N/A

@Boegie19
Copy link
Contributor

Boegie19 commented Jul 8, 2023

If I am correct the data inside the strapi db config is given directly to knex.

Aka this should already be posible but not documented

I am not sure since I did not test this.

@joshuaellis joshuaellis added issue: bug severity: low If the issue only affects a very niche base of users and an easily implemented workaround can solve status: pending reproduction Waiting for free time to reproduce the issue, or more information labels Jul 12, 2023
@tokyowizard
Copy link
Author

Thank you for the reply! Yes, it's working with IAM DB auth. 👍

@Boegie19
Copy link
Contributor

Ticket needs to be moved to documentation since we should improve the documentation on this.

@Boegie19 Boegie19 reopened this Jul 14, 2023
@joshuaellis
Copy link
Contributor

Ticket needs to be moved to documentation since we should improve the documentation on this.

I can move it, can you explain in a couple of sentences what documentation improvements you're expecting please?

@Boegie19
Copy link
Contributor

We need to document better that we give everything given to the database file is given to knex. and link to knex its documentation for it.
so that it is more clear what people that they can use all knex fetures

@joshuaellis joshuaellis transferred this issue from strapi/strapi Jul 14, 2023
@joshuaellis joshuaellis added issue: doc request Issues that require adding new content, possibly with some prior research and removed status: pending reproduction Waiting for free time to reproduce the issue, or more information issue: bug labels Jul 14, 2023
@evan-thinksync
Copy link

@tokyowizard Hello! I'm hoping for some help here please! I'm trying to implement the same approach using aws iam database auth for postgresql but it looks like knex requires a function as the database connection config in order to use the custom expirationChecker function. When I use a function for the strapi database connection config, I get an error on startup TypeError: Cannot read properties of undefined (reading 'schema') from this code block

How exactly were you able to get the expirationChecker behavior working? If possible, can you please include an example of the database connection config?

Thanks

@Boegie19
Copy link
Contributor

Boegie19 commented Oct 2, 2023

@evan-thinksync TS config for this one is wrong. if you ignore the TS warning it should work.

@evan-thinksync
Copy link

evan-thinksync commented Oct 3, 2023

@Boegie19 I'm new to js/ts, how would I ignore the TS warning inside of the strapi/database/lib/connection.js file?
return Object.assign(knexInstance, { getSchemaName() { return this.client.connectionSettings.schema; }, }); connectionSettings is undefined here when using a function for strapi's database.connection.connection config

@pwizla pwizla added issue: docs/instructions Issues about incorrect instructions found on docs.strapi.io and removed issue: doc request Issues that require adding new content, possibly with some prior research labels Oct 18, 2023
@pwizla pwizla self-assigned this Oct 18, 2023
@isxbot
Copy link

isxbot commented Feb 27, 2024

+1 for this documentation. I'm able to authenticate Strapi to the database with an IAM token, but content manager is inaccessible after the token expires. I get the same error as @evan-thinksync when I attempt to pass expirationChecker into the configuration.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
issue: docs/instructions Issues about incorrect instructions found on docs.strapi.io severity: low If the issue only affects a very niche base of users and an easily implemented workaround can solve
Projects
None yet
Development

No branches or pull requests

7 participants