Initial pass adding AWS IAM Authentication #1263

matt-domsch-sp · matt-domsch-sp · commit 6e09c67db4e8 · 2024-11-10T19:59:11.000-05:00
This adds AWS IAM authentication as a replacement for defining a password in the configuration. When the configuration option :use_iam_credentials = true, an authentication token (password) will be fetched from IAM and cached for the next 14 minutes (tokens expire in 15 minutes). These can then be reused by all new connections until it expires, at which point a new token will be fetched when next needed. To allow for multiple Mysql2::Client configurations to multiple servers, the cache is keyed by database username, host name, port, and region. Two new configuration options are necessary: - :use_iam_credentials = true - :host_region is a string region name, e.g. 'us-east-1'. If not set, ENV['AWS_REGION'] will be used. If this is not present, authenticaiton will fail. As prerequisites, you must enable IAM authentication on the RDS instance, create an IAM policy, attach the policy to the target IAM user or role, create the database user set to use the AWS Authentication Plugin, and then run your ruby code using that user or role. See https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.Connecting.html for details on these steps.
diff --git a/README.md b/README.md
@@ -284,8 +284,10 @@ Mysql2::Client.new(
   :get_server_public_key = true/false,
   :default_file = '/path/to/my.cfg',
   :default_group = 'my.cfg section',
-  :default_auth = 'authentication_windows_client'
-  :init_command => sql
+  :default_auth = 'authentication_windows_client',
+  :init_command => sql,
+  :use_iam_authentication => true/false,
+  :host_region,
   )
 ```
 
@@ -348,6 +350,30 @@ When secure_auth is enabled, the server will refuse a connection if the account
 The MySQL 5.6.5 client library may also refuse to attempt a connection if provided an older format password.
 To bypass this restriction in the client, pass the option `:secure_auth => false` to Mysql2::Client.new().
 
+### AWS IAM Authentication
+
+You may use AWS IAM Authentication instead of setting a password in
+the configuration.  A temporary token used in place of the password
+will be fetched as necessary and used for connections until it
+expires.  The value for :host_region will either use the one provided,
+or if not provided, the environment variable AWS_REGION.
+
+| `:use_iam_authentication` | true                                 |
+| ---                       | ---                                  |
+| `:username`               | The database username configured to use IAM Authentication |
+| `:host`                   | The database host |
+| `:port`                   | The database port |
+| `:host_region`            | An AWS region name, e.g. `us-east-1` |
+
+As prerequisites, you must enable IAM authentication on the RDS
+instance, create an IAM policy, attach the policy to the target IAM
+user or role, create the database user set to use the AWS
+Authentication Plugin, and then run your ruby code using that IAM user or
+role.  See
+[AWS documentation](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.Connecting.html)
+for details on these steps.
+
+
 ### Flags option parsing
 
 The `:flags` parameter accepts an integer, a string, or an array. The integer
diff --git a/lib/mysql2/aws_iam_auth.rb b/lib/mysql2/aws_iam_auth.rb
@@ -0,0 +1,60 @@
+require 'singleton'
+require 'aws-sdk-rds'
+
+module Mysql2
+  class AwsTokenAuth
+    include Singleton
+
+    # Tokens are valid for up to 15 minutes.
+    # We will assume ours expire in 14 minutes to be safe.
+    TOKEN_EXPIRES_IN = (60*14) # 14 minutes
+
+    def initialize
+      @mutex = Mutex.new
+      # Key identifies a unique set of authentication parameters
+      # Value is a Hash
+      # :password is the token value
+      # :expires_at is (just before) the token was generated plus 14 minutes
+      @passwords = {}
+      @generator = Aws::RDS::AuthTokenGenerator.new
+    end
+
+    def password(user, host port, opts)
+      params = to_params(user, host, port, opts)
+      key = key_from_params(params)
+      passwd = nil
+      AwsTokenAuth.instance.mutex.synchronize do
+        begin
+          if @passwords[key][:password] && Time.now.utc < @passwords[key][:expires_at]
+            passwd = @passwords[key][:password]
+          end
+        rescue KeyError
+        end
+      end
+      if passwd return passwd
+
+      AwsTokenAuth.instance.mutex.synchronize do
+        @passwords[key] = {}
+        @passwords[key][:expires_at] = Time.now.utc + TOKEN_EXPIRES_IN
+        @passwords[key][:password] = password_from_iam(params)
+      end
+    end
+
+    def password_from_iam(params)
+      @generator.auth_token(params)
+    end
+
+    def to_params(user, host, port, opts)
+      params = {}
+      params[:region] = opts[:host_region] || ENV['AWS_REGION']
+      params[:endpoint] = "#{host}:#{port}"
+      params[:user_name] = user
+      params
+    end
+
+    def key_from_params(params)
+      return "#{params[:user_name]}/#{params[:endpoint]}/#{params[:region]}"
+    end
+
+  end
+end
diff --git a/lib/mysql2/client.rb b/lib/mysql2/client.rb
@@ -94,6 +94,11 @@ def initialize(opts = {})
       socket = socket.to_s unless socket.nil?
       conn_attrs = parse_connect_attrs(opts[:connect_attrs])
 
+      if opts[:use_iam_authentication]
+        aws = Mysql2::AwsTokenAuth.new
+        pass = aws.password(user, host, port, opts)
+      end
+
       connect user, pass, host, port, database, socket, flags, conn_attrs
     end
 
diff --git a/mysql2.gemspec b/mysql2.gemspec
@@ -24,4 +24,5 @@ Mysql2::GEMSPEC = Gem::Specification.new do |s|
   s.metadata['msys2_mingw_dependencies'] = 'libmariadbclient'
 
   s.add_runtime_dependency 'bigdecimal'
+  s.add_runtime_dependency 'aws-sdk-rds'
 end
