Hi folks, we are planning to use temporal with postgreSQL in AWS RDS, however we would like to know if it will be possible for temporal to use IAM authentication rather than regular (user+password) by implementing some sort of hook (plugin) for authentication?
4 Likes
Hi! We are running in the same problem and looking for a way to resolve a IAM token to use it as password.
Did anyone find a solution for this?
is this for the temporal web/ui? or for the temporal server to worker communication??
Hey, this is for temporal-server to database communication.
In our case the database is a aws aurora postgres and we want to enable the iam token authentication.
Our security policy forbids using username/password configurations.
i see. thanks for clarification…Sorry iam not aware of how to get this done…
Basically what we would need is to extract the database authentication as a plugin, keeping the existing user/password mechanism as default.
In that way we could basically write a function to plug the new authentication mechanism, which will use the AWS SDK to generate a token as the password.
In the case of AWS RDS IAM Authentication, is also crucial to refresh the connection pool with a new token every ~15min.
Yes, a plugin mechanism would be great!
I saw this PR Add RDS IAM auth plugin for SQL drivers by gnz00 · Pull Request #2830 · temporalio/temporal · GitHub but the issue there was that the connection pool didn’t refresh as I understood from Temporal servers crashes once the aws token session is expired · Issue #3077 · temporalio/temporal · GitHub
Is it a correct understanding that temporal currently doesn’t support IAM based authentication RDS?
If so, any suggested work around if IAM based auth is required for security requirements?
You are correct, there was a community contribution for it but unfortunately was not added to a released due to found issues. See more info here.
Is there any plan to add this feature?