
Add support for DSQL iam authentication #919

Open
wants to merge 16 commits into
base: main

leszek-bq
Contributor

Summary

Add support for DSQL iam authentication

Description

  • Created token_utils base class and specific implementation of token generation code for DSQL
  • Moved the token generation code from the /utils/iam_utils.py to rds specific token_utils implementation
  • Added a parameter to IamAuthPlugin constructor for the new token_utils and updated the corresponding IamAuthPluginFactory
  • Created a new DsqlIamAuthPluginFactory
  • Added example docs/examples/DSQLIamAuthentication.py

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@leszek-bq leszek-bq changed the title from "WIP Add support for DSQL iam authentication" to "Add support for DSQL iam authentication" on Jul 22, 2025

## Prerequisites
> [!WARNING]\
> To preserve compatibility with customers using the community driver, IAM Authentication requires the AWS SDK for Python; [Boto3](https://pypi.org/project/boto3/). Boto3 is a runtime dependency and must be resolved. It can be installed via pip like so: `pip install boto3`.

Contributor

Suggested change
> To preserve compatibility with customers using the community driver, IAM Authentication requires the AWS SDK for Python; [Boto3](https://pypi.org/project/boto3/). Boto3 is a runtime dependency and must be resolved. It can be installed via pip like so: `pip install boto3`.
> To preserve compatibility with customers using the community driver, IAM Authentication requires the AWS SDK for Python, [Boto3](https://pypi.org/project/boto3/). Boto3 is a runtime dependency and must be resolved. It can be installed via pip like so: `pip install boto3`.

Contributor Author

Currently this is the same in the related file:

docs/using-the-python-driver/using-plugins/UsingTheIamAuthenticationPlugin.md

I wonder if the ';' should be changed to ':' rather than ','. It looks like we're not listing several things in this sentence but rather specifying the name of the AWS SDK for Python.

Contributor

Yeah I think ':' or ',' would make more sense


actual_token = _token_cache.get(f"{_PG_REGION}:{_PG_HOST_INFO.url}:1234:admin")
assert _GENERATED_TOKEN == actual_token.token
assert actual_token.is_expired() is False

Contributor

nit, same suggestion for the other lines with this pattern in the file:

Suggested change
assert actual_token.is_expired() is False
assert not actual_token.is_expired()

Contributor Author

Updated all the occurrences.


client.close()

logger.debug("IamAuthUtils.GeneratedNewAuthToken", token)

Same with this, we should remove it. I know it was here before, but it's not a good idea to display it as it's part of the credentials.

Contributor Author

changed to

logger.debug("TokenUtils.GeneratedNewAuthTokenLength", len(token) if token else 0)
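
A logging filter that backs up the change agreed in this thread, shown as an added example that is not part of the pull request or the driver's code: it scrubs SigV4 signature material from log records before a handler emits them, so a token passed to a debug call by mistake does not reach the sink. It uses the standard `logging` module rather than the driver's message-key logger; the logger name, the sample token and the helper names are constructed for illustration.

```python
import logging
import re

# SigV4 query parameters that carry or identify the credential.
_SENSITIVE = re.compile(r"(X-Amz-(?:Signature|Credential|Security-Token))=[^&\s]+", re.I)


def redact(text: str) -> str:
    """Replace sensitive SigV4 parameter values with a fixed marker."""
    return _SENSITIVE.sub(r"\1=<redacted>", text)


class TokenRedactingFilter(logging.Filter):
    """Backstop: scrub presigned-token material from every record."""

    def filter(self, record: logging.LogRecord) -> bool:
        # Render msg % args first so tokens passed as arguments are covered.
        record.msg = redact(record.getMessage())
        record.args = None
        return True


class ListHandler(logging.Handler):
    """Collects emitted messages so the demo can inspect them."""

    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(self.format(record))


def demo():
    # Constructed token in the presigned-URL shape; not a real credential.
    token = ("db.example.internal:5432/?Action=connect&DBUser=admin"
             "&X-Amz-Algorithm=AWS4-HMAC-SHA256"
             "&X-Amz-Credential=EXAMPLEKEYID%2F20250724%2Fus-east-1"
             "&X-Amz-Expires=900&X-Amz-Signature=0123abcd")
    handler = ListHandler()
    handler.addFilter(TokenRedactingFilter())
    log = logging.getLogger("token_demo")
    log.setLevel(logging.DEBUG)
    log.propagate = False
    log.handlers = [handler]
    log.debug("Generated new auth token: %s", token)  # pattern under review
    log.debug("Generated token length: %d", len(token))  # length only
    return token, handler.lines
```

The filter is attached to the handler, so it applies to every record that handler emits, whichever logger the record came from.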

@leszek-bq
Contributor Author

Update to e1503c9 rebases to include the #920

@danielfrankcom danielfrankcom dismissed their stale review July 24, 2025 18:44

Comments have been addressed

8 participants