apache/airflow
Voir sur GitHubAllow backend DB to authenticate using temporary tokens
Open
#30 368 ouverte le 30 mars 2023
area:coregood first issuekind:feature
Métriques du dépôt
- Stars
- (44 809 stars)
- Métriques de merge PR
- (Merge moyen 7j 18h) (834 PRs mergées en 30 j)
Description
Description
Based on this discussion. Currrently there is no way to use token identity to authenticate with amazon RDS without a fairly significant change to the helm charts and airflow code.
I will implement this functionality and add the helm options as:
externalDatabase:
type: postgres
host: airflow-cluster.<uniqueId>.us-east-1.rds.amazonaws.com
## the port of the external database
##
port: 5432
## the database/scheme to use within the external database
##
database: airflow
## the username for the external database
##
user: airflow
awsRdsTokenIdentity:
enabled: true
region: us-east-1
connectionExpirySeconds: 600
And use sqlalchemy envents to provide the token.
def amend_connection(cparams):
if conf.getboolean("database", "use_aws_token_identity"):
log.info(f'connecting user {cparams["user"]} to {cparams["host"]}:{cparams["host"]} using pod identity')
client = boto3.client(
"rds",
region_name=conf.get_mandatory_value("database", "aws_region"),
)
token = client.generate_db_auth_token(
DBHostname=cparams["host"],
Port=cparams["port"],
DBUsername=cparams["user"],
)
cparams["password"] = token
else:
log.info(f'connecting {cparams["user"]} using user/password')
@event.listens_for(engine, "do_connect")
def provide_token(dialect, conn_rec, cargs, cparams):
amend_connection(cparams)
Use case/motivation
Temporary credentials are a security feature generally required secops and a general good practice these days, so it makes sense for me to support them.
Related issues
No response
Are you willing to submit a PR?
- Yes I am willing to submit a PR!
Code of Conduct
- I agree to follow this project's Code of Conduct