apache/airflow
Vedi su GitHubAllow backend DB to authenticate using temporary tokens
Open
#30.368 aperta il 30 mar 2023
area:coregood first issuekind:feature
Metriche repository
- Star
- (44.809 star)
- Metriche merge PR
- (Merge medio 7g 18h) (834 PR mergiate in 30 g)
Descrizione
Description
Based on this discussion. Currrently there is no way to use token identity to authenticate with amazon RDS without a fairly significant change to the helm charts and airflow code.
I will implement this functionality and add the helm options as:
externalDatabase:
type: postgres
host: airflow-cluster.<uniqueId>.us-east-1.rds.amazonaws.com
## the port of the external database
##
port: 5432
## the database/scheme to use within the external database
##
database: airflow
## the username for the external database
##
user: airflow
awsRdsTokenIdentity:
enabled: true
region: us-east-1
connectionExpirySeconds: 600
And use sqlalchemy envents to provide the token.
def amend_connection(cparams):
if conf.getboolean("database", "use_aws_token_identity"):
log.info(f'connecting user {cparams["user"]} to {cparams["host"]}:{cparams["host"]} using pod identity')
client = boto3.client(
"rds",
region_name=conf.get_mandatory_value("database", "aws_region"),
)
token = client.generate_db_auth_token(
DBHostname=cparams["host"],
Port=cparams["port"],
DBUsername=cparams["user"],
)
cparams["password"] = token
else:
log.info(f'connecting {cparams["user"]} using user/password')
@event.listens_for(engine, "do_connect")
def provide_token(dialect, conn_rec, cargs, cparams):
amend_connection(cparams)
Use case/motivation
Temporary credentials are a security feature generally required secops and a general good practice these days, so it makes sense for me to support them.
Related issues
No response
Are you willing to submit a PR?
- Yes I am willing to submit a PR!
Code of Conduct
- I agree to follow this project's Code of Conduct