apache/airflow
Ver no GitHubAllow backend DB to authenticate using temporary tokens
Open
#30.368 aberto em 30 de mar. de 2023
area:coregood first issuekind:feature
Métricas do repositório
- Stars
- (44.809 stars)
- Métricas de merge de PR
- (Mesclagem média 7d 18h) (834 fundiu PRs em 30d)
Description
Description
Based on this discussion. Currrently there is no way to use token identity to authenticate with amazon RDS without a fairly significant change to the helm charts and airflow code.
I will implement this functionality and add the helm options as:
externalDatabase:
type: postgres
host: airflow-cluster.<uniqueId>.us-east-1.rds.amazonaws.com
## the port of the external database
##
port: 5432
## the database/scheme to use within the external database
##
database: airflow
## the username for the external database
##
user: airflow
awsRdsTokenIdentity:
enabled: true
region: us-east-1
connectionExpirySeconds: 600
And use sqlalchemy envents to provide the token.
def amend_connection(cparams):
if conf.getboolean("database", "use_aws_token_identity"):
log.info(f'connecting user {cparams["user"]} to {cparams["host"]}:{cparams["host"]} using pod identity')
client = boto3.client(
"rds",
region_name=conf.get_mandatory_value("database", "aws_region"),
)
token = client.generate_db_auth_token(
DBHostname=cparams["host"],
Port=cparams["port"],
DBUsername=cparams["user"],
)
cparams["password"] = token
else:
log.info(f'connecting {cparams["user"]} using user/password')
@event.listens_for(engine, "do_connect")
def provide_token(dialect, conn_rec, cargs, cparams):
amend_connection(cparams)
Use case/motivation
Temporary credentials are a security feature generally required secops and a general good practice these days, so it makes sense for me to support them.
Related issues
No response
Are you willing to submit a PR?
- Yes I am willing to submit a PR!
Code of Conduct
- I agree to follow this project's Code of Conduct