AWS.RDS.signer + Connection pooling ? #1017
You can change the order and generate token at the time auth switch request is handled, something like this:

```js
const createPool = () =>
  mysql.createPool({
    host: '...',
    port: '...',
    user: '...',
    database: '...',
    password: token,
    ssl: 'Amazon RDS',
    authSwitchHandler: (data, cb) => {
      if (data.pluginName === 'mysql_clear_password') {
        signer.getAuthToken(
          {
            region: '...',
            hostname: '...',
            port: '...',
            username: '...'
          },
          (err, token) => {
            if (err) {
              cb(err);
            } else {
              cb(null, Buffer.from(token + '\0'));
            }
          }
        );
      } else {
        cb(new Error(`Authentication method ${data.pluginName} is not supported`));
      }
    }
  });
```

Note that I'm going to deprecate future api will look like this (not released yet, just heads up: )

```js
const pool = mysql.createPool({
  host: '...',
  port: '...',
  user: '...',
  database: '...',
  password: token,
  ssl: 'Amazon RDS',
  authPlugins: {
    mysql_clear_password: () => () =>
      signer
        .getAuthToken({
          region: '...',
          hostname: '...',
          port: '...',
          username: '...'
        })
        .promise()
  }
});
```
Thanks for the super fast response, and thanks for the extremely helpful advice! That is exactly what I am looking for. Much appreciated.
Need a bit of cleanup in my code, I left
Yes, you are right -- it works like a charm. (Once the password property is removed.) Thanks again, this is very helpful!
Why doesn't it work for me?
I'm using the code shared above:
@sidorares Do you have an updated version of the authPlugins code? I tried what you shared above, but it didn't work. authSwitchHandler is deprecated, so I want to avoid using that.
@awcchungster can you add logging and check if auth plugin is called at all? Also maybe try with regular connection, not sure if we pass

```js
const pool = mysql.createConnection({
  host: '...',
  port: '...',
  user: '...',
  database: '...',
  password: token,
  ssl: 'Amazon RDS',
  authPlugins: {
    mysql_clear_password: () => {
      console.log('mysql_clear_password plugin init');
      return () => {
        console.log('mysql_clear_password plugin get data');
        return signer
          .getAuthToken({
            region: '...',
            hostname: '...',
            port: '...',
            username: '...'
          })
          .promise()
      }
    }
  }
});
```
I'm using a pool config (createPool). When I run that code, I get this error. The connection was never successful.
@awcchungster what's your version of aws-sdk?
I'm on 2.678.0. It's working with your older code format, but shows the deprecation warning.
Probably version you have does not return promise wrapper with

```js
const pool = mysql.createConnection({
  host: '...',
  port: '...',
  user: '...',
  database: '...',
  password: token,
  ssl: 'Amazon RDS',
  authPlugins: {
    mysql_clear_password: () => {
      console.log('mysql_clear_password plugin init');
      return () => {
        console.log('mysql_clear_password plugin get data');
        return new Promise((accept, reject) => {
          signer.getAuthToken({
            region: '...',
            hostname: '...',
            port: '...',
            username: '...'
          }, (err, token) => {
            if (err) return reject(err)
            return accept(token)
          })
        })
      }
    }
  }
});
```
Thanks for your help btw. Both of the print lines now show up successfully.
However, I received a slightly different error:
@awcchungster your example is different from my example above. Plugin signature should be
That worked! Thanks. I really appreciate it. It would be great to have this in documentation. For my own learning, how does
I am wondering if you have any suggestions for the following situation:
I would like to use AWS.RDS.signer to generate password tokens for use in a connection pool. I have put together something like the following...
...and it works great -- but only for 15 minutes, and then the AWS token expires. At that point new connections cannot be established in the pool.
Is there any way to update the pool config options after the pool has been created, so I can keep the token fresh? Would you perhaps consider letting a function be passed as the password property, so that it can return a dynamic value at the time a connection is created? Otherwise, it really isn't practical to use the aws signer with connection pooling, as I understand it.
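
The question above turns on the 15-minute token lifetime. The following is an added example, not code from the thread or from the library: it caches the token and re-signs shortly before expiry, so the auth plugin can be invoked for every new pool connection without signing each time. `createTokenCache`, `clearPasswordPlugin`, the stub signer, the hostname and the one-minute margin are assumptions for illustration.

```javascript
const TOKEN_TTL_MS = 15 * 60 * 1000; // lifetime reported in this thread
const REFRESH_MARGIN_MS = 60 * 1000; // assumption: re-sign one minute early

function createTokenCache(signer, signerOptions, now = Date.now) {
  let token = null, expiresAt = 0;
  let waiters = null; // callbacks queued while one signing call is in flight
  return function getToken(cb) {
    if (token && now() < expiresAt - REFRESH_MARGIN_MS) return cb(null, token);
    if (waiters) return void waiters.push(cb);
    waiters = [cb];
    const requestedAt = now();
    signer.getAuthToken(signerOptions, (err, fresh) => {
      const queued = waiters;
      waiters = null;
      if (!err) { token = fresh; expiresAt = requestedAt + TOKEN_TTL_MS; }
      // Do not log the token: it is a usable credential until it expires.
      queued.forEach((w) => (err ? w(err) : w(null, fresh)));
    });
  };
}

// Two-level plugin shape as in the authPlugins snippets; NUL-terminated
// buffer as in the authSwitchHandler snippet.
function clearPasswordPlugin(getToken) {
  return () => () => new Promise((resolve, reject) => {
    getToken((err, t) => (err ? reject(err) : resolve(Buffer.from(t + '\0'))));
  });
}

// Constructed stand-in for the SDK signer so the example runs offline.
function makeStubSigner() {
  let calls = 0;
  return {
    getAuthToken(options, cb) { calls += 1; cb(null, `constructed-token-${calls}`); },
    callCount: () => calls,
  };
}

// Simulated clock: new connections at 0, 5 and 14.5 minutes.
function demo() {
  let clock = 0;
  const signer = makeStubSigner();
  const getToken = createTokenCache(signer, { hostname: 'db.example.invalid' }, () => clock);
  const seen = [];
  for (const minutes of [0, 5, 14.5]) {
    clock = minutes * 60 * 1000;
    getToken((err, t) => seen.push(t));
  }
  return { seen, signCalls: signer.callCount(), plugin: clearPasswordPlugin(getToken) };
}
```

With a real signer, the pool option would be `authPlugins: { mysql_clear_password: clearPasswordPlugin(getToken) }` and the `password` property is left out, as noted in the comments.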