From 154925714326a3ae64c2603f0dce6dc4fbcdf8b8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nuno=20G=C3=B3is?=
Date: Tue, 9 Sep 2025 12:36:44 +0100
Subject: [PATCH] chore: add verbose logs to AWS IAM auth logic, add DB access checker
---
 src/lib/db/aws-iam.ts | 7 ++++++-
 src/lib/db/db-access-checker.ts | 33 +++++++++++++++++++++++++++++++++
 src/lib/db/db-pool.ts | 7 +++++++
 src/lib/server-impl.ts | 5 +++++
 4 files changed, 51 insertions(+), 1 deletion(-)
 create mode 100644 src/lib/db/db-access-checker.ts
diff --git a/src/lib/db/aws-iam.ts b/src/lib/db/aws-iam.ts
index 97c50f48bc..143c4d8ac0 100644
--- a/src/lib/db/aws-iam.ts
+++ b/src/lib/db/aws-iam.ts
@@ -16,7 +16,12 @@ export const getDBPasswordResolver = (db: IDBOption): PasswordResolver => {
 port: db.port,
 username: db.user,
 });
- return async () => signer.getAuthToken();
+ return async () => {
+ console.log('[AWS RDS SIGNER] Getting token...');
+ const token = await signer.getAuthToken();
+ console.log(`[AWS RDS SIGNER] Got token: ${token}`);
+ return token;
+ };
 }
 return async () => db.password;
diff --git a/src/lib/db/db-access-checker.ts b/src/lib/db/db-access-checker.ts
new file mode 100644
index 0000000000..ea4e094444
--- /dev/null
+++ b/src/lib/db/db-access-checker.ts
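Review bot: The second added `console.log` in the resolver prints the full RDS auth token, which is the database password for as long as the token is valid, so anyone who can read process output or shipped logs can authenticate as `db.user` during that window. Log only that a token was obtained, for example `console.log('[AWS RDS SIGNER] Got token')`, or a non-secret property such as `token.length`. Both added lines also use `console.log` rather than a project logger, so they bypass log-level control. Log stores that already captured this line should be handled as holding credentials. getDBPasswordResolver begins above the hunk.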
@@ -0,0 +1,33 @@
+import { Client } from 'pg';
+import type { IDBOption, Logger } from '../server-impl.js';
+import { getDBPassword } from './aws-iam.js';
+
+export const dbAccessChecker = async (db: IDBOption, logger: Logger) => {
+ if (!db.awsIamAuth) return;
+
+ logger.info(
+ 'Using AWS IAM authentication for database connection. Checking DB access...',
+ );
+
+ const password = await getDBPassword(db);
+
+ const client = new Client({
+ host: db.host,
+ port: db.port,
+ user: db.user,
+ database: db.database,
+ password,
+ statement_timeout: 10_000,
+ connectionTimeoutMillis: 10_000,
+ });
+ try {
+ await client.connect();
+ await client.query('SELECT 1');
+ logger.info('DB auth/connection successful');
+ } catch (e: any) {
+ const code = e?.code ?? 'unknown';
+ throw new Error(`DB auth/connection failed (pg code: ${code})`);
+ } finally {
+ await client.end().catch(() => {});
+ }
+};
diff --git a/src/lib/db/db-pool.ts b/src/lib/db/db-pool.ts
index 244a7c7fa8..f7d55af696 100644
--- a/src/lib/db/db-pool.ts
+++ b/src/lib/db/db-pool.ts
@@ -9,6 +9,13 @@ export function createDb({
 getLogger,
 }: Pick): Knex {
 const logger = getLogger('db-pool.js');
+
+ if (db.awsIamAuth) {
+ logger.info(
+ `createDb: iam=${Boolean(db.awsIamAuth)} host=${db.host} port=${db.port} db=${db.database} user=${db.user} ssl=${Boolean(db.ssl)}`,
+ );
+ }
+
 return knex({
 client: 'pg',
 version: db.version,
diff --git a/src/lib/server-impl.ts b/src/lib/server-impl.ts
index 78c6d261bc..54b4809086 100644
--- a/src/lib/server-impl.ts
+++ b/src/lib/server-impl.ts
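Review bot: The `new Client({...})` options in `dbAccessChecker` omit `ssl`, while the db-pool.ts hunk of this patch reports `db.ssl` as part of the pool's settings, so the check may connect with different transport settings than the pool it is meant to vouch for. With IAM auth the password is a bearer token, so it should only ever be sent over TLS; pass `ssl: db.ssl` here. The `catch (e: any)` keeps only `e.code` and drops the message and stack; `catch (e: unknown)` with a narrowed code lookup and `throw new Error(..., { cause: e })` would keep the diagnosis. `getDBPassword(db)` also runs before the `try`, so a signer failure surfaces unwrapped rather than as the 'DB auth/connection failed' error.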
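Review bot: Inside `if (db.awsIamAuth)` the `iam=${Boolean(db.awsIamAuth)}` field in the db-pool.ts log line is always `true`, so it carries no information; drop the field, or drop the guard and log the line for every configuration. Host, port, database and user are not secrets, but they are infrastructure detail written at `info` on each pool creation, and `logger.debug` would match the "verbose logs" intent of the commit better. createDb's body continues outside the hunk.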
@@ -186,6 +186,7 @@ import { UPDATE_REVISION } from './features/feature-toggle/configuration-revisio
 import type { IFeatureUsageInfo } from './services/version-service.js';
 import { defineImpactMetrics } from './features/metrics/impact/define-impact-metrics.js';
 import type { IClientInstance } from './types/stores/client-instance-store.js';
+import { dbAccessChecker } from './db/db-access-checker.js';
 export async function initialServiceSetup(
 { authentication }: Pick,
@@ -336,6 +337,10 @@ async function start(
 const config = createConfig(opts);
 const logger = config.getLogger('server-impl.js');
+ if (config.db.awsIamAuth) {
+ await dbAccessChecker(config.db, logger);
+ }
+
 try {
 if (config.db.disableMigration) {
 logger.info('DB migration: disabled');
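Review bot: In the second server-impl.ts hunk the `await dbAccessChecker(config.db, logger)` call sits before the `try {` that follows it, so a failed check rejects `start()` without passing through whatever handling that `try` provides; its `catch` is outside the hunk, so this is an inference to confirm. The surrounding `if (config.db.awsIamAuth)` repeats the early return at the top of `dbAccessChecker`, and one of the two guards is enough. A comment such as `// Fail fast: verify IAM-authenticated DB access before migrations run` would make the placement read as deliberate.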