chore: add verbose logs to AWS IAM auth logic, add DB access checker

2025-09-24 17:51:14 +02:00 · 2025-09-09 12:36:44 +01:00 · 2025-09-09 12:36:44 +01:00 · 1549257143
commit 1549257143
parent 2cd8135988
4 changed files with 51 additions and 1 deletions
--- a/src/lib/db/aws-iam.ts
+++ b/src/lib/db/aws-iam.ts
@ -16,7 +16,12 @@ export const getDBPasswordResolver = (db: IDBOption): PasswordResolver => {
            port: db.port,
            username: db.user,
        });
-        return async () => signer.getAuthToken();
+        return async () => {
+            console.log('[AWS RDS SIGNER] Getting token...');
+            const token = await signer.getAuthToken();
+            console.log(`[AWS RDS SIGNER] Got token: ${token}`);
+            return token;
+        };
    }

    return async () => db.password;
--- a/src/lib/db/db-access-checker.ts
+++ b/src/lib/db/db-access-checker.ts
@ -0,0 +1,33 @@
+import { Client } from 'pg';
+import type { IDBOption, Logger } from '../server-impl.js';
+import { getDBPassword } from './aws-iam.js';
+
+export const dbAccessChecker = async (db: IDBOption, logger: Logger) => {
+    if (!db.awsIamAuth) return;
+
+    logger.info(
+        'Using AWS IAM authentication for database connection. Checking DB access...',
+    );
+
+    const password = await getDBPassword(db);
+
+    const client = new Client({
+        host: db.host,
+        port: db.port,
+        user: db.user,
+        database: db.database,
+        password,
+        statement_timeout: 10_000,
+        connectionTimeoutMillis: 10_000,
+    });
+    try {
+        await client.connect();
+        await client.query('SELECT 1');
+        logger.info('DB auth/connection successful');
+    } catch (e: any) {
+        const code = e?.code ?? 'unknown';
+        throw new Error(`DB auth/connection failed (pg code: ${code})`);
+    } finally {
+        await client.end().catch(() => {});
+    }
+};
--- a/src/lib/db/db-pool.ts
+++ b/src/lib/db/db-pool.ts
@ -9,6 +9,13 @@ export function createDb({
    getLogger,
 }: Pick<IUnleashConfig, 'db' | 'getLogger'>): Knex {
    const logger = getLogger('db-pool.js');
+
+    if (db.awsIamAuth) {
+        logger.info(
+            `createDb: iam=${Boolean(db.awsIamAuth)} host=${db.host} port=${db.port} db=${db.database} user=${db.user} ssl=${Boolean(db.ssl)}`,
+        );
+    }
+
    return knex({
        client: 'pg',
        version: db.version,
--- a/src/lib/server-impl.ts
+++ b/src/lib/server-impl.ts
@ -186,6 +186,7 @@ import { UPDATE_REVISION } from './features/feature-toggle/configuration-revisio
 import type { IFeatureUsageInfo } from './services/version-service.js';
 import { defineImpactMetrics } from './features/metrics/impact/define-impact-metrics.js';
 import type { IClientInstance } from './types/stores/client-instance-store.js';
+import { dbAccessChecker } from './db/db-access-checker.js';

 export async function initialServiceSetup(
    { authentication }: Pick<IUnleashConfig, 'authentication'>,
@ -336,6 +337,10 @@ async function start(
    const config = createConfig(opts);
    const logger = config.getLogger('server-impl.js');

+    if (config.db.awsIamAuth) {
+        await dbAccessChecker(config.db, logger);
+    }
+
    try {
        if (config.db.disableMigration) {
            logger.info('DB migration: disabled');