chore: add IAM db auth support

2025-09-24 17:51:14 +02:00 · 2025-09-03 12:43:43 +01:00 · 2025-09-03 12:43:43 +01:00 · 5af7728db9
commit 5af7728db9
parent fb40bb07c4
5 changed files with 1125 additions and 7 deletions
--- a/package.json
+++ b/package.json
@ -68,6 +68,7 @@
    "schema:update": "node ./.husky/update-openapi-spec-list.js"
  },
  "dependencies": {
+    "@aws-sdk/rds-signer": "^3.880.0",
    "@slack/web-api": "^7.9.1",
    "@wesleytodd/openapi": "^1.1.0",
    "ajv": "^8.17.1",
--- a/src/lib/create-config.ts
+++ b/src/lib/create-config.ts
@ -266,6 +266,8 @@ const defaultDbOptions: WithOptional<IDBOption, 'user' | 'password' | 'host'> =
            false,
        ),
        applicationName: process.env.DATABASE_APPLICATION_NAME || 'unleash',
+        awsIamAuth: parseEnvVarBoolean(process.env.DATABASE_AWS_IAM, false),
+        awsRegion: process.env.AWS_REGION,
    };

 const defaultSessionOption = (isEnterprise: boolean): ISessionOption => ({
--- a/src/lib/db/db-pool.ts
+++ b/src/lib/db/db-pool.ts
@ -3,19 +3,61 @@ import knexpkg from 'knex';
 const { knex } = knexpkg;
 import type { IUnleashConfig } from '../types/option.js';

+import { Signer } from '@aws-sdk/rds-signer';
+
 export function createDb({
    db,
    getLogger,
 }: Pick<IUnleashConfig, 'db' | 'getLogger'>): Knex {
    const logger = getLogger('db-pool.js');
+
+    const {
+        host,
+        port,
+        user,
+        database,
+        ssl,
+        applicationName,
+        password,
+        awsIamAuth,
+        awsRegion,
+        pool,
+    } = db;
+
+    let resolvedPassword: string | (() => Promise<string>) | undefined =
+        password;
+
+    if (awsIamAuth) {
+        if (!awsRegion) {
+            throw new Error(
+                'AWS_REGION is required when DATABASE_AWS_IAM=true',
+            );
+        }
+        const signer = new Signer({
+            region: awsRegion,
+            hostname: host,
+            port: Number(port ?? 5432),
+            username: user,
+        });
+
+        resolvedPassword = async () => signer.getAuthToken();
+    }
+
+    const connection = {
+        host,
+        port,
+        user,
+        database,
+        ssl,
+        application_name: applicationName,
+        password: resolvedPassword,
+    };
+
    return knex({
        client: 'pg',
        version: db.version,
-        connection: {
-            ...db,
-            application_name: db.applicationName,
-        },
-        pool: db.pool,
+        connection,
+        pool,
        searchPath: db.schema,
        asyncStackTraces: true,
        log: {
--- a/src/lib/types/option.ts
+++ b/src/lib/types/option.ts
@ -20,7 +20,7 @@ export interface ISSLOption {

 export interface IDBOption {
    user: string;
-    password: string;
+    password?: string;
    host: string;
    port: number;
    database: string;
@ -38,6 +38,8 @@ export interface IDBOption {
    schema: string;
    disableMigration: boolean;
    applicationName?: string;
+    awsIamAuth?: boolean;
+    awsRegion?: string;
 }

 export interface ISessionOption {
--- a/yarn.lock
+++ b/yarn.lock