-
Notifications
You must be signed in to change notification settings - Fork 3
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Cloud iam auth #13
base: main
Are you sure you want to change the base?
Cloud iam auth #13
Conversation
|
||
### [go-cloud](https://github.com/google/go-cloud) | ||
|
||
Provides [IAM auth for GCP Cloud SQL](https://github.com/google/go-cloud/blob/master/postgres/gcppostgres/gcppostgres_test.go#L54), but not [AWS RDS](https://github.com/google/go-cloud/issues/3069). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
go-cloud does support AWS RDS. This issue is outdated and has since been closed.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There some support for RDS, but it is not complete (see my other comment), final comment on the issue also implied that they did not intend to add the IAM auth
|
||
## Implementation | ||
|
||
Authentication would need to be implemented for both databases supported by openFGA: postgres and mysql. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As a maintainer team we're worried about introducing these cloud specific database connection functionalities in OpenFGA, because it will be cumbersome to manage. Depending on more of a community driven and community based standard for this functionality would be preferable as it allows our maintainer team to leverage a larger community to help evolve and maintain these cloud IAM mechanisms.
For this reason, we'd like to see an exploration of the go-cloud
CDK (mentioned in the Prior Art section below) before we proceed forward. Specifically,
-
Are there features/functionalities that the Go Cloud CDK does not address that are pertinent to the usage patterns for these proprietary cloud IAM protocols? If so, what are the limitations? For example, can you use the assumed role functionality of AWS IAM etc..
-
Does the usage of the cloud specific sql providers in the Go Cloud CDK necessitate a specific underlying driver (e.g. pgx, pql, etc..)? Or can you bring your own driver?
From the looks of it you can use whatever underlying driver you want (see https://github.com/google/go-cloud/blob/master/samples/guestbook/wire_gen.go#L16C34-L16C34 as an example). But this needs to be confirmed.
If you'd be willing to help with this discovery @KlausVii we'd really appreciate it. If not though, our next step as a maintainer team is to do some more discovery with the go-cloud SDK and see how it works for this use case.
We have used the go-cloud SDK elsewhere and have had positive experiences with it, so we at least have some confidence in it as a potential solution.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The one feature missing from go-cloud is fetching the authentication token from AWS, which is used as the password for your db connection. The issue this causes is that the token is only valid for 15min and if it is not refreshed, new connections will fail after the token expires.
I dug through the go-cloud source code , and could not find any code for retrieving this token. They seem to only inject some certificates for the AWS connection and expect the user to provide the password (which will expire if not refreshed) at initialisation.
This is why the extra work is required for the AWS IAM auth.
As to using go-cloud as at the underlying db driver for all the implantations, that should work just fine, it just does not provide a full end to end solution for AWS like it does GCP (might be a bit of google bias given its a google library).
Do let me know if I missed something with go-cloud, happy to be proven wrong.
As far as the maintenance burden, it should not be too high. The auth token just needs be fetched, injected, and refreshed close to expiry; this amounts to about 80 LoC to keep up to date, and I imagine the AWS side will remain very stable.
My draft implementation is about an evening's of work away from completion, so if I've somewhat convinced you, I'd be happy get into shape and open up a PR to show what this whole thing would look like.
Nice work! Has there been any progress on adopting this? Eliminating passwords from connection strings is such a crucial task - it seems surprising to me that this isn't more of a priority for a component central to authorization! |
RFC for adding cloud provider auth to openfga
References
openfga/openfga#870
Review Checklist
main