12 changes: 12 additions & 0 deletions .env.template
@@ -51,6 +51,18 @@ DB_CONNECTION_URI=postgresql+psycopg://postgres:postgres@localhost:5432/postgres
# DB_SQL_DEBUG=false
# DB_TRACING=false

# AWS IAM Authentication for RDS
# Set DB_AUTH_METHOD to "iam" to use IAM token-based authentication instead of
# static passwords. When set to "iam", the following fields are required:
# DB_AWS_REGION, DB_RDS_HOSTNAME, DB_RDS_PORT, DB_RDS_USERNAME.
# DB_AUTH_METHOD=password
# DB_AWS_REGION=us-east-1
# DB_RDS_HOSTNAME=your-rds-instance.region.rds.amazonaws.com
# DB_RDS_PORT=5432
# DB_RDS_USERNAME=iam_db_user
# DB_AWS_PROFILE= # Optional: named AWS credentials profile
# DB_RDS_SSL_CA_BUNDLE= # Optional: path to AWS RDS CA certificate bundle

# =============================================================================
# Authentication Settings
# =============================================================================
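Review bot: the trailing comment on `DB_RDS_SSL_CA_BUNDLE` calls it optional, but RDS IAM authentication is only accepted over TLS, and the short-lived token only buys anything if the client verifies the server certificate; with `DB_AUTH_METHOD=iam` the bundle (or an equivalent trust source) is effectively required. Say so here and point at the bundle the Dockerfile installs, e.g. `# DB_RDS_SSL_CA_BUNDLE=/usr/local/share/aws/global-bundle.pem  # required when DB_AUTH_METHOD=iam`, rather than leaving it blank. It would also help to state that when `iam` is selected the token replaces the password and the static `DB_CONNECTION_URI` on line 51 is not used, so readers do not keep `postgres:postgres` in the file by accident.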
1 change: 1 addition & 0 deletions .gitignore
@@ -193,3 +193,4 @@ metrics.jsonl
AGENTS.md
lancedb_data/
grafana-data/
.kiro/
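Review bot: ignoring `.kiro/` is unrelated to the IAM authentication change in the rest of the commit; it is harmless, but belongs in its own commit so the history for the auth work stays reviewable.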
13 changes: 13 additions & 0 deletions Dockerfile
@@ -38,6 +38,19 @@ ENV UV_CACHE_DIR=/tmp/uv-cache
# Create non-root user and set ownership
RUN addgroup --system app && adduser --system --group app && mkdir -p /tmp/uv-cache && chown -R app:app /app /tmp/uv-cache

# Download AWS RDS CA certificate bundle for SSL connections to RDS
RUN mkdir -p /usr/local/share/aws && \
python - <<'PY'
import urllib.request
from pathlib import Path

url = "https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem"
dst = Path("/usr/local/share/aws/global-bundle.pem")
urllib.request.urlretrieve(url, dst)
if not dst.exists() or dst.stat().st_size == 0:
raise RuntimeError("Failed to download AWS RDS CA bundle")
PY

Comment on lines +41 to +53
Contributor
⚠️ Potential issue | 🟠 Major

Harden CA bundle download (integrity + retry).

The current build step fetches trust material without integrity verification, which weakens supply-chain guarantees and reproducibility.

🔒 Suggested hardening
+# Optional: pin expected digest via build arg and rotate intentionally.
+ARG RDS_CA_BUNDLE_SHA256
 # Download AWS RDS CA certificate bundle for SSL connections to RDS
-RUN mkdir -p /usr/local/share/aws && \
-    python -c "import urllib.request; urllib.request.urlretrieve('https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem', '/usr/local/share/aws/global-bundle.pem')"
+RUN mkdir -p /usr/local/share/aws && \
+    python - <<'PY'
+import hashlib
+import urllib.request
+from pathlib import Path
+
+url = "https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem"
+dst = Path("/usr/local/share/aws/global-bundle.pem")
+urllib.request.urlretrieve(url, dst)
+if not dst.exists() or dst.stat().st_size == 0:
+    raise RuntimeError("Failed to download AWS RDS CA bundle")
+PY
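Review bot: the suggested block declares `ARG RDS_CA_BUNDLE_SHA256` and imports `hashlib` but never uses either, so it does not deliver the integrity check the heading promises; the only guard is the non-empty-file test at `if not dst.exists() or dst.stat().st_size == 0`. The missing step is to compute `hashlib.sha256(dst.read_bytes()).hexdigest()` and raise when it differs from the build argument (when one is supplied), so a tampered or truncated bundle fails the build instead of becoming the image's trust root. The retry half of the title is also absent: `urllib.request.urlretrieve` has neither a retry nor a timeout, so a stalled connection hangs the build.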
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@Dockerfile` around lines 41 - 44, The Dockerfile step that downloads
global-bundle.pem currently fetches it without integrity checks or retries;
update the RUN that creates /usr/local/share/aws and downloads global-bundle.pem
to (1) accept or set a known SHA256 checksum (via a build ARG or hardcoded
variable), (2) use a downloader with retry/timeout flags (curl or wget with
--retry/--tries, --fail, and reasonable timeouts) and (3) immediately verify the
file with sha256sum (or shasum) and fail the build if the checksum does not
match, so the image build aborts on mismatch; reference the existing RUN that
writes /usr/local/share/aws/global-bundle.pem and ensure the command returns
non-zero on download or verification failure.

COPY --chown=app:app src/ /app/src/
COPY --chown=app:app migrations/ /app/migrations/
COPY --chown=app:app scripts/ /app/scripts/
Review bot: the heredoc adopted in lines 41 to 53 is the comment's suggestion minus the parts that mattered: there is still no digest comparison and no timeout, so whatever the TLS session to truststore.pki.rds.amazonaws.com delivers becomes the image's trust root, and the only check is `dst.stat().st_size == 0`. Suggest taking a pinned SHA-256 through a build ARG and comparing it before the RUN succeeds, checking that the file at least begins with `-----BEGIN CERTIFICATE-----`, and replacing `urlretrieve` with `urllib.request.urlopen(url, timeout=30)` inside a small bounded retry loop so a transient failure retries and a hung connection fails fast. Separately, `python - <<'PY'` inside a RUN relies on the BuildKit Dockerfile heredoc syntax; confirm the `# syntax=docker/dockerfile:1` directive (not visible in this hunk) is present, because the classic builder will not parse the heredoc.
11 changes: 11 additions & 0 deletions config.toml.example
@@ -32,6 +32,17 @@ POOL_USE_LIFO = true
SQL_DEBUG = false
TRACING = false

# AWS IAM authentication for RDS
# Set AUTH_METHOD to "iam" to use IAM token-based authentication instead of static passwords.
# When AUTH_METHOD is "iam", AWS_REGION, RDS_HOSTNAME, RDS_PORT, and RDS_USERNAME are required.
# AUTH_METHOD = "password" # "password" or "iam"
# AWS_REGION = "us-east-1"
# RDS_HOSTNAME = "your-rds-instance.region.rds.amazonaws.com"
# RDS_PORT = 5432
# RDS_USERNAME = "iam_db_user"
# AWS_PROFILE = "" # Optional: named AWS credentials profile
# RDS_SSL_CA_BUNDLE = "" # Optional: path to AWS RDS CA certificate bundle

# Authentication settings
[auth]
USE_AUTH = false
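Review bot: `AWS_PROFILE = ""` (and the matching `DB_AWS_PROFILE=` in `.env.template`) documents the empty string as the way to say "no profile", so the settings loader has to map `""` to unset before it reaches the AWS SDK; passing an empty profile name through as a real profile will fail to resolve credentials. Either state that contract in the comment or drop the key from the example and mention it only in the description. The comment should also say that a named profile is a local-development convenience: inside a container or on an instance the expected credential source is the task or instance role, and `RDS_SSL_CA_BUNDLE` should not be described as optional for the `iam` case for the same reason noted on `.env.template`.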
16 changes: 16 additions & 0 deletions docker-compose.yml.example
@@ -29,6 +29,14 @@ services:
- DB_CONNECTION_URI=postgresql+psycopg://postgres:postgres@database:5432/postgres
- CACHE_URL=redis://redis:6379/0?suppress=true
- CACHE_ENABLED=true
# -- AWS RDS IAM authentication (replace DB_CONNECTION_URI above and uncomment) --
# - DB_AUTH_METHOD=iam
# - DB_AWS_REGION=us-east-1
# - DB_RDS_HOSTNAME=your-rds-instance.xxxxxxxxxxxx.us-east-1.rds.amazonaws.com
# - DB_RDS_PORT=5432
# - DB_RDS_USERNAME=iam_db_user
# - DB_AWS_PROFILE= # optional: named AWS credentials profile
# - DB_RDS_SSL_CA_BUNDLE=/usr/local/share/aws/global-bundle.pem
env_file:
- path: .env
required: false
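Review bot: "replace DB_CONNECTION_URI above and uncomment" leaves precedence undefined for the reader who uncomments the block but forgets to delete the `postgres:postgres` URI on line 29: the clear-text credential stays in the compose file and it is not visible here which setting the application honours. Document the precedence, or better, have the application refuse to start when `DB_AUTH_METHOD=iam` and a password-bearing `DB_CONNECTION_URI` are both set. `DB_RDS_SSL_CA_BUNDLE=/usr/local/share/aws/global-bundle.pem` matches the path the Dockerfile writes, which is good. `DB_AWS_PROFILE=` only works if `~/.aws` is mounted into the container, which this example does not do, so the comment should say the task or instance role is the expected credential source.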
@@ -52,6 +60,14 @@ services:
- DB_CONNECTION_URI=postgresql+psycopg://postgres:postgres@database:5432/postgres
- CACHE_URL=redis://redis:6379/0?suppress=true
- CACHE_ENABLED=true
# -- AWS RDS IAM authentication (replace DB_CONNECTION_URI above and uncomment) --
# - DB_AUTH_METHOD=iam
# - DB_AWS_REGION=us-east-1
# - DB_RDS_HOSTNAME=your-rds-instance.xxxxxxxxxxxx.us-east-1.rds.amazonaws.com
# - DB_RDS_PORT=5432
# - DB_RDS_USERNAME=iam_db_user
# - DB_AWS_PROFILE= # optional: named AWS credentials profile
# - DB_RDS_SSL_CA_BUNDLE=/usr/local/share/aws/global-bundle.pem
env_file:
- path: .env
required: false
Review bot: this block is a verbatim copy of the one added to the first service, so the two will drift the next time one of them is edited. Both services already load the shared `.env` via `env_file`, so the cleaner option is to keep the IAM settings there once and leave a single pointer comment in each service; if they must stay inline, a YAML extension block (`x-rds-iam-env:`) with an anchor referenced from both services keeps one copy. The precedence question raised on the first service applies here unchanged.