albertocalderari opened a new issue, #30368: URL: https://github.com/apache/airflow/issues/30368
### Description

Based on [this](https://github.com/apache/airflow/discussions/30283) discussion.

Currently there is no way to use token identity to authenticate with Amazon RDS without a fairly significant change to the helm charts and airflow code.

I will implement this functionality and add the helm options as:

```yaml
externalDatabase:
  type: postgres
  host: airflow-cluster.<uniqueId>.us-east-1.rds.amazonaws.com
  ## the port of the external database
  ##
  port: 5432
  ## the database/scheme to use within the external database
  ##
  database: airflow
  ## the username for the external database
  ##
  user: airflow
  awsRdsTokenIdentity:
    enabled: true
    region: us-east-1
    connectionExpirySeconds: 600
```

And use SQLAlchemy events to provide the token.

```python
import logging

import boto3
from sqlalchemy import event

from airflow.configuration import conf

log = logging.getLogger(__name__)

# `engine` is the SQLAlchemy engine Airflow has already created for its
# metadata database; the listener below is registered against it.


def amend_connection(cparams):
    # Swap the password for a short-lived RDS IAM auth token when enabled.
    if conf.getboolean("database", "use_aws_token_identity"):
        log.info(f'connecting user {cparams["user"]} to {cparams["host"]}:{cparams["port"]} using pod identity')
        client = boto3.client(
            "rds",
            region_name=conf.get_mandatory_value("database", "aws_region"),
        )
        token = client.generate_db_auth_token(
            DBHostname=cparams["host"],
            Port=cparams["port"],
            DBUsername=cparams["user"],
        )
        cparams["password"] = token
    else:
        log.info(f'connecting {cparams["user"]} using user/password')


# do_connect fires before every new DBAPI connection, so each one gets a fresh token.
@event.listens_for(engine, "do_connect")
def provide_token(dialect, conn_rec, cargs, cparams):
    amend_connection(cparams)
```

### Use case/motivation

Temporary credentials are a security feature generally required by secops and a general good practice these days, so it makes sense for me to support them.

### Related issues

_No response_

### Are you willing to submit a PR?

- [X] Yes I am willing to submit a PR!

### Code of Conduct

- [X] I agree to follow this project's [Code of Conduct](https://github.com/apache/airflow/blob/main/CODE_OF_CONDUCT.md)
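A stricter variant of the `do_connect` hook proposed in the issue above, added here as an example; it is not code from the issue or from Airflow. The names `amend_connection_strict`, `TokenProvider` and `boto3_token_provider` are hypothetical, and it assumes PostgreSQL through a libpq-based driver, where `sslmode` is a connect parameter.

```python
import logging
from typing import Callable, MutableMapping

log = logging.getLogger(__name__)

# Hypothetical token source signature: (host, port, user) -> token.
TokenProvider = Callable[[str, int, str], str]

# libpq sslmode values that guarantee an encrypted session.
TLS_MODES = {"require", "verify-ca", "verify-full"}


def boto3_token_provider(region: str) -> TokenProvider:
    """Build a provider backed by boto3's RDS generate_db_auth_token."""
    import boto3  # imported lazily so the hook can be tested without AWS

    client = boto3.client("rds", region_name=region)

    def provide(host: str, port: int, user: str) -> str:
        return client.generate_db_auth_token(
            DBHostname=host, Port=port, DBUsername=user
        )

    return provide


def amend_connection_strict(cparams: MutableMapping, provider: TokenProvider) -> None:
    """Replace the password in do_connect's cparams with a fresh IAM token."""
    missing = [k for k in ("host", "user") if not cparams.get(k)]
    if missing:
        # Fail closed: never fall back to a stored password by accident.
        raise ValueError(f"cannot request IAM token, missing {missing}")
    port = int(cparams.get("port") or 5432)  # assumed PostgreSQL default port
    # The token is a bearer credential: refuse to send it over plaintext.
    if cparams.get("sslmode") not in TLS_MODES:
        cparams["sslmode"] = "require"
    cparams["password"] = provider(cparams["host"], port, cparams["user"])
    # Log who and where, never the token itself.
    log.info("IAM token issued for %s@%s:%s", cparams["user"], cparams["host"], port)


# Wiring (needs SQLAlchemy and an existing engine):
#   provider = boto3_token_provider("us-east-1")
#   @event.listens_for(engine, "do_connect")
#   def provide_token(dialect, conn_rec, cargs, cparams):
#       amend_connection_strict(cparams, provider)
```

Injecting the provider keeps the hook testable without AWS credentials, and raising on missing parameters means a misconfigured deployment fails at connect time instead of quietly using a static password.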
