Module resty.aws.service.rds.signer

Signer class for RDS tokens for RDS DB access.

See IAM database authentication for MariaDB, MySQL, and PostgreSQL for more information on using IAM database authentication with RDS.

Each RDS service object that is created gets a Signer method for creating a signer instance. The Signer inherits its configuration from the AWS instance (not from the RDS instance!).

Functions

Signer:getAuthToken (opts) Return an authorization token used as the password for an RDS DB connection.


Functions

Signer:getAuthToken (opts)
Return an authorization token used as the password for an RDS DB connection. The example shows how to use getAuthToken to create an authentication token for connecting to a PostgreSQL database in RDS.

Parameters:

  • opts configuration to use, to override the options inherited from the underlying AWS instance;
    • region string The AWS region
    • hostname string the DB hostname to connect to, e.g. "DB_INSTANCE.DB_CLUSTER.us-east-1.rds.amazonaws.com"
    • port number the port for the DB connection
    • username string username of the account in the database to sign in with
    • credentials Credentials AWS credentials

Returns:

    token, err - Returns the token to use as the password for the DB connection, or nil and error if an error occurs

Usage:

    local pgmoon = require "pgmoon"
    local AWS = require("resty.aws")
    local AWS_global_config = require("resty.aws.config").global
    local aws = AWS { region = AWS_global_config.region }
    local rds = aws:RDS()
    
    
    local db_hostname = "DB_INSTANCE.DB_CLUSTER.us-east-1.rds.amazonaws.com"
    local db_port = 5432
    local db_name = "DB_NAME"
    
    local signer = rds:Signer {  -- create a signer instance
      hostname = db_hostname,
      username = "db_user",
      port = db_port,
      region = nil,              -- will be inherited from aws
      credentials = nil,         -- will be inherited from aws
    }
    
    -- use the 'signer' to generate the token, whilst overriding some options
    local auth_token, err = signer:getAuthToken {
      username = "another_user"  -- this overrides the earlier provided config above
    }
    
    if err then
      ngx.log(ngx.ERR, "Failed to build auth token: ", err)
      return
    end
    
    local pg = pgmoon.new({
      host = db_hostname,
      port = db_port,
      database = db_name,
      user = "another_user",
      password = auth_token,
      ssl = true,
    })
    
    local flag, err = pg:connect()
    if err then
      ngx.log(ngx.ERR, "Failed to connect to database: ", err)
      return
    end
    
    -- Test query
    assert(pg:query("select * from users where status = 'active' limit 20"))
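
Because the token returned by getAuthToken is the database password, it should not be written to logs in full, and a caller that caches it needs to know when it expires. The following is an added example, not part of lua-resty-aws: it assumes the standard RDS IAM token layout (`host:port/?` followed by SigV4 presigned query parameters); `inspect_token`, `redact_token` and the sample token are hypothetical and constructed for illustration.

```lua
-- Constructed sample token (placeholder key id and signature, not real credentials).
-- Assumed layout: "<host>:<port>/?<SigV4 presigned query parameters>".
local sample = "DB_INSTANCE.DB_CLUSTER.us-east-1.rds.amazonaws.com:5432/?Action=connect"
  .. "&DBUser=another_user&X-Amz-Algorithm=AWS4-HMAC-SHA256"
  .. "&X-Amz-Credential=AKIAEXAMPLE%2F20240923%2Fus-east-1%2Frds-db%2Faws4_request"
  .. "&X-Amz-Date=20240923T092937Z&X-Amz-Expires=900&X-Amz-SignedHeaders=host"
  .. "&X-Amz-Signature=0123456789abcdef"

local function url_decode(s)
  return (s:gsub("%%(%x%x)", function(h) return string.char(tonumber(h, 16)) end))
end

-- UTC calendar fields to epoch seconds (os.time would apply the local timezone).
local function utc_epoch(y, m, d, h, mi, s)
  if m <= 2 then y, m = y - 1, m + 12 end
  local days = 365 * y + math.floor(y / 4) - math.floor(y / 100) + math.floor(y / 400)
             + math.floor((153 * (m - 3) + 2) / 5) + d - 719469
  return ((days * 24 + h) * 60 + mi) * 60 + s
end

-- Hypothetical helper: extract the non-secret fields of a token and its remaining lifetime.
local function inspect_token(token, now)
  local endpoint, query = token:match("^([^/]+)/%?(.+)$")
  if not endpoint then return nil, "unexpected token layout" end
  local p = {}
  for k, v in query:gmatch("([^&=]+)=([^&]*)") do p[url_decode(k)] = url_decode(v) end
  local y, m, d, h, mi, s = (p["X-Amz-Date"] or ""):match("^(%d%d%d%d)(%d%d)(%d%d)T(%d%d)(%d%d)(%d%d)Z$")
  local ttl = tonumber(p["X-Amz-Expires"])
  if not y or not ttl then return nil, "missing X-Amz-Date or X-Amz-Expires" end
  local issued = utc_epoch(tonumber(y), tonumber(m), tonumber(d), tonumber(h), tonumber(mi), tonumber(s))
  return { endpoint = endpoint, user = p["DBUser"], seconds_left = issued + ttl - now }
end

-- Hypothetical helper: strip the secret parts so the token can appear in a log line.
local function redact_token(token)
  return (token:gsub("(X%-Amz%-Signature=)[^&]*", "%1REDACTED")
               :gsub("(X%-Amz%-Security%-Token=)[^&]*", "%1REDACTED"))
end

local info = assert(inspect_token(sample, 1727083777 + 600))  -- 10 minutes after issue
assert(info.endpoint == "DB_INSTANCE.DB_CLUSTER.us-east-1.rds.amazonaws.com:5432")
assert(info.user == "another_user" and info.seconds_left == 300)
assert(not redact_token(sample):find("0123456789abcdef", 1, true))
print(info.user, info.seconds_left, redact_token(sample))
```

A cache around getAuthToken can use `seconds_left` to request a fresh token before opening new connections, and the endpoint and user fields can be compared with the values passed to pgmoon before connecting.
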
generated by LDoc 1.5.0 Last updated 2024-09-23 09:29:37