使用IAM身份验证和Spring JDBC（DataSource和JdbcTemplace）访问AWS RDS [英] Accessing AWS RDS using IAM Authentication and Spring JDBC (DataSource and JdbcTemplace)

问题描述

我无法弄清楚如何实现这一点。任何帮助和/或指示将不胜感激。

I am not able to figure out how to implement this. Any help and/or pointers will be greatly appreciated.

目前，我的Java / Spring应用程序后端部署在 EC2 并访问 MySQL上的RDS 成功使用常规的Spring JDBC设置。也就是说，将数据库信息存储在 application.properties 中并配置 DataSource 和 JdbcTemplate 在 @Configuration 类中。一切正常。

Currently, my Java/Spring application backend is deployed on EC2 and accessing MySQL on RDS successfully using the regular Spring JDBC setup. That is, storing database info in application.properties and configuring DataSource and JdbcTemplate in @Configuration class. Everything works fine.

现在，我需要在RDS 安全上访问MySQL。 RDS实例已启用IAM身份验证。我还成功创建了 IAM角色并应用了内嵌政策。然后，按照此链接，我能够使用身份验证令牌成功地从独立Java类访问数据库，并且我创建的用户而不是常规的db用户名和密码。这个独立的Java类直接处理连接对象。

Now, I need to access MySQL on RDS securely. RDS instance has IAM Authentication enabled. I have also successfully created IAM role and applied inline policy. Then, following the AWS RDS documentation and Java example on this link, I am able to access the database from a standalone Java class successfully using Authentication Token and the user I created instead of regular db username and password. This standalone Java class is dealing with "Connection" object directly.

我被困的地方是我如何将它转换为Spring JDBC配置。也就是说，在我的@Configuration类中为此设置 DataSource 和 JdbcTemplate bean。

The place I am stuck is how I translate this to Spring JDBC configuration. That is, setting up DataSource and JdbcTemplate beans for this in my @Configuration class.

实现此目的的正确/正确方法是什么？

What would be a correct/right approach to implement this?

-----编辑 - 开始---- -

我正在尝试将其实现为可用于多个项目的库。也就是说，它将用作JAR并在项目的POM文件中声明为依赖项。该库将包括可配置的AWS服务，例如使用通用DB用户名和密码的RDS访问，使用IAM身份验证的RDS访问，用于数据加密的KMS（CMK /数据密钥）等。

I am trying to implement this as a library that can be used for multiple projects. That is, it will be used as a JAR and declared as a dependency in a project's POM file. This library is going to include configurable AWS Services like this RDS access using general DB username and password, RDS access using IAM Authentication, KMS (CMK/data keys) for data encryption, etc.

想法是在任何网络/应用服务器上使用此库，具体取决于项目。

Idea is to use this library on any web/app server depending on the project.

希望这可以澄清我的需求。

Hope this clarifies my need more.

-----编辑 - 结束-----

DataSource内部有getConnection（）所以我基本上可以创建自己的DataSource实现来实现我想要的。但这是一个好方法吗？

DataSource internally has getConnection() so I can basically create my own DataSource implementation to achieve what I want. But is this a good approach?

类似于：

public class MyDataSource implements DataSource {
    @Override
    public Connection getConnection() throws SQLException {
        Connection conn = null;
        // get a connection using IAM Authentication Token for accessing AWS RDS, etc. as in the AWS docs
        return conn;
    }

    @Override
    public Connection getConnection(String username, String password) throws SQLException {
        return getConnection();
    }

    //other methods
} 

推荐答案

您可以使用以下代码段替换SpringBoot / Tomcat提供的默认连接池。它将每10分钟刷新一次令牌密码，因为令牌有效期为15分钟。此外，它假定可以从DNS主机名中提取区域。如果不是这种情况，则需要指定要使用的区域。

You can use the following snippet as a replacement for the default connection-pool provided by SpringBoot/Tomcat. It will refresh the token password every 10 minutes, since the token is valid for 15 minutes. Also, it assumes the region can be extracted from the DNS hostname. If this is not the case, you'll need to specify the region to use.

public class RdsIamAuthDataSource extends org.apache.tomcat.jdbc.pool.DataSource {

private static final Logger LOG = LoggerFactory.getLogger(RdsIamAuthDataSource.class);

/**
 * The Java KeyStore (JKS) file that contains the Amazon root CAs
 */
public static final String RDS_CACERTS = "/rds-cacerts";
/**
 * Password for the ca-certs file.
 */
public static final String PASSWORD = "changeit";
public static final int DEFAULT_PORT = 3306;

@Override
public ConnectionPool createPool() throws SQLException {
    return pool != null ? pool : createPoolImpl();
}

protected synchronized ConnectionPool createPoolImpl() throws SQLException {
    return pool = new RdsIamAuthConnectionPool(poolProperties);
}

public static class RdsIamAuthConnectionPool extends ConnectionPool implements Runnable {

    private RdsIamAuthTokenGenerator rdsIamAuthTokenGenerator;
    private String host;
    private String region;
    private int port;
    private String username;
    private Thread tokenThread;

    public RdsIamAuthConnectionPool(PoolConfiguration prop) throws SQLException {
        super(prop);
    }

    @Override
    protected void init(PoolConfiguration prop) throws SQLException {
        try {
            URI uri = new URI(prop.getUrl().substring(5));
            this.host = uri.getHost();
            this.port = uri.getPort();
            if (this.port < 0) {
                this.port = DEFAULT_PORT;
            }
            this.region = StringUtils.split(this.host,'.')[2]; // extract region from rds hostname
            this.username = prop.getUsername();
            this.rdsIamAuthTokenGenerator = RdsIamAuthTokenGenerator.builder().credentials(new DefaultAWSCredentialsProviderChain()).region(this.region).build();
            updatePassword(prop);
            final Properties props = prop.getDbProperties();
            props.setProperty("useSSL","true");
            props.setProperty("requireSSL","true");
            props.setProperty("trustCertificateKeyStoreUrl",getClass().getResource(RDS_CACERTS).toString());
            props.setProperty("trustCertificateKeyStorePassword", PASSWORD);
            super.init(prop);
            this.tokenThread = new Thread(this, "RdsIamAuthDataSourceTokenThread");
            this.tokenThread.setDaemon(true);
            this.tokenThread.start();
        } catch (URISyntaxException e) {
            throw new RuntimeException(e.getMessage());
        }
    }

    @Override
    public void run() {
        try {
            while (this.tokenThread != null) {
                Thread.sleep(10 * 60 * 1000); // wait for 10 minutes, then recreate the token
                updatePassword(getPoolProperties());
            }
        } catch (InterruptedException e) {
            LOG.debug("Background token thread interrupted");
        }
    }

    @Override
    protected void close(boolean force) {
        super.close(force);
        Thread t = tokenThread;
        tokenThread = null;
        if (t != null) {
            t.interrupt();
        }
    }

    private void updatePassword(PoolConfiguration props) {
        String token = rdsIamAuthTokenGenerator.getAuthToken(GetIamAuthTokenRequest.builder().hostname(host).port(port).userName(this.username).build());
        LOG.debug("Updated IAM token for connection pool");
        props.setPassword(token);
    }
}
}

请注意你会需要导入Amazon的根/中间证书才能建立可信连接。上面的示例代码假定证书已导入到名为rds-cacert的文件中，并且在类路径中可用。或者，您也可以将它们导入JVM的cacerts文件。

Please note that you'll need to import Amazon's root/intermediate certificates to establish a trusted connection. The example code above assumes that the certificates have been imported into a file called 'rds-cacert' and is available on the classpath. Alternatively, you can also import them into the JVM 'cacerts' file.

要使用此数据源，可以使用Spring的以下属性：

To use this data-source, you can use the following properties for Spring:

datasource:
  url: jdbc:mysql://dbhost.xyz123abc.us-east-1.rds.amazonaws.com/dbname
  username: iam_app_user
  driver-class-name: com.mysql.cj.jdbc.Driver
  type: com.mydomain.jdbc.RdsIamAuthDataSource

使用Spring Java配置：

Using Spring Java config:

@Bean public DataSource dataSource() { 
    PoolConfiguration props = new PoolProperties(); 
    props.setUrl("jdbc:mysql://dbname.abc123xyz.us-east-1.rds.amazonaws.com/dbschema"); 
    props.setUsername("iam_dbuser_app"); 
    props.setDriverClassName("com.mysql.jdbc.Driver"); 
    return new RdsIamAuthDataSource(props); 
}

这篇关于使用IAM身份验证和Spring JDBC（DataSource和JdbcTemplace）访问AWS RDS的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！