使用 Boto3 进行 IAM 身份验证的 SQLAlchemy 可刷新凭据 [英] SQLAlchemy refreshable credentials for IAM auth with Boto3

问题描述

我正在使用 Boto3 生成的身份验证令牌通过 Sqlalchemy 连接到 Amazon RDS:

I am connecting to Amazon RDS with Sqlalchemy using a Boto3 generated auth-token:

self.client = boto3.client("rds", region_name="eu-central-1")
self.token = self.client.generate_db_auth_token(
   self.endpoint, self.port, self.user
)

connection_string = (
   f"postgresql://{urlquote(self.user)}:"
   f"{urlquote(self.token)}@{self.endpoint}:{self.port}/dummy"
)

self.engine = db.create_engine(connection_string)

问题是提供的令牌仅在 15 分钟内有效(我想使用临时凭据！)，我现在不知道如何告诉 SQLAlchemy 在旧令牌过期时自动创建新的身份验证令牌.

The problem is that the provided token is only valid for 15 minutes (I want to use temporary credentials!) and i don't now how i can tell SQLAlchemy to automatically create a new authentication token when the old one expires.

我找到了 creator 参数，但是当令牌无效时似乎不会调用此函数:

I found the creator argument, but this function seems not to be called when the token gets invalid:

def get_new_connection(self):
    self.token = self.client.generate_db_auth_token(
        self.endpoint, self.port, self.user
    )
    conn = psycopg2.connect(
        f"dbname='dummy' user='{self.user}' host='{self.endpoint}' password='{self.token}'"
    )
    return conn


 self.engine = db.create_engine(
 connection_string, creator=self.get_new_connection
 )

是否有内置函数，或更优雅的方法来解决这个问题?

Is there a build in function for this, or a more elegant way to solve this?

推荐答案

根据 SQLAlchemy 文档，使用易失性身份验证凭据的正确"方法是利用事件系统:

According to the SQLAlchemy documentation, the 'correct' way of working with volatile authentication credentials is to make use of the events system:

生成动态身份验证令牌

DialectEvents.do_connect() 也是动态插入的理想方式可能会在整个生命周期内发生变化的身份验证令牌引擎.例如，如果令牌是由get_authentication_token() 并在令牌中传递给 DBAPI参数，这可以实现为:

DialectEvents.do_connect() is also an ideal way to dynamically insert an authentication token that might change over the lifespan of an Engine. For example, if the token gets generated by get_authentication_token() and passed to the DBAPI in a token parameter, this could be implemented as:

from sqlalchemy import event

engine = create_engine("postgresql://user@hostname/dbname")

@event.listens_for(engine, "do_connect")
def provide_token(dialect, conn_rec, cargs, cparams):
    cparams['token'] = get_authentication_token()

尽管有多种使用 SQLAlchemy 事件系统的方法，我强烈建议您阅读 首先是关于如何处理事件的文档，然后根据您的特定需求选择正确的实现/机制.

There are multiple ways of working with the SQLAlchemy events system though, I urge you to read the documentation on how to work with events in the first place and pick the right implementation/mechanism for your specific need.

根据这些信息，我能够在引擎需要建立新连接时生成新的 RDS IAM 密码.

Based on this information I was able to generate a new RDS IAM password whenever the engine needed to establish a new connection.

这篇关于使用 Boto3 进行 IAM 身份验证的 SQLAlchemy 可刷新凭据的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！