Cross-account IAM authentication support

[indyaah]

We are using aws-mysql-jdbc currently for RDS IAM auth between our services (pod-level IAM with EKS) and aurora clusters within same AWS account.

Going forward we have to support cross-account access between eks pods and aurora instances, we were wondering if there is a way to configure cross-account IAM auth with this library out of the box. My reading of the code/docs dint turn up anything.

If there is nothing out of the box, I was thinking if we could manage to override credentials provider in plugin as sts credential provider based on new iamRole (or some better name) property similar to profile based configuration. Would that be an acceptable change/enhancement?

PS: We have to migrate to this library regardless but our new cross-account IAM access is accelerating that migration.

[indyaah]

Furhter reading I found a simpler example

aws-advanced-jdbc-wrapper/examples/AWSDriverExample/src/main/java/software/amazon/AwsCredentialsManagerExample.java

Lines 46 to 55 in 2e6ae7f

	// Configure AwsCredentialsManager to use EnvironmentVariableCredentialsProvider when connecting
	// to MySQL and DefaultCredentialsProvider otherwise.
	AwsCredentialsManager.setCustomHandler((hostSpec, props) -> {
	if (MYSQL_URL.equals(hostSpec.getHost())) {
	return EnvironmentVariableCredentialsProvider.create();
	} else {
	return DefaultCredentialsProvider.create();
	}
	});

This would require us to make a widespread code change but is definitely a possibility.

[indyaah]

Also there is already a nice documentation : https://github.com/aws/aws-advanced-jdbc-wrapper/blob/main/docs/using-the-jdbc-driver/custom-configuration/AwsCredentialsConfiguration.md

[szantopeter]

I had the same issue, and I was able to fix it as simple as

public static void main(String[] args) {

	setStsAssumeRoleCredentialsForJdbcDriver();

	SpringApplication.run(RdspocApplication.class, args);
}

private static void setStsAssumeRoleCredentialsForJdbcDriver() {
	AwsCredentialsManager.setCustomHandler((hostSpec, props) -> {
		StsClient stsClient = StsClient.builder().build();
		
		Logger logger = LoggerFactory.getLogger(RdspocApplication.class);
		logger.info("Setting STS Assume Role Credentials for JDBC Driver with hostSpec: {} and props: {}", hostSpec, props);

		return StsAssumeRoleCredentialsProvider.builder()
				.stsClient(stsClient)
				.refreshRequest(builder -> builder
						.roleArn("arn:aws:iam::OTHER_ACCOUNT_ID:role/remote-rds-iam-auth")
						.roleSessionName("spring-boot-session"))
				.build();
	});
}

I still think it would be more elegant if this would be provided as part of the JDBC driver, but at least it can be easily implemented

[indyaah]

Thank you for the example @szantopeter