AWS RDS IAM Connection

Hosting in AWS requires special compliance for credentials. I need to use IAM authentication to connect to RDS (and other services) -- is this immediately supported here? Or should I fork the source and implement it directly? https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.Connecting.html
Connecting to your DB instance using IAM authentication - Amazon Re...
With IAM database authentication, you use an authentication token when you connect to your DB instance . An authentication token is a string of characters that you use instead of a password. After you generate an authentication token, it's valid for 15 minutes before it expires. If you try to connect using an expired token, the connection reques...
7 Replies
Marc (7mo ago)
Looks to me just like any other Postgres connection string that you can pass to the Langfuse container as an env: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.Connecting.html
Marc (7mo ago)
Is there something specific about this that breaks / that you’d need to add to Langfuse?
justanothergraphguy
RDS IAM Auth rotates the auth token every 15 minutes, so the string you pass as an env variable will expire unless explicitly refreshed. It's easy to refresh the token... I could probably fork the repo and implement it, but I would rather not have to do that
Marc (7mo ago)
Some teams rotate the token automatically via the env. This should also work if it’s done every 15 min. Can’t you explicitly refresh it on this cadence? Is there an overlapping time where two tokens are safe to be used to not cause any downtime?
justanothergraphguy
Well, yeah I can rotate them but the variables are set at the container level, right? I can create like a sidecar (or some background CLI process) to refresh the token, but that won't update the process env in the node app (I don't think?)... sorry I am not super familiar with ins-and-outs of node.js
Marc (7mo ago)
Makes sense. I’m not familiar with RDS IAM. As this has not come up with other teams that deploy on AWS, I’d be wary to add logic to Langfuse to rotate these keys, as this is complexity in a very critical piece of the application. If there’s a way for you to change the envs, this would probably be the best solution. I’d imagine that most applications don’t come with logic purposely built for RDS IAM but rather expect a connection string. What I want to say: there’s probably a good way to solve this without needing to fork Langfuse (you’d need to maintain your fork).
justanothergraphguy
Yeah, I'm not super familiar with the backend framework, but if the connection password is read in each time rather than once at the beginning of the server start, then that would allow flexibility to have the creds rotate
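To make concrete what the thread is passing around as "the password", here is an added example (not Langfuse code and not the AWS SDK; in production you would call boto3's `rds.generate_db_auth_token`, which does the same thing). An RDS IAM token is a SigV4 query-string presigned GET for `https://<host>:<port>/?Action=connect&DBUser=<user>`, signed for the `rds-db` service with `X-Amz-Expires=900`, with the scheme stripped off. That hard-coded 900 seconds is the 15-minute expiry the docs describe, and it is why a token baked into `DATABASE_URL` at container start stops working. The `RefreshingToken` wrapper below shows the refresh cadence discussed above: it re-signs well before the window closes, and because each token is an independently signed request, an older token stays valid until its own 15 minutes run out, so there is no downtime gap between two tokens. The host, user, region, access key, secret and the 10-minute refresh margin are all constructed values for the example.

```python
"""RDS IAM auth token generation with the standard library only (added example).

Token = SigV4 query-presigned GET for https://host:port/?Action=connect&DBUser=user,
service "rds-db", X-Amz-Expires=900, scheme removed. Credentials here are fake.
"""
import datetime as dt
import hashlib
import hmac
from urllib.parse import quote

EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()  # presigned GET has no body
TOKEN_LIFETIME = 900                            # seconds; RDS rejects older tokens
DEMO_NOW = dt.datetime(2024, 1, 1, 12, 0, 0, tzinfo=dt.timezone.utc)  # fixed clock


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def _canonical_query(params: dict) -> str:
    # SigV4 canonical query string: keys sorted, only RFC 3986 unreserved left bare
    return "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                    for k, v in sorted(params.items()))


def generate_db_auth_token(host, port, user, region, access_key, secret_key,
                           session_token=None, now=None):
    """Return the string used as the Postgres password for IAM auth."""
    now = now or dt.datetime.now(dt.timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date = now.strftime("%Y%m%d")
    scope = f"{date}/{region}/rds-db/aws4_request"
    host_port = f"{host}:{port}"
    params = {
        "Action": "connect",
        "DBUser": user,
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(TOKEN_LIFETIME),
        "X-Amz-SignedHeaders": "host",
    }
    if session_token:  # temporary (STS / instance role) credentials carry a token
        params["X-Amz-Security-Token"] = session_token
    query = _canonical_query(params)
    canonical_request = "\n".join([
        "GET", "/", query,
        f"host:{host_port}\n",   # canonical headers, then the blank separator line
        "host", EMPTY_SHA256,
    ])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    # Derive the SigV4 signing key: date -> region -> service -> "aws4_request"
    k = _hmac(("AWS4" + secret_key).encode("utf-8"), date)
    k = _hmac(k, region)
    k = _hmac(k, "rds-db")
    k = _hmac(k, "aws4_request")
    signature = hmac.new(k, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{host_port}/?{query}&X-Amz-Signature={signature}"


def minutes_later(base, minutes):
    return base + dt.timedelta(minutes=minutes)


class RefreshingToken:
    """Hands out a token, re-signing before the 15-minute window closes.

    refresh_after (default 10 min, a chosen margin) is shorter than TOKEN_LIFETIME,
    so a token handed out just before refresh still has time to authenticate.
    The previously issued token remains valid until its own expiry.
    """

    def __init__(self, make_token, refresh_after=600, clock=None):
        self._make_token = make_token      # callable(now) -> token string
        self._refresh_after = refresh_after
        self._clock = clock or (lambda: dt.datetime.now(dt.timezone.utc))
        self._token = None
        self._issued_at = None

    def get(self):
        now = self._clock()
        if self._token is None or \
                (now - self._issued_at).total_seconds() >= self._refresh_after:
            self._token = self._make_token(now)
            self._issued_at = now
        return self._token


if __name__ == "__main__":
    # Constructed values; nothing here is a real endpoint or credential.
    clock = [DEMO_NOW]
    tokens = RefreshingToken(
        lambda now: generate_db_auth_token("db.example.internal", 5432, "app",
                                           "us-east-1", "AKIAEXAMPLE", "secretEXAMPLE",
                                           now=now),
        clock=lambda: clock[0])
    print("t+0  ", tokens.get()[:120], "...")
    clock[0] = minutes_later(DEMO_NOW, 11)
    print("t+11m", tokens.get()[:120], "...")  # re-signed: X-Amz-Date has moved
```

The application still has to ask `RefreshingToken.get()` (or an equivalent) for the password on every new connection rather than once at boot, which is the point raised in the last post: a sidecar that rewrites an environment variable cannot change what an already-running Node process read from `process.env` at startup.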