I am building a service using Python, Pony ORM and PostgreSQL. I plan hosting it in AWS. I will use AWS RDS PostgreSQL.
AWS supports passwordless connection to RDS (https://aws.amazon.com/premiumsupport/knowledge-center/rds-postgresql-connect-using-iam/, https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.Connecting.Python.html).
Essentially, I have to generate a short-living password before connecting to my database:
session = boto3.Session(profile_name='RDSCreds')
client = session.client('rds')
token = client.generate_db_auth_token(DBHostname=ENDPOINT, Port=PORT, DBUsername=USER, Region=REGION)
conn = psycopg2.connect(host=ENDPOINT, port=PORT, database=DBNAME, user=USER, password=token, sslrootcert="SSLCERTIFICATE")
Is there a way to integrate this approach with Pony ORM? Under the hood Pony just delegates connection to psycopg2. psycopg2 accepts username and password. But how can I make sure that when Pony reconnects to the database, there's a token that it can use?
Related
Currently, our api (deployed on cloudRun) connects to our Postgres database by passing in a pgConfig with a db configuration and a db user and password.
For example:
const configObject = {
host: cloudRunHost,
user: dbUser,
password: dbPassword,
database: dbName
}
async function connect() {
if(!client) {
const pgPool = new pg.Pool(configObject);
await pgPool.connect()
.then((result) => {
logger.info('Connected to DB')
client = result;
}).catch((err) => {
logger.error(err);
});
}
}
We want the app itself to connect to the database by using Cloud SQL IAM database authentication
So far:
The api cloudRun instance has a service account
The database and CloudSQL has been configured for IAM-based access (we can access with our machine service accounts)
The api service account has access to the DB via IAM, and permissions granted to said user on the Postgres db itself
When the above code runs, it logs error: empty password returned by client
We've tried removing the password line entirely from the configObject but it hasn't helped. Any thoughts on why my service account can access the db directly but the api's can't I suspect we need to indicate to pgPool that we're trying to connect via IAM instead of via user/password.
Unfortunately, there isn't a good way to use "automatic" IAM DB AuthN on Cloud Run - while Cloud Run does use the proxy, there is no way for users to flip on the "-enable-iam-login" flag.
Go, Python, and Java users can use the language-specific connectors, but there isn't one for Node.js.
It looks like node-postgres does have support for dynamic passwords, so you might be able to do something like this:
const {GoogleAuth} = require('google-auth-library');
async function main() {
const auth = new GoogleAuth();
const pool = new pg.Pool({
connectionString: 'postgresql://user#db.example:5432/my-db',
password: async () => auth.getAccessToken(),
})
}
From your question I believe you are using NodeJS. But currently IAM database authentication is supported by Python Connector, Java Connector and Cloud SQL proxy which is mentioned here. Also to use Automatic IAM database authentication it is required to use a Cloud SQL connector.
IAM database authentication is currently supported by the Cloud SQL Auth proxy, the Java connector, and the Python connector.
Automatic IAM database authentication requires the use of a Cloud SQL connector.
As you are using NodeJS which is not supported, that seems to be the reason why you are getting an error: empty password returned by client.
I'm trying to connect from Oracle Database (dblink) to Postgresql database use Oracle Database Gateway (dg4msql 19), on the Oracle Database Gateway for MS SQL Server all work fine. On the Oracle DB create dblink, but when try to connect get Error message:
ORA-28500 Oracle ODBC SQL Server Wire Protocol driver Socket closed
08S01 Oracle ODBC SQL Server Wire protocol driver
The server does not support SSL {HY000} !
listener work, tnsnames.ora also give correct answer. May be in initdg4msql.ora file I have to use some string to connect without SSL?
HS_FDS_CONNECT_INFO = postgre_servet.net:5432//database - I don`t known that is correct for PostgreSQL, or for PostgreSQL should use only ODBC connection?
How correctly use HS_FDS_CONNECT_INFO = postgre_servet.net:5432//database, or for PostgreSQL should I use only ODBC connection?
The PostgreSQL server is not configured to accept SSL connections.
First, verify that PostgreSQL was built with SSL support: that can be seen from the output of pg_config --configure (should contain --with-openssl).
To configure SSL support, set ssl = on in postgresql.conf and provide a server certificate and private key (parameters ssl_vert_file and ssl_key_file). Reload PostgreSQL to activate.
For details, read the documentation.
We are new to Google Cloud SQL and have been trying to integrate pgbouncer with Google Cloud SQl Postgres and authenticate database users with SECURITY DEFINER function (which queries pg_shadow)
Our Configuration:
Server -> Pgbouncer + Cloud sql proxy (side car) -> Cloud SQL Postgres
Problem:
But as cloud sql postgres actually does not allow to read pg_shadow from a privileged user (i.e postgres user is not a superuser). This makes it impossible to setup pgbouncer with SECURITY DEFINER function.
Cloud SQL doesn't provide customers to use superuser (cloudsqladmin)
We've read through many articles (mostly cloud-proxy issues) where they have suggested to use pgbouncer but have not elaborated on the above problem.
Options not applicable:
Application level pooling (not feasible right now for us)
Authenticating using auth_file eg. users_list.txt (not recomended, needs manual management of database users)
What we are looking for:
We intend to run a single instance of cloudsql-proxy and pgbouncer which proxies and pools connections to cloudsql postgres database.
We would appreciate your help guys!
Can you help me to connect to Amazon RDS PostgreSQL Database from a VB.net Application. I already using a Npgsql .net data provider to connect to a local database.I am using the following connection string but getting a error message like
"Failed to establish a connection to
'ec2-dynanet-tomcat-new.cas1xn8fsgaw.ap-southeast-2.rds.amazonaws.com'."
conn = New NpgsqlConnection("Host=ec2-dynanet-tomcat-new.cas1xn8fsgaw.ap-southeast-2.rds.amazonaws.com;port=22;Username=xxx;Password=xxxx;Database=esurvey2")
Security Rule Screenshot
I provisioned Databases for PostgreSQL on IBM Cloud. Now I try to connect SQuirreL to my database. However, my attempts result in this error:
FATAL: no pg_hba.conf entry for host "xx.xx.xx.xx", user "myuser",
database "my-database", SSL off
Is this related to the JDBC driver or any SSL setting? The credentials say sslmode=verify-full, but not sure how to specify it in SQuirreL.
I was able to connect with the standard JDBC driver for PostgreSQL after changing the driver properties:
Simple, but not secure approach:
- ssl=true
- sslfactory=org.postgresql.ssl.NonValidatingFactory
Secure, more effort:
- download the SSL certificate as provided in the credentials
- add ?sslmode=verify-full&sslrootcert=path-to-certificate to the connection URI
Now SQuirrel connects to my database with IBM Cloud Databases for PostgreSQL. This also works with Hyper Protect DBaaS.