Programmatically get AWS RDS connection string - postgresql

Is there a way through the aws api to get the connection string for a RDS database? Something in the form of:
postgres://username:password@host/db_name

No, there's no API call that will build that string for you.
However, using the DescribeDBInstances API call you can retrieve the MasterUsername, DBName ("the name of the initial database of this instance that was provided at create time, if one was specified when the DB instance was created") and host (through the Endpoint.Address field) and build the string yourself.
For the password, you'll have to provide it yourself in a secure manner, since RDS cannot retrieve it through API calls.
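An added example (not part of the original answer) of assembling the string from one entry of a DescribeDBInstances response, such as the dict returned by boto3's describe_db_instances. The sample response, the function names and the RDS_MASTER_PASSWORD environment variable are assumptions made for illustration; the password is percent-encoded so characters like @ or / cannot break the URI, and a masked form is provided for logging.

```python
from urllib.parse import quote

# Constructed sample shaped like a DescribeDBInstances response (values are made up).
SAMPLE_RESPONSE = {
    "DBInstances": [{
        "DBInstanceIdentifier": "orders-db",
        "MasterUsername": "app_admin",
        "DBName": "orders",
        "Endpoint": {
            "Address": "orders-db.abc123example.us-east-1.rds.amazonaws.com",
            "Port": 5432,
        },
    }]
}


def _authority(instance):
    """Return (user, host, port, dbname) or raise if the instance is not usable yet."""
    endpoint = instance.get("Endpoint")
    if not endpoint or "Address" not in endpoint:
        # Instances that are still being created have no endpoint.
        raise ValueError("instance has no endpoint yet")
    dbname = instance.get("DBName")
    if not dbname:
        # DBName is only present if an initial database was specified at create time.
        raise ValueError("no initial DBName; the database name must be supplied separately")
    return instance["MasterUsername"], endpoint["Address"], endpoint["Port"], dbname


def build_postgres_uri(instance, password):
    """Build postgres://user:password@host:port/db with user, password and db encoded."""
    user, host, port, dbname = _authority(instance)
    return "postgres://{}:{}@{}:{}/{}".format(
        quote(user, safe=""), quote(password, safe=""), host, port, quote(dbname, safe=""))


def redact_uri(instance):
    """Same URI with the password masked, suitable for log output."""
    user, host, port, dbname = _authority(instance)
    return "postgres://{}:***@{}:{}/{}".format(
        quote(user, safe=""), host, port, quote(dbname, safe=""))


if __name__ == "__main__":
    import os
    # RDS never returns the password; here it comes from an environment variable
    # (hypothetical name) that your secret store populates.
    pw = os.environ.get("RDS_MASTER_PASSWORD", "")
    print(redact_uri(SAMPLE_RESPONSE["DBInstances"][0]), "(password length: %d)" % len(pw))
```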

AWS GO SDK Assume role given to EC2 instance

I am running a small Go application inside an EC2 instance. It accesses Amazon SQS as a consumer. I have configured keys in the ~/.aws/credential file. The EC2 instance has been assigned an IAM role.
Can my go application use the IAM role assigned to the EC2 instance?
If yes, how can that be done using configuration, without a code change?
If a role is configured, should I still provide keys somewhere?

If you used github.com/aws/aws-sdk-go-v2/config and the config.LoadDefaultConfig() method to retrieve AWS credentials, then yes: your application will retrieve temporary credentials with the IAM role you assigned.
aws-sdk-go-v2 will retrieve credentials from instance metadata. The detailed retrieval process is described in the official AWS docs here. The "How do roles for EC2 instances work" section describes the process as below.
When the application runs, it obtains temporary security credentials from Amazon EC2 instance metadata, as described in Retrieving Security Credentials from Instance Metadata. These are temporary security credentials that represent the role and are valid for a limited period of time.
With some AWS SDKs, the developer can use a provider that manages the temporary security credentials transparently. (The documentation for individual AWS SDKs describes the features supported by that SDK for managing credentials.)
Alternatively, the application can get the temporary credentials directly from the instance metadata of the EC2 instance. Credentials and related values are available from the iam/security-credentials/role-name category (in this case, iam/security-credentials/Get-pics) of the metadata. If the application gets the credentials from the instance metadata, it can cache the credentials.
You can also refer here for aws-sdk-go-v2's credential retrieval order.
You don't have to provide a key. aws-sdk-go-v2 will retrieve it from EC2 instance metadata.

Azure function ServiceBusTrigger connection string value not in application settings

Before I deploy a function app and functions through PowerShell > ARM template I dynamically get a service bus connection string and update the value in the connection binding in the function.json file. Then I deploy the function app and function.
Deployment works, but the function app returns an error message:
Microsoft.Azure.WebJobs.ServiceBus: Microsoft Azure WebJobs SDK ServiceBus connection string 'Endpoint=sb://sbname.servicebus.windows.net/;SharedAccessKeyName=RootManageSharedAccessKey;[Hidden Credential]' is missing or empty.
The question is: Do we really have to create an application setting on the function app with this connection string in it? Is there no other option than using the app setting?
It feels like storing the connection string in another location than on the service bus would just create another vulnerability.
I am aware that I could define "connection": "RootManageSharedAccessKey_SERVICEBUS" in the function.json file and then create an app setting with that same name, but that's not the way forward I want to go.

Please check if my findings help:
Instead of storing the Service Bus Connection String directly, you can utilize the Azure Key Vault Service or Azure App Configuration Service.
You can store the confidential values like Connection Strings, Key-value pairs, Client Secrets, Certificate Passwords, etc. in Azure Key Vault.
Assume you have stored the Service Bus connection string in Key Vault and want to retrieve it in the Function App through Application Settings. In the app setting you can define it as:
"connection": @Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secrets/RootManageSharedAccessKey_SERVICEBUS/)
This Key Vault URI cannot be accessed by any other user until they are assigned a system-assigned or user-assigned managed identity permission.
Azure App Configuration is a central place where you can manage application settings and secure access to them in one place. Refer here for more information.

How to monitor Hasura database connectivity

What is the simplest way to monitor whether Hasura has a proper connection to the database, or whether the database is reachable correctly?
I am thinking of creating a Hasura endpoint which just executes some dummy query against the database, but I couldn't figure out how to implement this in Hasura.
Maybe Hasura has something built in for this?

Hasura's health check endpoint gives information about the server health and metadata inconsistencies (in this case, database connection issue).
You can read more about the API here - https://hasura.io/docs/latest/graphql/core/api-reference/health.html

How to connect Microsoft SQL Server (IaaS) using API from IBM Datastage 11.7.1.2

We are trying to connect to Microsoft SQL Server installed in an Azure VM (IaaS) from DataStage using an API.
Currently, we are using the JDBC connector to connect to Microsoft SQL Server (IaaS) using a service account and its password. But on a new server, we have to reset the password every three months in Azure. Also, the same service account is being used by other applications.
We have to create a change request to reflect the new password in the DataStage PROD environment. Also, we are getting a separate service account to use in DataStage.
To avoid the password reset or lock issue, we are planning to use an API to get the password for connecting to the DB.
The API DB connection is working in Alteryx. Can you please let us know whether it is possible to connect this way in DataStage 11.7.1.2, and how to do so? Also, please let me know any other feasible solution for this problem, if the API connection is not possible.

I assume you know how to fetch the password via command line interface from your cloud service.
Store the password as a DataStage environment variable, which is then used in the job.
Use a shell script to update the password. In the script, check first if the password has changed. If it did, run the dsadmin -envset command to set the environment variable to a new value. You might need to encrypt the new value using the encrypt command located in .../ASBNode/bin. Call the script every time before running the parallel job.
You should test if the change of an environment variable will be recognized by the job just in time when the script and the job are called by the same sequence. It might not work if the param is passed-through by the sequence.
Please read the IBM docs about the commands I mentioned.

Which MongoLab connection string should I use?

I'm going to deploy a website to Azure using MongoLab, but I got into a bit of confusion.
When I log in to the MongoLab site I get one URI, but in the Azure site, if I hit connection string I get a different one. The Azure one is quite long and there is no space for putting user and password.
I get the Azure connection string when I select it in the main management site and hit the Connection Info button below. The other one I see it in the MongoLab site.
Also, I made the MongoLab DB from within the Azure Portal.
The connection string I see in Azure is this
mongodb://AzureAppServiceName:M.qKtufxLrRxv.1SwDBKelfkchdjCe08Cmv79lvTD2I-@ds035747.mongolab.com:port/DBName
And the one in MongoLab site is this:
mongodb://<dbuser>:<dbpassword>@ds035747.mongolab.com:port/DBName
Which one should I use?
I'm wondering whether one is for direct connection to MongoLab when there is no restriction of ports whatsoever, such as development, and the other one is to connect when the site is deployed because of internal network restrictions in the Azure infrastructure.
Is this understanding correct?

The connection string provided in the MongoLab UI is a template that can be used when constructing your own URI when you create database users of your own.
When you provision a MongoLab database using the MongoLab addon in the Azure store, MongoLab passes the connection URI we generate to Azure. This pre-generated URI is the one available in the "Connection Info" section of the addon screen.
You can immediately use that URI in the connection info screen as suggested in the Quick Start provided at the top of this article: http://azure.microsoft.com/en-us/documentation/articles/store-mongolab-web-sites-dotnet-store-data-mongodb/. The quick start provides the steps for transferring the addon connection info to the environment variables of an Azure website.
It is also, as other responses suggest, entirely plausible to use that URI elsewhere or to create your own username and password after SSOing to MongoLab (using the URI template at the top of the page to construct a URI of your own).
Don't hesitate to email us at support@mongolab.com directly if you have any questions!
Sincerely,
Eric@MongoLab

You should go with the one provided when you go to the details of your database on the MongoLab site. It should look like this
mongodb://<dbuser>:<dbpassword>@ds048537.mongolab.com:48537/<databasename>
I don't know what kind of connection string Azure is showing you, but the format above works pretty well on Azure.