A "passwordless" login experience for your AWS RDS

RDS Auth Proxy

A two-layer proxy for connecting to RDS PostgreSQL databases using IAM authentication.

This tool lets you keep your databases firewalled off and manage database access through IAM policies, and no developer ever has to share or type a password.

[Figure: Running the proxy]

[Figure: Connecting with psql]

This pairs extremely well with a tool like saml2aws to ensure all AWS/database access uses temporary credentials.

Documentation

End user documentation is available on our project site.

Design

One proxy runs in a VPC subnet that can reach your RDS instances; the other runs on your client machine (dev laptop, etc.) with access to AWS credentials.

The client proxy is responsible for picking a host (RDS instance), and generating a temporary password based on the local IAM identity. The client proxy injects the host and password into the postgres startup message as additional parameters.

[Figure: Client startup flow]

The server proxy accepts a connection from the client proxy and unpacks the host and password parameters. It then opens a connection to the RDS database and intercepts the authentication request, answers it with the password it received from the client, and forwards the result to the client.

[Figure: Auth overview]
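
The startup-message handoff described above, as an added Go example (not the project's code). The parameter names x_proxy_host and x_proxy_password, the helper names, and the step that strips the pair before the message goes upstream are assumptions; the page does not specify them.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
)
const hostParam, passwordParam = "x_proxy_host", "x_proxy_password" // hypothetical names, not from the page
var emptyStartup = []byte{0, 0, 0, 9, 0, 3, 0, 0, 0}                // length 9, protocol 3.0, no parameters

// withParams (client side) appends NUL-terminated key/value strings and rewrites the length prefix.
func withParams(msg []byte, kv ...string) []byte {
	out := append([]byte{}, msg[:len(msg)-1]...) // copy without the terminating NUL
	for _, s := range kv {
		out = append(append(out, s...), 0)
	}
	out = append(out, 0)
	binary.BigEndian.PutUint32(out, uint32(len(out)))
	return out
}

// SplitStartup (server side) pulls out the injected pair and re-encodes the rest for the database.
func SplitStartup(msg []byte) (host, password string, upstream []byte, err error) {
	if len(msg) < 9 || int(binary.BigEndian.Uint32(msg)) != len(msg) ||
		!bytes.Equal(msg[4:8], emptyStartup[4:8]) || msg[len(msg)-1] != 0 {
		return "", "", nil, fmt.Errorf("malformed startup message")
	}
	fields := bytes.Split(msg[8:len(msg)-1], []byte{0})
	if n := len(fields); n%2 != 1 || len(fields[n-1]) != 0 { // pairs, then one empty tail
		return "", "", nil, fmt.Errorf("unpaired startup parameter")
	}
	got, rest := map[string]string{}, []string(nil)
	for i := 0; i+1 < len(fields); i += 2 {
		if k := string(fields[i]); k == hostParam || k == passwordParam {
			got[k] = string(fields[i+1])
		} else {
			rest = append(rest, k, string(fields[i+1]))
		}
	}
	if got[hostParam] == "" || got[passwordParam] == "" {
		return "", "", nil, fmt.Errorf("missing proxy parameters")
	}
	return got[hostParam], got[passwordParam], withParams(emptyStartup, rest...), nil
}

func main() { // constructed sample; the token is a placeholder, not a real IAM token
	base := withParams(emptyStartup, "user", "app_ro", "database", "orders")
	host, _, up, err := SplitStartup(withParams(base, hostParam, "db1.example.internal:5432", passwordParam, "constructed-token"))
	fmt.Println(host, len(up), err)
}
```

The message the server proxy sends upstream is byte-for-byte what the client application sent before injection, so the temporary password travels only in the proxy-to-proxy hop and in the authentication response.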

Releasing

CI handles building binaries and images on tag events.

To create a release, start with a dry-run on the main branch:

git checkout main
./build/release.sh --dry-run

Ensure that the changelog looks as expected, then run it for real:

./build/release.sh
Comments
  • Changelog & Conventional Commit linter

    • Support for conventional commit messages

    release.sh will do the following

    • Calculate the next version based on commit messages.
    • Create an updated CHANGELOG.txt file.
    • Output a command to commit changelog changes, tag, and push to origin.
    • Throw errors if any prerequisites aren't satisfied.

    POC using git-sv for version and changelog generation

  • Adds discovery API

    Part one of refactoring the configuration / target discovery process. This will help us support different discovery clients and eventually different engines (database servers).

    This also happens to fix a bug due to threads accessing a mutable map. Decided against using a sync map for now in case we want to maintain a second map going from name -> target instead of looping over the array. The lock will let us modify both maps and show the result atomically.

  • feat: Add interceptors to proxy

    • Add ability to add custom interceptors with WithQueryInterceptor
    • Add example interceptors showing how to send messages back to client before a long running task
    • First pass guard send calls with mutex
  • Bug: Need to sort target list when prompting user to pick db target

    Describe the bug

    Target db names are not sorted in list of options

    To Reproduce

    Run rds-auth-proxy client twice, list won't be in the same order

    Expected behavior

    List should be in the same order
