feat: IAM-based auth for RDS Proxy and ElastiCache with env var fallback
This PR adds IAM-based authentication for PostgreSQL (via RDS Proxy) and Redis (via ElastiCache) across the hermes monorepo, replacing static password credentials with short-lived tokens issued by AWS IAM. All existing env vars remain as fallback when AWS credentials are not available (local dev / non-AWS environments).
- `apps/thermos/db/fx.go`: new `openPostgresDB()` helper that uses a custom `driver.Connector` (`iamConnector`) to call `rdsauth.BuildAuthToken` on every new connection, generating a fresh 15-minute IAM token.
- Falls back to `sql.Open("postgres", dsn)` if aws-sdk-go-v2 cannot retrieve credentials.
- All three DB connections (`THERMOS_DATABASE_URL`, `TOOLKIT_REGISTRY_DB_URL`, `THERMOS_WORKER_DB`) now go through this helper.
- Added `github.com/aws/aws-sdk-go-v2/feature/rds/auth` dependency; ran `go mod tidy`.
- Added `AWS_REGION` env var in `lib/env/env.go`.
- `packages/db/src/iam.ts`: `resolveIamDbUrl()` uses `@aws-sdk/rds-signer` to generate an RDS Proxy IAM token, caching it for 14 minutes. Returns the fallback URL unchanged when `AWS_REGION` is unset.
- `client.ts`: replaced the `globalForPrisma` singleton with a Proxy-based pattern. Both `prisma` and `readPrismaClient` start on the raw URL immediately, then asynchronously upgrade to an IAM URL when one is available.
- `packages/db/package.json`: added `@aws-sdk/rds-signer: ^3.0.0`.
- `apps/apollo/src/common/lib/external/redis.ts`: `generateElastiCacheToken()` uses `@smithy/signature-v4` + `@aws-crypto/sha256-js` to generate SigV4-presigned tokens targeting the `elasticache` service.
- `initIamAuth()` method on `RedisProvider` calls `cluster.auth(userId, token)` on startup, then refreshes every 13 minutes via `setInterval`.
- Enabled (`clustercfg.` URL) when all three env vars are set: `REDIS_IAM_USER_ID`, `ELASTICACHE_REPLICATION_GROUP_ID`, `AWS_REGION`.
- `apps/apollo/package.json`: added `@aws-sdk/credential-providers`, `@smithy/signature-v4`, `@aws-crypto/sha256-js`.
- `apps/apollo/src/env.ts`: added `REDIS_IAM_USER_ID` and `ELASTICACHE_REPLICATION_GROUP_ID` (both optional).
- Retool uses a plain direct `new Redis(redisUrl)` (not cluster mode), so no IAM changes are needed.
| Condition | Behaviour |
|---|---|
| `AWS_REGION` not set | Use `DATABASE_URL` / `REDIS_URL` password as-is |
| AWS credentials unavailable | Go: falls back to `sql.Open`; TS: returns fallback URL |
| IAM token generation fails at runtime | Logs error; existing connection / URL password remains active |
Add these to the apollo and relevant services:
| Var | Description |
|---|---|
| `REDIS_IAM_USER_ID` | ElastiCache ACL user name configured with IAM auth type |
| `ELASTICACHE_REPLICATION_GROUP_ID` | ElastiCache replication group ID used as SigV4 hostname |
| `AWS_REGION` | AWS region (already present on most services; used as fallback `us-east-1` in Go) |
Required IAM permissions:

- `rds-db:connect` on the proxy ARN for each DB user.
- `elasticache:Connect` on the replication group ARN for `REDIS_IAM_USER_ID`.

Code-reviewed for correctness. The fallback paths (no AWS credentials → plain password auth) are the default for local dev and do not break existing behaviour. Token generation and caching logic follows the AWS-documented IAM auth patterns for RDS Proxy and ElastiCache.
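The fallback and caching contract described in this PR (14-minute token cache against a 15-minute token lifetime, static password kept when `AWS_REGION` is unset or token generation fails, three-variable gate for ElastiCache) can be exercised without AWS credentials. The Go block below is an added example and is not code from the hermes repository: `TokenGenerator`, `TokenCache`, `WithToken`, `ResolveDBURL` and `ElastiCacheIAMEnabled` are names assumed here, the generator is a stand-in for `rdsauth.BuildAuthToken` / `@aws-sdk/rds-signer`, and all DSNs and tokens are constructed sample values. One point it makes that the description does not: an IAM token is a presigned query string containing `/`, `?`, `&` and `%`, so it must be URL-escaped before it is used as the password component of a DSN.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net/url"
	"sync"
	"time"
)

// TokenGenerator stands in for the AWS signer call (rdsauth.BuildAuthToken in
// the Go service, @aws-sdk/rds-signer in packages/db). A plain function type is
// an assumption of this example so the logic runs with no AWS credentials.
type TokenGenerator func(ctx context.Context) (string, error)

const (
	tokenLifetime = 15 * time.Minute // RDS IAM auth tokens are valid for 15 minutes
	refreshAfter  = 14 * time.Minute // regenerate one minute early, like the PR's TS cache
)

// TokenCache hands out one IAM token and regenerates it once it is refreshAfter
// old. If regeneration fails while the previous token is still inside
// tokenLifetime, the previous token is served so callers keep working; only when
// no valid token exists does the error surface, which is the caller's cue to
// fall back to the static password.
type TokenCache struct {
	gen      TokenGenerator
	now      func() time.Time // injectable clock so expiry can be tested
	mu       sync.Mutex
	token    string
	issuedAt time.Time
}

func NewTokenCache(gen TokenGenerator, now func() time.Time) *TokenCache {
	if now == nil {
		now = time.Now
	}
	return &TokenCache{gen: gen, now: now}
}

// Token returns the cached token while fresh, otherwise asks the generator.
func (c *TokenCache) Token(ctx context.Context) (string, error) {
	c.mu.Lock()
	defer c.mu.Unlock()
	age := c.now().Sub(c.issuedAt)
	if c.token != "" && age < refreshAfter {
		return c.token, nil
	}
	tok, err := c.gen(ctx)
	if err != nil {
		if c.token != "" && age < tokenLifetime {
			return c.token, nil // stale but still valid: keep serving it
		}
		return "", fmt.Errorf("iam token generation failed: %w", err)
	}
	c.token, c.issuedAt = tok, c.now()
	return tok, nil
}

// WithToken swaps the password component of a DSN for the IAM token. Tokens are
// presigned query strings containing '/', '?', '&' and '%', so they must be
// escaped when embedded in a URL; url.UserPassword does that in String().
func WithToken(dsn, token string) (string, error) {
	u, err := url.Parse(dsn)
	if err != nil {
		return "", err
	}
	if u.User == nil {
		return "", errors.New("dsn has no user component to attach the token to")
	}
	u.User = url.UserPassword(u.User.Username(), token)
	return u.String(), nil
}

// ResolveDBURL mirrors the fallback contract described for resolveIamDbUrl():
// with AWS_REGION unset, or when no token can be produced, the fallback URL is
// returned unchanged so local dev keeps using the static password.
func ResolveDBURL(ctx context.Context, env map[string]string, fallback string, cache *TokenCache) string {
	if env["AWS_REGION"] == "" {
		return fallback
	}
	tok, err := cache.Token(ctx)
	if err != nil {
		return fallback
	}
	out, err := WithToken(fallback, tok)
	if err != nil {
		return fallback
	}
	return out
}

// ElastiCacheIAMEnabled is the three-variable gate the PR uses for Redis.
func ElastiCacheIAMEnabled(env map[string]string) bool {
	for _, k := range []string{"REDIS_IAM_USER_ID", "ELASTICACHE_REPLICATION_GROUP_ID", "AWS_REGION"} {
		if env[k] == "" {
			return false
		}
	}
	return true
}

func main() {
	// Constructed sample values; no AWS call is made.
	env := map[string]string{"AWS_REGION": "us-east-1"}
	fake := func(ctx context.Context) (string, error) {
		return "proxy.example.internal:5432/?Action=connect&DBUser=app&X-Amz-Signature=abc%2F", nil
	}
	cache := NewTokenCache(fake, nil)
	fmt.Println(ResolveDBURL(context.Background(), env,
		"postgres://app:static@proxy.example.internal:5432/hermes?sslmode=require", cache))
	fmt.Println(ElastiCacheIAMEnabled(env)) // false: the two Redis vars are unset
}
```

The stale-token branch is the behaviour the table above calls "existing connection / URL password remains active": a transient STS or signer failure does not drop new connections as long as the last token is still inside its 15-minute window, and the failure only becomes a fallback to the static password once that window has passed.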