Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/labd/django-iam-dbauth

Django backends to support IAM database authentication for AWS
https://github.com/labd/django-iam-dbauth

aws django iam postgresql python rds-iam-authentication

Last synced: about 6 hours ago
JSON representation

Django backends to support IAM database authentication for AWS

Host: GitHub
URL: https://github.com/labd/django-iam-dbauth
Owner: labd
License: mit
Created: 2019-09-11T08:28:03.000Z (over 5 years ago)
Default Branch: main
Last Pushed: 2024-09-12T09:03:37.000Z (4 months ago)
Last Synced: 2025-01-10T22:12:58.388Z (7 days ago)
Topics: aws, django, iam, postgresql, python, rds-iam-authentication
Language: Python
Homepage:
Size: 50.8 KB
Stars: 46
Watchers: 13
Forks: 26
Open Issues: 5
Metadata Files:
- Readme: README.md
- Changelog: CHANGES
- License: LICENSE

Awesome Lists containing this project

README

# Django IAM database backends

[![codecov](https://codecov.io/gh/labd/django-iam-dbauth/branch/master/graph/badge.svg)](https://codecov.io/gh/labd/django-iam-dbauth)
[![pypi](https://img.shields.io/pypi/v/django-iam-dbauth.svg)](https://pypi.python.org/pypi/django-iam-dbauth/)
[![readthedocs](https://readthedocs.org/projects/django-iam-dbauth/badge/)](https://django-iam-dbauth.readthedocs.io/en/latest/)
[![tests](https://github.com/labd/django-iam-dbauth/workflows/Python%20Tests/badge.svg)](https://github.com/labd/django-iam-dbauth/actions)

## Usage

```shell
pip install django-iam-dbauth
```

In your settings use the following

```python
DATABASES = {
"default": {
"HOST": "",
"USER": "",
"NAME": "",
"ENGINE": 'django_iam_dbauth.aws.postgresql',
"OPTIONS": {
"use_iam_auth": True,
"sslmode": "require", # See discussion on SSL below
"resolve_cname_enabled": True,
}
}
}
```

### SSL and PostgreSQL

When using IAM authentication with RDS, SSL is required. If it's not used, such as when using a CNAME (see below), login will be denied with the below error:

```
django.db.utils.OperationalError: FATAL: pg_hba.conf rejects connection for host "1.2.3.4", user "some_user", database "some_database", SSL off
```

### SSL and MySQL

Acquired Token won't work with MySQL if use RDS instance name, which is a CNAME record, as a HOST, because by default it will be resolved to a cannonical name by django-iam-dbauth. As a result the hostname of the token will bi different. To prevent the module from resolving CNAME, set "resolve_cname_enabled" to False.

### CNAME considerations

Currently, IAM authentication is not supported with CNAMEs. However, this package does CNAME resolution so that the
signed request for a password will work. The issue with this approach is that from the DB library's point of view, the
connection is initiated to the hostname as defined in the settings. If using SSL, certificate verification will fail.
In this case, for PostgreSQL you may want to set `sslmode` to `require` or `verify-ca`.

Further documentation:

* [PostgreSQL SSL modes](https://www.postgresql.org/docs/current/libpq-ssl.html#LIBPQ-SSL-PROTECTION)
* [AWS guide on IAM DB authentication](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.html)